Overview

overview

9

Static

static

3

a9420ed285...65.exe

windows7-x64

9

a9420ed285...65.exe

windows10-2004-x64

9

Analysis

  • max time kernel
    150s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    07/03/2024, 23:10

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    a9420ed28532014ee76241d5327face1334bc6b0709bc5fe92a14cf5e7e2a065.exe

  • Size

    426KB

  • MD5

    c83cfc6543628d983a5048685b251540

  • SHA1

    012d52e1795d7284876326585b316d58d43f9c12

  • SHA256

    a9420ed28532014ee76241d5327face1334bc6b0709bc5fe92a14cf5e7e2a065

  • SHA512

    716ef14b3c669e94067d16cf74ab48a9b818f744e4fba22bb33b12c9072c7dfee96a4a6a0dd8c05df4d4e54c25e68746791ebb9f72e1298bc74907395f0fb8e0

  • SSDEEP

    6144:x8AvJrkMF24NqmvkpW3otptcfOpkG4vy5xCoBkwxyQV3AV4iSe3/Bs1JvdvyIpkM:x8QrC96+Dt1kgJ7yQV3AV47JNyI+6L

Score
9/10
persistence

Malware Config

Signatures

  • Detects executables (downlaoders) containing URLs to raw contents of a paste 4 IoCs
  • Detects executables referencing many IR and analysis tools 4 IoCs
  • Modifies Installed Components in the registry 2 TTPs 1 IoCs
    persistence
  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Program crash 9 IoCs
  • Checks SCSI registry key(s) 3 TTPs 58 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Modifies Internet Explorer settings 1 TTPs 16 IoCs
    adwarespyware
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 20 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of SetWindowsHookEx 7 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 5 IoCs
  • System policy modification 1 TTPs 2 IoCs
    evasion
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence
  • Uses Volume Shadow Copy WMI provider

