Analysis

  • max time kernel
    121s
  • max time network
    156s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
  • submitted
    18-08-2024 04:05

General

  • Target

    a10e94d8588f4198a1c710fa4b4179f33276779867174bd1c26b41d77326a402.exe

  • Size

    10.0MB

  • MD5

    03fed00b3336e975f1b78c6f892611bf

  • SHA1

    54f47c13621337639817d5cb94bee5427c10f541

  • SHA256

    a10e94d8588f4198a1c710fa4b4179f33276779867174bd1c26b41d77326a402

  • SHA512

    96c3ccb18a6fca09e5c75bd6bab87c753fccd87823fbcb929244e8f3ed753501befb5aa803a2a80edec1aa7baf72968ccfd0445463a566233f4b74e0bc74f4c9

  • SSDEEP

    196608:idhC9f7gJUDVPwKk98PuJdA+NVRDPImrRz2k/IRrhB19zLckEVoQs:idamwV4pfq+NVmmrRSk/er19zLc3oQs

Malware Config

Signatures

  • Downloads MZ/PE file
  • Checks for any installed AV software in registry 1 TTPs 4 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies Internet Explorer Phishing Filter 1 TTPs 2 IoCs
  • Modifies Internet Explorer settings 1 TTPs 36 IoCs
  • Suspicious behavior: EnumeratesProcesses 25 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a10e94d8588f4198a1c710fa4b4179f33276779867174bd1c26b41d77326a402.exe
    "C:\Users\Admin\AppData\Local\Temp\a10e94d8588f4198a1c710fa4b4179f33276779867174bd1c26b41d77326a402.exe"
    1⤵
    • Checks for any installed AV software in registry
    • Writes to the Master Boot Record (MBR)
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1620
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" http://down.360safe.com/setupbeta.exe
      2⤵
      • Modifies Internet Explorer Phishing Filter
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2640
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2640 CREDAT:275457 /prefetch:2
        3⤵
        • System Location Discovery: System Language Discovery
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:2820

Network

MITRE ATT&CK Enterprise v15

Downloads
