Analysis

  • max time kernel: 101s
  • max time network: 149s
  • platform: windows10-2004_x64
  • resource: win10v2004-20231215-en
  • resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
  • submitted: 25-12-2023 14:43

General

  • Target: 267d269bc2d169c80bfd00cac590ff24.exe
  • Size: 431KB
  • MD5: 267d269bc2d169c80bfd00cac590ff24
  • SHA1: c4dc29015be3df9961248b162ac00e0d23c28648
  • SHA256: 6b59a30ffbb59173a3e379802c5af63956a5db9de4449e54089b92279c97bb97
  • SHA512: af3c9f6c497d108ee0c81fa9e32cd7de992d8d457e4694834e84b72b0261535160efe78e9023d6fcd2d9771f7dc208be42a258e1786c4989b3d273eb8ce06c3e
  • SSDEEP: 12288:n7/CbvBkSiu436qv618YBHkNBX6jMcyv+ug:n7abJkS1S6qy18sQBX6Yz+/

Score: 7/10

Signatures

  • Checks computer location settings (2 TTPs, 2 IoCs)
    Looks up country code configured in the registry, likely geofence.
  • Executes dropped EXE (5 IoCs)
  • Adds Run key to start application (2 TTPs, 2 IoCs)
  • Drops file in Program Files directory (5 IoCs)
  • Enumerates physical storage devices (1 TTP)
    Attempts to interact with connected storage/optical drive(s).
  • Modifies Internet Explorer settings (1 TTP, 12 IoCs)
  • Suspicious behavior: EnumeratesProcesses (6 IoCs)
  • Suspicious use of AdjustPrivilegeToken (6 IoCs)
  • Suspicious use of FindShellTrayWindow (1 IoC)
  • Suspicious use of SetWindowsHookEx (4 IoCs)
  • Suspicious use of WriteProcessMemory (18 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\267d269bc2d169c80bfd00cac590ff24.exe (level 1, PID 228)
    "C:\Users\Admin\AppData\Local\Temp\267d269bc2d169c80bfd00cac590ff24.exe"
    • Checks computer location settings
    • Adds Run key to start application
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    • C:\Program Files (x86)\Internet Explorer\wmpscfgs.exe (level 2, PID 3772)
      C:\Program Files (x86)\Internet Explorer\wmpscfgs.exe
      • Checks computer location settings
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops file in Program Files directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      • C:\program files (x86)\internet explorer\wmpscfgs.exe (level 3, PID 3516)
        "C:\program files (x86)\internet explorer\wmpscfgs.exe" Files (x86)\Internet Explorer\wmpscfgs.exe
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
      • C:\Program Files (x86)\Internet Explorer\wmpscfgs.exe (level 3, PID 3628)
        C:\Program Files (x86)\Internet Explorer\wmpscfgs.exe
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
      • C:\program files (x86)\internet explorer\wmpscfgs.exe (level 3, PID 4992)
        "C:\program files (x86)\internet explorer\wmpscfgs.exe" Files (x86)\Internet Explorer\wmpscfgs.exe
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
    • C:\program files (x86)\internet explorer\wmpscfgs.exe (level 2, PID 2384)
      "C:\program files (x86)\internet explorer\wmpscfgs.exe"
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
  • C:\Program Files\Internet Explorer\iexplore.exe (level 1, PID 396)
    "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
    • Modifies Internet Explorer settings
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE (level 2, PID 1704)
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:396 CREDAT:17410 /prefetch:2
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE (level 2, PID 2940)
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:396 CREDAT:17418 /prefetch:2
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE (level 2, PID 4044)
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:396 CREDAT:17426 /prefetch:2
  • C:\Program Files (x86)\Internet Explorer\ielowutil.exe (level 1, PID 4428)
    "C:\Program Files (x86)\Internet Explorer\ielowutil.exe" -CLSID:{0002DF01-0000-0000-C000-000000000046} -Embedding