Overview

overview

7

Static

static

3

267d269bc2...24.exe

windows7-x64

7

267d269bc2...24.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    150s
  • max time network
    155s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
  • submitted
    25/12/2023, 14:43

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    267d269bc2d169c80bfd00cac590ff24.exe

  • Size

    431KB

  • MD5

    267d269bc2d169c80bfd00cac590ff24

  • SHA1

    c4dc29015be3df9961248b162ac00e0d23c28648

  • SHA256

    6b59a30ffbb59173a3e379802c5af63956a5db9de4449e54089b92279c97bb97

  • SHA512

    af3c9f6c497d108ee0c81fa9e32cd7de992d8d457e4694834e84b72b0261535160efe78e9023d6fcd2d9771f7dc208be42a258e1786c4989b3d273eb8ce06c3e

  • SSDEEP

    12288:n7/CbvBkSiu436qv618YBHkNBX6jMcyv+ug:n7abJkS1S6qy18sQBX6Yz+/

Score
7/10
persistence

Malware Config

Signatures

  • Executes dropped EXE 6 IoCs
  • Loads dropped DLL 4 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Drops file in Program Files directory 7 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies Internet Explorer settings 1 TTPs 23 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 9 IoCs
  • Suspicious use of AdjustPrivilegeToken 7 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\267d269bc2d169c80bfd00cac590ff24.exe
    "C:\Users\Admin\AppData\Local\Temp\267d269bc2d169c80bfd00cac590ff24.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1628
    • C:\program files (x86)\internet explorer\wmpscfgs.exe
      "C:\program files (x86)\internet explorer\wmpscfgs.exe"
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops file in Program Files directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2940
      • C:\program files (x86)\internet explorer\wmpscfgs.exe
        "C:\program files (x86)\internet explorer\wmpscfgs.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2896
      • C:\program files (x86)\internet explorer\wmpscfgs.exe
        "C:\program files (x86)\internet explorer\wmpscfgs.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1336
      • C:\Program Files (x86)\Internet Explorer\wmpscfgs.exe
        C:\Program Files (x86)\Internet Explorer\wmpscfgs.exe
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2116
    • C:\Program Files (x86)\Internet Explorer\wmpscfgs.exe
      C:\Program Files (x86)\Internet Explorer\wmpscfgs.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2708
  • C:\Windows\system32\taskeng.exe
    taskeng.exe {25AB96B9-63BC-4797-AC82-027C0FEB4F4A} S-1-5-18:NT AUTHORITY\System:Service:
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2660
    • \??\c:\program files (x86)\internet explorer\wmpscfgs.exe
      "c:\program files (x86)\internet explorer\wmpscfgs.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2640
  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
    1⤵
    • Modifies Internet Explorer settings
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2348
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2348 CREDAT:275457 /prefetch:2
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      PID:2284

Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Program Files (x86)\Internet Explorer\wmpscfgs.exe
          Filesize

          451KB

          MD5

          3837b2531d9b69719a833aa8f645bd55

          SHA1

          1f89781a240323c1a22b2438b451d2a527238216

          SHA256

          ad1d6d2e9037eaa8109381603a38b1ab5d4c1e61090b0b9ff55cd7ff707dc2bd

          SHA512

          9c392a2924a9cfdf95980b6134f2c3fedf1643229010ed23dc2bedd614adf8af5e329a324d46d2fa23435d337f47b23acfb02aa7b7a37755825807630cafecc0

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\Cab933D.tmp
          Filesize

          65KB

          MD5

          ac05d27423a85adc1622c714f2cb6184

          SHA1

          b0fe2b1abddb97837ea0195be70ab2ff14d43198

          SHA256

          c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

          SHA512

          6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\Tar936E.tmp
          Filesize

          171KB

          MD5

          9c0c641c06238516f27941aa1166d427

          SHA1

          64cd549fb8cf014fcd9312aa7a5b023847b6c977

          SHA256

          4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

          SHA512

          936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

          Download Submit

        • \??\c:\program files (x86)\adobe\acrotray .exe
          Filesize

          464KB

          MD5

          1e66e467eb37bc4a589c125c937243a9

          SHA1

          57dfa0ebed4c51a763829e05b7322e400f3fd19a

          SHA256

          ebe943f0a8a7219e2ffb22cc74bb44483ee16594f4499fe6442929ed2e7e04ba

          SHA512

          f97f41dd12651907a8e974ff433068d40f61f20badac89585116387acd5f109688fc44232a3c0a3b046b1dec6b3ec14edac1b79c838f3a8ac6a18174d8fc6fd8

          Download Submit

        • \??\c:\program files (x86)\adobe\acrotray.exe
          Filesize

          482KB

          MD5

          63ebfd2ed7f85a55a37e7224c5240c64

          SHA1

          61b5099098440571a2cb3d2697edc365ca0c51ed

          SHA256

          6f9d6c407dcd04b05d0b960b470a75cd1d2799d8beb373340b014e0e503fd859

          SHA512

          00883a64501e21282cf370bf8e75a74484327bdbd19742ba2f5fb82fb7e30109a9ee504352145c4bebb76078fd87a9655be375025b0f31ce7ad853f41801eeb7

          Download Submit

        • \??\c:\program files (x86)\microsoft office\office14\bcssync.exe
          Filesize

          433KB

          MD5

          08ecc94c920cbab9569d2aefa9ce5335

          SHA1

          78d424defe6c00841f7381136868e67492d741ac

          SHA256

          1f4ffb6770aa3fd0e8fcfb1387fd6a7b6a7c838ca6f2d16af1729dc754bb91a7

          SHA512

          dd83413abf92873ed00949da7e471d0fc29b947e99e84cb6b98bc923a77c408491ae8d3788b683c1358a212a5def5ae42a3b686a73583cc8b39c8877385dbec0

          Download Submit

        • memory/1628-0-0x0000000010000000-0x0000000010010000-memory.dmp

          Filesize

          64KB

          Download

        • memory/2940-50-0x00000000008B0000-0x00000000008B2000-memory.dmp

          Filesize

          8KB

          Download