Overview

overview

8

Static

static

7

bbb2811b32...0N.exe

windows7-x64

8

bbb2811b32...0N.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    71s
  • max time network
    72s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
  • submitted
    02/08/2024, 16:46

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    bbb2811b32a9624bf4dc55f19e8eb4a0N.exe

  • Size

    232KB

  • MD5

    bbb2811b32a9624bf4dc55f19e8eb4a0

  • SHA1

    0f06476c8bd62f75b84f96c811cfb51a6c75f29a

  • SHA256

    18259678ef431a836b00a935c650ab8e46d5e2353270a8e39e3d6e40f807d437

  • SHA512

    fe8bfb22d085c58a43b651febde3b65751591d7a0a4970fbfd77899128721799c74b053c3f69c08137061569e5c70c79928bd315a52ac7c004aafc8ef8bb1d14

  • SSDEEP

    3072:w1i/NU8bOMYcYYcmy51VRgiFCpCIXUWOLTsEsigcL3P6xxc1VOz1i/NU82OMYcYU:ei/NjO5xbg/CSUFLTwMjs6oi/N+O7

Score
8/10
defense_evasiondiscoverypersistenceupx

Malware Config

Signatures

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 2 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    persistence
  • UPX packed file 4 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Drops file in System32 directory 2 IoCs
  • Hide Artifacts: Hidden Files and Directories 1 TTPs 7 IoCs
    defense_evasion
  • Drops file in Windows directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 16 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies Internet Explorer settings 1 TTPs 35 IoCs
    adwarespyware
  • Modifies Internet Explorer start page 1 TTPs 1 IoCs
    stealer
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 7 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Views/modifies file attributes 1 TTPs 7 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\bbb2811b32a9624bf4dc55f19e8eb4a0N.exe
    "C:\Users\Admin\AppData\Local\Temp\bbb2811b32a9624bf4dc55f19e8eb4a0N.exe"
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Drops file in System32 directory
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Modifies Internet Explorer settings
    • Modifies Internet Explorer start page
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2368
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" http://www.ymtuku.com/xg/?tan
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1616
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1616 CREDAT:275457 /prefetch:2
        3⤵
        • System Location Discovery: System Language Discovery
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:872
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c attrib +h "C:\Documents and Settings\All Users\桌面\Internet Explorer.lnk"
      2⤵
      • Hide Artifacts: Hidden Files and Directories
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2172
      • C:\Windows\SysWOW64\attrib.exe
        attrib +h "C:\Documents and Settings\All Users\桌面\Internet Explorer.lnk"
        3⤵
        • System Location Discovery: System Language Discovery
        • Views/modifies file attributes
        PID:2756
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c attrib +h "C:\Documents and Settings\Admin\桌面\Internet Explorer.lnk"
      2⤵
      • Hide Artifacts: Hidden Files and Directories
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2812
      • C:\Windows\SysWOW64\attrib.exe
        attrib +h "C:\Documents and Settings\Admin\桌面\Internet Explorer.lnk"
        3⤵
        • System Location Discovery: System Language Discovery
        • Views/modifies file attributes
        PID:2836
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c attrib +h "C:\Documents and Settings\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\启动 Internet Explorer 浏览器.lnk"
      2⤵
      • Hide Artifacts: Hidden Files and Directories
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2752
      • C:\Windows\SysWOW64\attrib.exe
        attrib +h "C:\Documents and Settings\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\启动 Internet Explorer 浏览器.lnk"
        3⤵
        • System Location Discovery: System Language Discovery
        • Views/modifies file attributes
        PID:2868
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c attrib +h "C:\Documents and Settings\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\Internet Explorer.lnk"
      2⤵
      • Hide Artifacts: Hidden Files and Directories
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2716
      • C:\Windows\SysWOW64\attrib.exe
        attrib +h "C:\Documents and Settings\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\Internet Explorer.lnk"
        3⤵
        • System Location Discovery: System Language Discovery
        • Views/modifies file attributes
        PID:2904
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c attrib +h "C:\Documents and Settings\Admin\「开始」菜单\程序\Internet Explorer.lnk"
      2⤵
      • Hide Artifacts: Hidden Files and Directories
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2912
      • C:\Windows\SysWOW64\attrib.exe
        attrib +h "C:\Documents and Settings\Admin\「开始」菜单\程序\Internet Explorer.lnk"
        3⤵
        • System Location Discovery: System Language Discovery
        • Views/modifies file attributes
        PID:772
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c attrib +h "C:\WINDOWS\windows.exe"
      2⤵
      • Hide Artifacts: Hidden Files and Directories
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2864
      • C:\Windows\SysWOW64\attrib.exe
        attrib +h "C:\WINDOWS\windows.exe"
        3⤵
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Views/modifies file attributes
        PID:1564
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c attrib +h "c:\system.exe"
      2⤵
      • Hide Artifacts: Hidden Files and Directories
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2596
      • C:\Windows\SysWOW64\attrib.exe
        attrib +h "c:\system.exe"
        3⤵
        • System Location Discovery: System Language Discovery
        • Views/modifies file attributes
        PID:2664

Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
          Filesize

          342B

          MD5

          6fa0ff4df5a99142c05a19257fafe866

          SHA1

          f062490d5a8d08c0275b46c94d8f93edf5d5b1d3

          SHA256

          c8698f31c270dc19e521d9abc0553610b5eafb3ff36edccd8cfb3d1f6b049201

          SHA512

          82a5a4d79fc850db5cd22e242f5a1b94eaa157e9c6d0a7850a9080b71cd66b1bb7e2f360b47796385c70c5ef0936abfdc02f15843ecc1acfedffb750f021b586

          Download Submit

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
          Filesize

          342B

          MD5

          e4a1c2abfaf31defe6c378e0ac949cfc

          SHA1

          045927364007e259dfd927883c51f326c1aa651a

          SHA256

          8c0ebab60dba0a2a0a6694d21dfb1a4c285f690de6ac2e459cece377494fe040

          SHA512

          88567f2a3e3407c429269569ea8fac21edff3dcecd677bc3efcc565164f96730d0c57d33a6cc0c99a1389a21a871456a7623b1331d0811a68b19d1a87e9a82e9

          Download Submit

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
          Filesize

          342B

          MD5

          9da28e68d4585da0763b710768aea72a

          SHA1

          82cb419a41dca25c7ebef58cd9ea8d237c0b8f8e

          SHA256

          69bad7d082c35c13f16ad9bc4beb4644a1f0755d18d7c71d338b5b0df1a37002

          SHA512

          e23e9beda4e9b25033e0f3bf9555353aa3971dd7e6b79812b53da5eab1063315f708b648714f12f2eef3a86ce4713d59884b9b763186b6d87feabe1457b03e27

          Download Submit

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
          Filesize

          342B

          MD5

          7997cff41857f3d91b69f2f0537c1664

          SHA1

          2115573e0f71fc3f0e897b302a1d4a6696f2801b

          SHA256

          7f8d4e0074c336cae29889660b865cc82c5fb21f8625c48f792b6a06ad3526bf

          SHA512

          0bc5990723f8c007bcb53583422b842a4038087803c8b78803a323a176f1ddcac2bfce196ced73ec5f86c5b961f818d75e0d551f2a0bfd05daa220764c33d8e8

          Download Submit

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
          Filesize

          342B

          MD5

          009192cbee5bdc257ff3959153d9acdc

          SHA1

          41189b3b9647ed19aa13393af85ddad9d4d177e7

          SHA256

          f2fd0337dfaa28ad5bfae89a8f8a4ab33e23e683c1e1b79ce51e845967f38715

          SHA512

          96e4c4255a5a18f06e16cfd345e29ede83f72b363132add6f9e95a233dffbe290fe62c50c09068fb916f60cb73f152942c9c83a66ae421974fc5b097d1292f6d

          Download Submit

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
          Filesize

          342B

          MD5

          9c7565c6cda9d4bad321789584843d97

          SHA1

          106bfca9f6fd79bd041760cea7885a2e67bb08e8

          SHA256

          6a0da50f927fbbeea2944a02e89695480b3bfd501bff5167b8ad7a5a37ba1df5

          SHA512

          c98ec98ff1140e4031a073cfad85041f1375266d486ac777ef60501ffab44e514364afe4a19e9a06d6f67f9f589f0b3b034fbd66ad5315dc7b796c7f5f1b618e

