Overview

overview

8

Static

static

3

093e57286e...20.exe

windows7-x64

8

093e57286e...20.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    150s
  • max time network
    143s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
  • submitted
    30-12-2023 00:56

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    093e57286e10c4e666db46cd80e83c20.exe

  • Size

    27KB

  • MD5

    093e57286e10c4e666db46cd80e83c20

  • SHA1

    f9eceb549e7c6f3609da0f354b65c9b5eb68d0dc

  • SHA256

    a2e97424599065a0b2f1c25f3881d0f42ba7abd4750ab6b682fb524a3834eaec

  • SHA512

    ca362631cf58b3f0ee082a67c57c6097aca4a1e8e2f4039b1fcf60202a1429086516ed2797b4e5a56c7d816ef4ef23939ca14d114fbf9dcefe581f87be64d0c2

  • SSDEEP

    768:81BcNG1uZNMVPUNHDejyRnFm0/TKKodowr:8GpHMKlnUuydo8

Score
8/10
persistence

Malware Config

Signatures

  • Adds policy Run key to start application 2 TTPs 2 IoCs
    persistence
  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 6 IoCs
  • Drops file in System32 directory 6 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies Internet Explorer settings 1 TTPs 26 IoCs
    adwarespyware
  • Runs ping.exe 1 TTPs 8 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\093e57286e10c4e666db46cd80e83c20.exe
    "C:\Users\Admin\AppData\Local\Temp\093e57286e10c4e666db46cd80e83c20.exe"
    1⤵
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1220
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe "C:\Windows\system32\wincheck071204.dll" mymain
      2⤵
      • Loads dropped DLL
      • Drops file in Windows directory
      • Suspicious use of WriteProcessMemory
      PID:2792
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\mycjjk.bat" "
        3⤵
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:2908
        • C:\Windows\SysWOW64\wincheck071204.exe
          "C:\Windows\system32\wincheck071204.exe" i
          4⤵
          • Adds policy Run key to start application
          • Executes dropped EXE
          • Drops file in System32 directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1208
          • C:\program files\internet explorer\iexplore.exe
            "C:\program files\internet explorer\iexplore.exe"
            5⤵
            • Modifies Internet Explorer settings
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:568
            • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
              "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:568 CREDAT:275457 /prefetch:2
              6⤵
              • Modifies Internet Explorer settings
              • Suspicious use of SetWindowsHookEx
              PID:3036
          • C:\Windows\SysWOW64\cmd.exe
            cmd /c ""C:\jkDelme.bat" "
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:2408
            • C:\Windows\SysWOW64\PING.EXE
              ping 127.0.0.1
              6⤵
              • Runs ping.exe
              PID:2488
            • C:\Windows\SysWOW64\PING.EXE
              ping 127.0.0.1
              6⤵
              • Runs ping.exe
              PID:344
            • C:\Windows\SysWOW64\PING.EXE
              ping 127.0.0.1
              6⤵
              • Runs ping.exe
              PID:2660
            • C:\Windows\SysWOW64\PING.EXE
              ping 127.0.0.1
              6⤵
              • Runs ping.exe
              PID:2788
            • C:\Windows\SysWOW64\PING.EXE
              ping 127.0.0.1
              6⤵
              • Runs ping.exe
              PID:2604
            • C:\Windows\SysWOW64\PING.EXE
              ping 127.0.0.1
              6⤵
              • Runs ping.exe
              PID:2036
            • C:\Windows\SysWOW64\PING.EXE
              ping 127.0.0.1
              6⤵
              • Runs ping.exe
              PID:2796
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\jkDelme.bat" "
      2⤵
      • Deletes itself
      • Suspicious use of WriteProcessMemory
      PID:2748
      • C:\Windows\SysWOW64\PING.EXE
        ping 127.0.0.1
        3⤵
        • Runs ping.exe
        PID:2800

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    344B

    MD5

    0adfa9303af6140225248c9ac32dd675

    SHA1

    120c940f4165fe0d6c2f64d047f3d21d3ef2faaf

    SHA256

    5f87fcc261c51aefefb50ade27cb18baeeb53e10e9e2fe47d3d494fe075c9d25

    SHA512

    3224113a01bbc57ee34f073d87798e25402e66c3b29c348d5810879fdb4a7b2575b7338f4615a011b53ca7b971a28cdf2bf9751b3d43913014a13757ae08ac5d