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Users\Admin\AppData\Local\Temp\a9420ed28532014ee76241d5327face1334bc6b0709bc5fe92a14cf5e7e2a065.exe
    "C:\Users\Admin\AppData\Local\Temp\a9420ed28532014ee76241d5327face1334bc6b0709bc5fe92a14cf5e7e2a065.exe"
    1⤵
    • Suspicious behavior: RenamesItself
    • Suspicious use of WriteProcessMemory
    PID:3240
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3240 -s 356
      2⤵
      • Program crash
      PID:1392
    • C:\Users\Admin\AppData\Local\Temp\a9420ed28532014ee76241d5327face1334bc6b0709bc5fe92a14cf5e7e2a065.exe
      C:\Users\Admin\AppData\Local\Temp\a9420ed28532014ee76241d5327face1334bc6b0709bc5fe92a14cf5e7e2a065.exe
      2⤵
      • Deletes itself
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of UnmapMainImage
      • System policy modification
      PID:2372
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 2372 -s 332
        3⤵
        • Program crash
        PID:4820
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 2372 -s 668
        3⤵
        • Program crash
        PID:4072
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 2372 -s 800
        3⤵
        • Program crash
        PID:2088
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 2372 -s 844
        3⤵
        • Program crash
        PID:2536
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 2372 -s 960
        3⤵
        • Program crash
        PID:4316
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 2372 -s 816
        3⤵
        • Program crash
        PID:4320
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 2372 -s 1072
        3⤵
        • Program crash
        PID:4396
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 2372 -s 1252
        3⤵
        • Program crash
        PID:4268
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 372 -p 3240 -ip 3240
    1⤵
      PID:3712
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 2372 -ip 2372
      1⤵
        PID:2192
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 2372 -ip 2372
        1⤵
          PID:1752
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 2372 -ip 2372
          1⤵
            PID:3012
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 2372 -ip 2372
            1⤵
              PID:888
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 2372 -ip 2372
              1⤵
                PID:1816
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 2372 -ip 2372
                1⤵
                  PID:2956
                • C:\Windows\SysWOW64\WerFault.exe
                  C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 2372 -ip 2372
                  1⤵
                    PID:396
                  • C:\Windows\SysWOW64\WerFault.exe
                    C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 2372 -ip 2372
                    1⤵
                      PID:4956
                    • C:\Windows\system32\sihost.exe
                      sihost.exe
                      1⤵
                      • Modifies registry class
                      • Suspicious use of WriteProcessMemory
                      PID:3740
                      • C:\Windows\explorer.exe
                        explorer.exe /LOADSAVEDWINDOWS
                        2⤵
                        • Modifies registry class
                        PID:2344
                    • C:\Windows\explorer.exe
                      explorer.exe
                      1⤵
                      • Modifies Installed Components in the registry
                      • Checks SCSI registry key(s)
                      • Modifies Internet Explorer settings
                      • Modifies registry class
                      PID:2484
                    • C:\Windows\system32\svchost.exe
                      C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
                      1⤵
                      • Suspicious behavior: AddClipboardFormatListener
                      PID:2480
                    • C:\Windows\System32\rundll32.exe
                      C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {9BA05972-F6A8-11CF-A442-00A0C90A8F39} -Embedding
                      1⤵
                        PID:1104
                      • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
                        "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
                        1⤵
                        • Modifies registry class
                        • Suspicious use of SetWindowsHookEx
                        PID:2084
                      • C:\Windows\system32\svchost.exe
                        C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
                        1⤵
                          PID:4896
                        • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
                          "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
                          1⤵
                          • Modifies Internet Explorer settings
                          • Modifies registry class
                          • Suspicious use of SetWindowsHookEx
                          PID:916
                        • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
                          "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
                          1⤵
                          • Modifies Internet Explorer settings
                          • Modifies registry class
                          • Suspicious use of SetWindowsHookEx
                          PID:2400
                        • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
                          "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
                          1⤵
                          • Modifies Internet Explorer settings
                          • Modifies registry class
                          • Suspicious use of SetWindowsHookEx
                          PID:1980
                        • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
                          "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
                          1⤵
                          • Modifies Internet Explorer settings
                          • Modifies registry class
                          • Suspicious use of SetWindowsHookEx
                          PID:2160
                        • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
                          "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
                          1⤵
                          • Modifies Internet Explorer settings
                          • Modifies registry class
                          • Suspicious use of SetWindowsHookEx
                          PID:4624
                        • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
                          "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
                          1⤵
                          • Modifies Internet Explorer settings
                          • Modifies registry class
                          • Suspicious use of SetWindowsHookEx
                          PID:2772
                        • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
                          "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
                          1⤵
                            PID:2024

                          Network

                                MITRE ATT&CK Enterprise v15

                                Replay Monitor

                                Loading Replay Monitor...

                                Downloads

                                • C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\N3A1GXDL\microsoft.windows[1].xml
                                  Filesize

                                  97B

                                  MD5

                                  2a048584ff1532f817c94dc91dcd1288

                                  SHA1

                                  a8feaa50ff20598096757253f961ed62cc8e2569

                                  SHA256

                                  ac0e9ccd0c2a91247d80d72c35930928c1da245701ca832072bd977c61d3901a

                                  SHA512

                                  b6e50c342123202657e524ce15e02851da3b8573494e0ba98f7b70c6438fcbee100df4eac302d1dcbd3d3123bdf14a11d232c96d998c569431887317419c1d86

                                  Download Submit

                                • C:\Users\Admin\AppData\Local\Temp\a9420ed28532014ee76241d5327face1334bc6b0709bc5fe92a14cf5e7e2a065.exe
                                  Filesize

                                  426KB

                                  MD5

                                  97ca7d604ae46dbc81dd676b852a0de8

                                  SHA1

                                  aaa88959d8a375769c58ca3315d7c3b4eeb9b564

                                  SHA256

                                  c88aa6a0a58bde892589e347736120dd03d016b7041b110074fba16944f36f22

                                  SHA512

                                  3e9329a52ede398b48c4fc961aaa17a8e9e1230eb0475ce31ce062192b8bd32e32d43541f13ab623be48d2daf7553673c7ab1a700738ac06b01aa3290b72703e