          Download Submit

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
          Filesize

          342B

          MD5

          f45d9c1107e5af0d78df779986384340

          SHA1

          d02c6fc0adf6741cd61c61757d53732d9685d555

          SHA256

          ab1832715b05b79ac430d3879c72cdcec00a9b6da89a77cef0e14586904a7ad0

          SHA512

          b52f7477df0de81b7d5cce2aee179eda4e9f7ce0dc9763805fb2f3def39652054f571cebe291f68b3876130eef3e396fb75053fc588633838e5b71c6405600ca

          Download Submit

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
          Filesize

          342B

          MD5

          141b9fcebe18c820930e1d6178499031

          SHA1

          4726161387904f4fc6926de2d4ef654377f6f637

          SHA256

          9fe0db8f06355c86307ee017d9b43d11b74ba0c3a29c37db11f5fda12a4243a6

          SHA512

          4c62d9fcedbee8f9adf9951d37d88cef4d78b23fdb4f3a5a8a57d8f7ed5e3d5b8b858926518bc5c84b307a9b0ca0776c1d5c7fa5ada138e28c5ae7d3a0afe3c3

          Download Submit

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
          Filesize

          342B

          MD5

          fe84936bc9b46e761ffd2cb5ac2be9c7

          SHA1

          c7f376e40fdf2a90405fa2d454c79f22da637d7c

          SHA256

          4e439721ef4ebfb73960a0831f13d7921e482889f59708385feb19f835bcf532

          SHA512

          0b1e8d5e0069b01f8e6e093ac69e08a74c7f86e819881953c2abcde9f4d06d65fc423c744f51cafd1dae975749a8eecc20f1d812d7c6feef4209ac2a18890084

          Download Submit

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
          Filesize

          342B

          MD5

          d3ee69e43287bf79608da962f503f342

          SHA1

          adda5e8d9fa56d5bb801dd3dd78c6b379c7ddb07

          SHA256

          a2991a052c5e44d8375bc88a34e2b80de48807bc4453705194748254f4b4429d

          SHA512

          0cf41465dbc744dd29c49e6e66d522044d694d290c516bb0f67d68fd43dc10703a724b62b7662c4f0754de42cbc1f9e5fea5d73ebb26d717217dd1c1cbb42fbf

          Download Submit

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
          Filesize

          342B

          MD5

          922a62f5e7654ba420b457360b5a2d84

          SHA1

          ab8f4530fe584e48830e3668c4431ca1f5f90a65

          SHA256

          994249e18e9dfe49d0f6eb43eb08f6653d7aa162bdef9f09a1e6b33ede398912

          SHA512

          1000c823bc70d34ec7a1c23c4d4bcc39827828c67ed459a5a8c6923b1e677ed49a389e19d1039dd9023222dd23ab0b85ebc1d12769a413fc413c1098243a3e09

          Download Submit

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
          Filesize

          342B

          MD5

          c7a63b20e79effa9e099004339a2cecc

          SHA1

          0dfd49e803a648f444a41fff1d7aaa683e6d92de

          SHA256

          06d675a71e7232d1707e842a384e55e36eeb00e6a29f9edcc1e74dcd3fd243ac

          SHA512

          161f9330f20aec4361d3ae6bbc8abeaad13f2fae3fc16986171494565e48a667d924b38b0adee4c4dac7899e73942d85c39cf80ff35ccd5646e1352dc9174515

          Download Submit

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
          Filesize

          342B

          MD5

          d107df7a6713a103509da6244abf96f8

          SHA1

          2f41fee881a89f2f1bbae2a13a0b396b40af35e9

          SHA256

          b7ced9f0496e54bc25803eae5e8bb91ad859bc165b38db7b1099d328ebdc7b04

          SHA512

          13bf9c9e638a124c6c9b035771f181e805a86aa1d0f4889e7fb5d6e0afe01be73f1e512455f510644bf11716b8be580705934be56ee6036c322c2f9dc269962a