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    344B

    MD5

    74a7e9964aa2594b450565dc38451ef4

    SHA1

    1ce60bbae762c62958ebc68cb493d6f76d9e3802

    SHA256

    5dec992dce16f26277487627bc2423c1e680819fb961fbc498c0259be42948f5

    SHA512

    04f0a513d3d1609b91a346019ba6b7b1bc5c0ce52c7a4212a2524c938504276787c3fdb1bbcef138b00ed1e591d6a85f9bd9c69945ee67ad7e109efb1ca0a14a

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    344B

    MD5

    efea119bdc186b84999b4b0aea8f528a

    SHA1

    32e0140394a0753956f575c14b96203cba5b5c91

    SHA256

    342371c23b8b118d0d6a1fde15a5f1079e703d8cf8e65f6b8192713d82940d0e

    SHA512

    8ad7de67cd80f7cb559256fd3d7e4efbfc1caeb7290a0955f19a4d5676c337e26aedbc03974c0e5730b96b1ba15769bfb7f461b633da0c2d731f1c41658b42b2

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    344B

    MD5

    d9a7bee37058e19bd56813c2707eaf7e

    SHA1

    536151851889c1a69dc178cc5a9ad4dd9d4d6a23

    SHA256

    517cbbfbb45d45adb7dbfe9321b21bfbe2bd51d227a74753236fcf8a88d4a82f

    SHA512

    d1a13f359faa8e39a25eea53f9167e66c53154b955a8f5c14895fecd3e2428a6f33f3c79ad0c58e583f07759829b4e07be3e5dd119228c7df7b6200623d178b7

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    344B

    MD5

    28c70d2ee90fdc2b3efe1ff0505338e8

    SHA1

    f7110dbe851437269bbb18c1df787f465e7dd71d

    SHA256

    f8cc90a6b63e10f817f090e2efaaef0007385a6976ac32449b167706afb24b57

    SHA512

    28a75f8cb1bd9aaf17323a111467c9ee605cd613cc4e4d1fdbe7a6779c8e55425bcad2d446b3d5179089cfb81c44e79bafdb53bbc549c2b8e94f0f0fa0d9bb48

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    344B

    MD5

    21cf7216c035ba3b5905c79f61753ae4

    SHA1

    ffaf069fee0706614c19d5743bbe41715a45e21b

    SHA256

    f5dc54cc463bbac6e98a62e804d18b55d04ff571a12d7efa27aebdaeeb001477

    SHA512

    2a72b22b8a6d5bb00216463ede2d4a26704dc91a2deba057cbd39968098cd5aadf0a774692901c1f06cc22938c022ef7f09f53f1bf8898a57c7ca174e0c1a8f3

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    344B

    MD5

    874042ab79e45d0eb57bfd3b698ff5ab

    SHA1

    58944069f315a083db74b44aebaaf82a25756f2d

    SHA256

    f4c8668e61627448340fb61d8753edbb49b2570067344e19168103abe4676dfb

    SHA512

    557b0064a43db0be1cd77e2907ae9a225d4ae92241f44c1d9080134aa1ce40f544c8aa1f11b199ed2c6947d43ee2f72275c30e054f28b91e734e20204a251ed6

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    344B

    MD5

    038b1ae7468e94603080ce2f1a51bad3

    SHA1

    ca72a32b6e2a51ed3c5a88017f41016a829cce60

    SHA256

    2fc4f5e229db33a08d3a9318750a5eabac59f367b99670bc769b72184879212c

    SHA512

    2f03facae686a525000d0c0c0d500c1eebffcc7e669e592b39b975ed22a9752f5b10659d1bfab55c9914453fcedbdd07c71ff6174fdb1ef1904c90678242ebb8

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    344B

    MD5

    e276b5bb616050fe74d00c2f224b0957

    SHA1

    f7bd636239256a57a767ace6a8d45e8f95fa5f69

    SHA256

    8a9d7f85c50ff0b9a83f2a231f22d1d75abcbe8a63a39de6c7d08cb32af4ea07

    SHA512

    8e42d8f2a5651450a7350637b1e626670bf0cb7c2091ec394ee5d8144cf7b5ebc8d651ba44937bcc358d8779b243675e3bfef061639d742dbbb2f94532587256

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Cab45AB.tmp
    Filesize

    65KB

    MD5

    ac05d27423a85adc1622c714f2cb6184

    SHA1

    b0fe2b1abddb97837ea0195be70ab2ff14d43198

    SHA256

    c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

    SHA512

    6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Tar4E36.tmp
    Filesize

    171KB

    MD5

    9c0c641c06238516f27941aa1166d427

    SHA1

    64cd549fb8cf014fcd9312aa7a5b023847b6c977

    SHA256

    4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

    SHA512

    936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

    Download Submit

  • C:\Windows\SysWOW64\wincheck071204.dll
    Filesize

    26KB

    MD5

    43e732a7c10d90e3f6fbd9f044328243

    SHA1

    1fa4637d03961d8e0826db95621e0b7e3ed4da46

    SHA256

    a8110f6a8fdc87c0194fce073aa35e70be5eaf9e5e68a55892e7b186bb11aa8d

    SHA512

    c6393818328ca372247b5a8e2624a89a77006b76321bb09b4129443ddd5ec17ab4184d1d64b9fcb489739f648a5582e78a60ee1a1cb404946bff917eccfcc5d9

