Analysis

  • max time kernel
    143s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240412-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240412-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    21/04/2024, 23:13

General

  • Target

    74271e01650816e7478bfb47e3344729b4fbb05d3e1ca096df74fcab14a50808.exe

  • Size

    683KB

  • MD5

    a564887ce58df5961b28d40a4193a6e2

  • SHA1

    a4c28aca82c84f2626725cf21dc8a3bc6b4ab5a1

  • SHA256

    74271e01650816e7478bfb47e3344729b4fbb05d3e1ca096df74fcab14a50808

  • SHA512

    8561e299e0839d86c6f2160edd1c1b875bd6d2c207fa99a68b8697d03195b11b1d05bd9b6f2ad2d52bd26ec385452e2cefee607422af283a13da9dda52a5c2f4

  • SSDEEP

    12288:wSTURpWedRKW2yGaLiFxAMaxfkeGPpib4eC3sR/9ZEw:wST8pWwFrGaOFxLlRPpiRCY9ZEw

Score
7/10

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 5 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Drops file in Program Files directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies Internet Explorer settings 1 TTPs 33 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SetWindowsHookEx 12 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\74271e01650816e7478bfb47e3344729b4fbb05d3e1ca096df74fcab14a50808.exe
    "C:\Users\Admin\AppData\Local\Temp\74271e01650816e7478bfb47e3344729b4fbb05d3e1ca096df74fcab14a50808.exe"
    1⤵
    • Checks computer location settings
    • Adds Run key to start application
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2100
    • C:\program files (x86)\internet explorer\wmpscfgs.exe
      "C:\program files (x86)\internet explorer\wmpscfgs.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops file in Program Files directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4228
      • C:\program files (x86)\internet explorer\wmpscfgs.exe
        "C:\program files (x86)\internet explorer\wmpscfgs.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:4788
      • C:\program files (x86)\internet explorer\wmpscfgs.exe
        "C:\program files (x86)\internet explorer\wmpscfgs.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:3316
      • C:\Program Files (x86)\Internet Explorer\wmpscfgs.exe
        C:\Program Files (x86)\Internet Explorer\wmpscfgs.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:4868
    • C:\Program Files (x86)\Internet Explorer\wmpscfgs.exe
      C:\Program Files (x86)\Internet Explorer\wmpscfgs.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:4204
  • C:\Program Files (x86)\Internet Explorer\ielowutil.exe
    "C:\Program Files (x86)\Internet Explorer\ielowutil.exe" -CLSID:{0002DF01-0000-0000-C000-000000000046} -Embedding
    1⤵
      PID:4332
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
      1⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:3024
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3024 CREDAT:17410 /prefetch:2
        2⤵
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:2152
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3024 CREDAT:17414 /prefetch:2
        2⤵
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:2332
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3024 CREDAT:17422 /prefetch:2
        2⤵
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:2284

Network

MITRE ATT&CK Enterprise v15

Downloads

    • C:\Program Files (x86)\Internet Explorer\wmpscfgs.exe

      Filesize

      695KB

      MD5

      c16cde790c5ef6f51bc1fed25cf5ccac

      SHA1

      b798334f702b66e9fe4594bd5382b6900918fe72

      SHA256

      e79c7a9c9531f48cb23d073205b36881995a26f82273d822e2e46985abbbb851

      SHA512

      cc59b69b992b485f3191bb7553b0b5702bc154e9a46b936f831892234dab330a1ec417a713b22f2e8f1db26786930ee6ef1eb35fd67ab0e2b0f13131c8be1be8

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\SMQKEDQF\bGxINvQCJ[1].js

      Filesize

      32KB

      MD5

      4c0f57c52b87f02f9d2ed1ae3859243a

      SHA1

      8942e2891e8e847934a601d561f4683d169c3b88

      SHA256

      999eda15b8baaf116b1df2c02cca93e903773d939229ea3bf6a8a981815136e5

      SHA512

      2e471e9bf4d2cc8f81f1ffe0e969a54d5d4e1776507ba82a9e9a138b4bc249c0a7875e31c3fa22faf0546841bafe436038cb12f04b3490a13babef99b0c82b5d

    • \??\c:\program files (x86)\adobe\acrotray .exe

      Filesize

      697KB

      MD5

      0ce31c70397b09da9250f2255ad00822

      SHA1

      22a79ff9878a5ba5961d98c16732e08fd1dd59ef

      SHA256

      ac6b3698e590a07d873967fc3d234b1d121e72f2cb66e939bfd8ef4610c356d1

      SHA512

      ec37b44dbe76747d6d03529b220fb3e83f03184d3c470097fc44c427ba6c80a8ef15a08702c62a97b67cc66f6e0607b4b03f854f344e0af66d24df86c8607ea7

    • memory/2100-0-0x0000000010000000-0x0000000010010000-memory.dmp

      Filesize

      64KB