Analysis

  • max time kernel
    117s
  • max time network
    143s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    11-03-2024 23:13

General

  • Target

    7bd5aa00c27eba37e63df475c367e5c066f81cbdaf77b78e8925d848471d17b2.exe

  • Size

    137KB

  • MD5

    65d64ee3cf2ade19767c7b4a43002b28

  • SHA1

    788a134efcef34397677caee41d5980733699195

  • SHA256

    7bd5aa00c27eba37e63df475c367e5c066f81cbdaf77b78e8925d848471d17b2

  • SHA512

    0aac95a3b29771b721f173e4009d03eb4fec20946f2ad80ea7a9b5dd7bfe3874545ee5b82d1bd4ea1371978a74e1da797e60d18c388dd9b0620890f4040cc9d9

  • SSDEEP

    3072:b1i/NU8bOMYcYYcmy5d048g3nan3vx9kGSYng7+s5YmMOMYcYY51i/NU81:5i/NjO5x0Xg+UGSYnuy3Oai/Nd

Score
8/10

Signatures

  • Modifies Installed Components in the registry 2 TTPs 2 IoCs
  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Drops file in System32 directory 2 IoCs
  • Drops file in Windows directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Kills process with taskkill 2 IoCs
  • Modifies Internet Explorer settings 1 TTPs 35 IoCs
  • Modifies Internet Explorer start page 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 8 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Views/modifies file attributes 1 TTPs 7 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\7bd5aa00c27eba37e63df475c367e5c066f81cbdaf77b78e8925d848471d17b2.exe
    "C:\Users\Admin\AppData\Local\Temp\7bd5aa00c27eba37e63df475c367e5c066f81cbdaf77b78e8925d848471d17b2.exe"
    1⤵
    • Drops file in Windows directory
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2772
    • C:\Windows\SysWOW64\taskkill.exe
      taskkill.exe /im KSafeTray.exe /f
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:2952
    • C:\WINDOWS\sys.exe
      "C:\WINDOWS\sys.exe"
      2⤵
      • Modifies Installed Components in the registry
      • Executes dropped EXE
      • Drops file in System32 directory
      • Drops file in Windows directory
      • Modifies Internet Explorer settings
      • Modifies Internet Explorer start page
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2728
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill.exe /im KSafeTray.exe /f
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2672
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe" http://www.ymtuku.com/xg/?tan
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1152
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1152 CREDAT:275457 /prefetch:2
          4⤵
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:2228
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c attrib +h "C:\Documents and Settings\All Users\桌面\Internet Explorer.lnk"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2868
        • C:\Windows\SysWOW64\attrib.exe
          attrib +h "C:\Documents and Settings\All Users\桌面\Internet Explorer.lnk"
          4⤵
          • Views/modifies file attributes
          PID:704
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c attrib +h "C:\Documents and Settings\Admin\桌面\Internet Explorer.lnk"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1628
        • C:\Windows\SysWOW64\attrib.exe
          attrib +h "C:\Documents and Settings\Admin\桌面\Internet Explorer.lnk"
          4⤵
          • Views/modifies file attributes
          PID:1792
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c attrib +h "C:\Documents and Settings\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\启动 Internet Explorer 浏览器.lnk"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1876
        • C:\Windows\SysWOW64\attrib.exe
          attrib +h "C:\Documents and Settings\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\启动 Internet Explorer 浏览器.lnk"
          4⤵
          • Views/modifies file attributes
          PID:1840
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c attrib +h "C:\Documents and Settings\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\Internet Explorer.lnk"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:836
        • C:\Windows\SysWOW64\attrib.exe
          attrib +h "C:\Documents and Settings\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\Internet Explorer.lnk"
          4⤵
          • Views/modifies file attributes
          PID:2628
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c attrib +h "C:\Documents and Settings\Admin\「开始」菜单\程序\Internet Explorer.lnk"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1996
        • C:\Windows\SysWOW64\attrib.exe
          attrib +h "C:\Documents and Settings\Admin\「开始」菜单\程序\Internet Explorer.lnk"
          4⤵
          • Views/modifies file attributes
          PID:1332
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c attrib +h "C:\WINDOWS\sys.exe"
        3⤵
        PID:1732
        • C:\Windows\SysWOW64\attrib.exe
          attrib +h "C:\WINDOWS\sys.exe"
          4⤵
          • Drops file in Windows directory
          • Views/modifies file attributes
          PID:1780
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c attrib +h "c:\sys.exe"
        3⤵
        PID:2368
        • C:\Windows\SysWOW64\attrib.exe
          attrib +h "c:\sys.exe"
          4⤵
          • Views/modifies file attributes
          PID:604
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c del 7bd5aa00c27eba37e63df475c367e5c066f81cbdaf77b78e8925d848471d17b2.exe
      2⤵
      • Deletes itself
      PID:2516

MITRE ATT&CK Enterprise v15

Downloads