    Download Submit

  • C:\Windows\SysWOW64\wincheck071204.exe
    Filesize

    27KB

    MD5

    093e57286e10c4e666db46cd80e83c20

    SHA1

    f9eceb549e7c6f3609da0f354b65c9b5eb68d0dc

    SHA256

    a2e97424599065a0b2f1c25f3881d0f42ba7abd4750ab6b682fb524a3834eaec

    SHA512

    ca362631cf58b3f0ee082a67c57c6097aca4a1e8e2f4039b1fcf60202a1429086516ed2797b4e5a56c7d816ef4ef23939ca14d114fbf9dcefe581f87be64d0c2

    Download Submit

  • C:\Windows\checkcj.ini
    Filesize

    140B

    MD5

    505a8baf20d70f2264f437da46b90407

    SHA1

    b833a22f5f64c85e25fe3079268cb6bc3da671bc

    SHA256

    0a477c771b3aa9da7926a9904279de04ba727b44e5e788687e3ebe5c751b341e

    SHA512

    4fdb8b7050f82215383cbc77c5339cd81ffc470af64fdeda2e686a9be285d5084ccdf77477249c9ae5fbd54a3ccfc98bc57535d18f3f0192465ec5387af3c025

    Download Submit

  • C:\Windows\checkcj.ini
    Filesize

    141B

    MD5

    5c02dda9158ab4f4591ecbaaf01fe03a

    SHA1

    e0dabe014997b6efb82dab37562247e8a4f9360b

    SHA256

    60f20e446c263cde265c4d78858daaf31fd61ccab7ea11693592cd7a0bc4afeb

    SHA512

    c04ef5bb2ddc9c177e8337fe5a3199635bfd3c9ac66e2215e7cc261edf482d5db0bea0dee820e65b310b8bad9b0f16a5e01858a47250c21701c2daf3d8709a38

    Download Submit

  • C:\jkDelme.bat
    Filesize

    141B

    MD5

    9671fc8178ba803288c8253af229670e

    SHA1

    9baf08b1bf5428652f260a8f640ffb16b3dbb565

    SHA256

    e122f40c8b024e7610f0ee34feceea8285165a642be7684447b0effdd0edaf0b

    SHA512

    7d32622b48f5d35ed5c0511aaafb6b45f8ed592de53017987a5d5f5fad4b08fd8b39f94fad51171b79b3a868fd953491c8eeaf4c829d4d83708998da7eaef111

    Download Submit

  • C:\jkDelme.bat
    Filesize

    205B

    MD5

    b9685d9b72dfcb98504d42d9cb71c751

    SHA1

    c63628390425622a422be9a1d3e58dbf02fb4389

    SHA256

    2aedf9922c0ca7fd2692ed1fc30d3ee6b8ea295ff84744ee8d88d668c5853b48

    SHA512

    2f399b7e6a0c52bbd19cbf9fc051a73063536f962fc74273597bed2bd76884634a79aa11fd34471a5de133f9794faa94e7544ce84d286012ba2ea29ab64d1c02

    Download Submit

  • C:\mycjjk.bat
    Filesize

    52B

    MD5

    7613c54d05351d0110cab1e8f50e00d3

    SHA1

    e206b93cce28ec853f13152199064a0ef87d375b

    SHA256

    3951680106e4f5df715cd90f2911f66b6bac82fea2de68e6074d541b6310652b

    SHA512

    3015531529cd8989cf94cfc940471ce221d6a65494cb442f45e36dbd553326f412397db64fbb2abb54acf681662572b82cb99c909dc7a4d5083d95883a0e25e0

    Download Submit

  • memory/2792-38-0x0000000000400000-0x000000000040C000-memory.dmp

    Filesize

    48KB

    Download

  • memory/2792-64-0x0000000000400000-0x000000000040C000-memory.dmp

    Filesize

    48KB

    Download

  • memory/2792-30-0x0000000000400000-0x000000000040C000-memory.dmp

    Filesize

    48KB

    Download

  • memory/2792-24-0x0000000000400000-0x000000000040C000-memory.dmp

    Filesize

    48KB

    Download