          Download Submit

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
          Filesize

          342B

          MD5

          9368c4c779bf728864b0a337250d0b50

          SHA1

          348fd1b6f28250331e3baeeee06d290317e03c31

          SHA256

          2eff3f642582981ca6174c468adfdf71593aa8afa36d7148a3a5183045b99544

          SHA512

          0170d17d5c0051ef6bb748ff5feb18580a285892b649a278e0b6460682e6979320e484fa9c02ae99b721bad5a8c85bae9a009d906df54ddd46094aaff5337349

          Download Submit

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
          Filesize

          342B

          MD5

          041327ba20b2338a00f4e3544c546583

          SHA1

          db6d34243f2d0a28fe072af2eaf9798d1ef2ed21

          SHA256

          ce646ce0fca21221bc5cf2fbf6de07e3e3a3de749908a5881f8cc54b23f5381c

          SHA512

          7bb4a5b33d79f1783469dcb06cd11b1633cd3fedbf89d971e9f1e6fae3f9fc71a1ce6de2663d72417ae6206af49badd7128b03a54ff0772fbf5437e600965699

          Download Submit

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
          Filesize

          342B

          MD5

          82a7d562a59aeb9497853b6d761fbaea

          SHA1

          7c2387e3d9e1615d9d32872ff92473cfbd39d6c4

          SHA256

          607c030beee120ea991953246b38b3d69869ab5bd68640e626958f570930fe0c

          SHA512

          5a190ac85ca91ead55db614fda3e2ca1b0678f970f3927f24ed0937e620be5d67ff754e19caab4cfc3ad1db8e11225fcd8f77b8b4892deee1305b54a7184e359

          Download Submit

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
          Filesize

          342B

          MD5

          e72cee991b1d65f4d9ede6cbc1f43988

          SHA1

          a217268af629a3f319ef770d4cd5408ba037c36b

          SHA256

          b4ffd3cfbc13b3987085df7ae634d41a26c36ba0190eb51692330135e6725e66

          SHA512

          1aaed33ef783cb3463a010510130d800b205106d5871a9901690b09f98db3fa8892230d1942b7028f6f4c098169ad9c40c9b36145916555b5891a3ccff51cc75

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\CabE5BE.tmp
          Filesize

          70KB

          MD5

          49aebf8cbd62d92ac215b2923fb1b9f5

          SHA1

          1723be06719828dda65ad804298d0431f6aff976

          SHA256

          b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

          SHA512

          bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\TarE67E.tmp
          Filesize

          181KB

          MD5

          4ea6026cf93ec6338144661bf1202cd1

          SHA1

          a1dec9044f750ad887935a01430bf49322fbdcb7

          SHA256

          8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

          SHA512

          6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

          Download Submit

        • C:\WINDOWS\windows.exe
          Filesize

          232KB

          MD5

          ae24fc52a6ab6fdbd547cf0af8cc66a5

          SHA1

          04471f3984af3e703ff7aaa75f9286bb523791d9

          SHA256

          53818f3cd4f16717364d9a5d77a9c62cc1313153c69c6e210f2c9bfd73992ded

          SHA512

          432a30028e5a84ab98b224f02b4d951d8f24585597a50690297212be704e191dbc494dad2dc025c928e8ab454b4f5e1937cd01a0d3ba1419844179f98857e344

          Download Submit

        • C:\system.exe
          Filesize

          232KB

          MD5

          1781819f40ef47f72eb7d76b14f880fb

          SHA1

          da3f56010825b554f3e3b15837854533f67b29ff

          SHA256

          7f45268019ec671a536270ab7129d94d84225333fd636b1c8e6cbe767b446187

          SHA512

          1c9c2cc09bafc517d9ac28dcb0d96da06c7a770cbc69edb4f9defb5519f024ed5a21e292c7c222d13b9cb5b6e40c88e425481fb5fe1e6d47e85860d7dfef612c

          Download Submit

        • memory/2368-0-0x0000000000400000-0x000000000043A000-memory.dmp

          Filesize

          232KB

          Download

        • memory/2368-444-0x0000000000400000-0x000000000043A000-memory.dmp

          Filesize

          232KB

          Download