                                  Download Submit

                                • memory/916-42-0x000002C7A87D0000-0x000002C7A87F0000-memory.dmp

                                  Filesize

                                  128KB

                                  Download

                                • memory/916-36-0x000002C7A8400000-0x000002C7A8420000-memory.dmp

                                  Filesize

                                  128KB

                                  Download

                                • memory/916-38-0x000002C7A83C0000-0x000002C7A83E0000-memory.dmp

                                  Filesize

                                  128KB

                                  Download

                                • memory/1980-84-0x0000026809640000-0x0000026809660000-memory.dmp

                                  Filesize

                                  128KB

                                  Download

                                • memory/1980-86-0x0000026809A50000-0x0000026809A70000-memory.dmp

                                  Filesize

                                  128KB

                                  Download

                                • memory/1980-82-0x0000026809680000-0x00000268096A0000-memory.dmp

                                  Filesize

                                  128KB

                                  Download

                                • memory/2160-107-0x00000223678F0000-0x0000022367910000-memory.dmp

                                  Filesize

                                  128KB

                                  Download

                                • memory/2160-105-0x00000223671E0000-0x0000022367200000-memory.dmp

                                  Filesize

                                  128KB

                                  Download

                                • memory/2160-103-0x0000022367520000-0x0000022367540000-memory.dmp

                                  Filesize

                                  128KB

                                  Download

                                • memory/2372-24-0x0000000000400000-0x000000000045A000-memory.dmp

                                  Filesize

                                  360KB

                                  Download

                                • memory/2372-16-0x0000000000400000-0x000000000045A000-memory.dmp

                                  Filesize

                                  360KB

                                  Download

                                • memory/2372-9-0x0000000000400000-0x000000000045A000-memory.dmp

                                  Filesize

                                  360KB

                                  Download

                                • memory/2372-8-0x0000000004DB0000-0x0000000004E22000-memory.dmp

                                  Filesize

                                  456KB

                                  Download

                                • memory/2372-25-0x0000000000400000-0x000000000045A000-memory.dmp

                                  Filesize

                                  360KB

                                  Download

                                • memory/2372-7-0x0000000000400000-0x0000000000472000-memory.dmp

                                  Filesize

                                  456KB

                                  Download

                                • memory/2400-57-0x0000028373290000-0x00000283732B0000-memory.dmp

                                  Filesize

                                  128KB

                                  Download

                                • memory/2400-61-0x0000028373660000-0x0000028373680000-memory.dmp

                                  Filesize

                                  128KB

                                  Download

                                • memory/2400-59-0x0000028373250000-0x0000028373270000-memory.dmp

                                  Filesize

                                  128KB

                                  Download

                                • memory/2772-143-0x0000026496A20000-0x0000026496A40000-memory.dmp

                                  Filesize

                                  128KB

                                  Download

                                • memory/2772-148-0x0000026496DE0000-0x0000026496E00000-memory.dmp

                                  Filesize

                                  128KB

                                  Download

                                • memory/2772-145-0x00000264967D0000-0x00000264967F0000-memory.dmp

                                  Filesize

                                  128KB

                                  Download

                                • memory/3240-6-0x0000000000400000-0x0000000000472000-memory.dmp

                                  Filesize

                                  456KB

                                  Download

                                • memory/3240-0-0x0000000000400000-0x0000000000472000-memory.dmp

                                  Filesize

                                  456KB

                                  Download

                                • memory/4624-125-0x000001FB86E20000-0x000001FB86E40000-memory.dmp

                                  Filesize

                                  128KB

                                  Download

                                • memory/4624-123-0x000001FB86A20000-0x000001FB86A40000-memory.dmp

                                  Filesize

                                  128KB

                                  Download

                                • memory/4624-121-0x000001FB86A60000-0x000001FB86A80000-memory.dmp

                                  Filesize

                                  128KB

                                  Download