Analysis
-
max time kernel
130s -
max time network
147s -
platform
windows7_x64 -
resource
win7 -
submitted
30-06-2020 06:53
General
-
Target
รูปภาพที่ต้องลบ.exe
-
Size
24.4MB
-
MD5
60e8c8216af0a6c159364a3cfebc1f1b
-
SHA1
ffd81aa28975dfd4f8e09aa55863c569f6c37037
-
SHA256
12d14cc1f1d29e131b94659bd8830ce0afe855973f36648929f6bdc7dab4b87f
-
SHA512
8852553899c83a5d922ca78048b8a37f0a014501796044f1c826b68599365cde0f9046351bffe1f09d07707b2f5049c12dd0dc5a949da076160d7ef44562f403
Score
7/10
Malware Config
Signatures
-
Modifies Internet Explorer settings 1 TTPs 42 IoCs
-
Suspicious use of WriteProcessMemory 12 IoCs
-
Loads dropped DLL 37 IoCs
-
Suspicious use of SetWindowsHookEx 7 IoCs
-
Suspicious use of FindShellTrayWindow 2 IoCs
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Checks whether UAC is enabled 2 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\รูปภาพที่ต้องลบ.exe"C:\Users\Admin\AppData\Local\Temp\รูปภาพที่ต้องลบ.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\รูปภาพที่ต้องลบ.exe"C:\Users\Admin\AppData\Local\Temp\รูปภาพที่ต้องลบ.exe"2⤵
- Suspicious use of WriteProcessMemory
- Loads dropped DLL
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" https://pastebin.com/raw/K9DwMHWa3⤵
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
- Suspicious use of SetWindowsHookEx
- Suspicious use of FindShellTrayWindow
- Checks whether UAC is enabled
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1644 CREDAT:275457 /prefetch:24⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
- Checks whether UAC is enabled
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\อ่านวิธีแก้ไฟล์โดนล๊อค.txt1⤵
-
C:\Windows\explorer.exe"C:\Windows\explorer.exe"1⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
-
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\j8hu3ld\imagestore.dat
-
C:\Users\Admin\AppData\Local\Temp\_MEI1122\Crypto\Cipher\_Salsa20.cp38-win32.pyd
-
C:\Users\Admin\AppData\Local\Temp\_MEI1122\Crypto\Cipher\_raw_aes.cp38-win32.pyd
-
C:\Users\Admin\AppData\Local\Temp\_MEI1122\Crypto\Cipher\_raw_cbc.cp38-win32.pyd
-
C:\Users\Admin\AppData\Local\Temp\_MEI1122\Crypto\Cipher\_raw_cfb.cp38-win32.pyd
-
C:\Users\Admin\AppData\Local\Temp\_MEI1122\Crypto\Cipher\_raw_ctr.cp38-win32.pyd
-
C:\Users\Admin\AppData\Local\Temp\_MEI1122\Crypto\Cipher\_raw_ecb.cp38-win32.pyd
-
C:\Users\Admin\AppData\Local\Temp\_MEI1122\Crypto\Cipher\_raw_ocb.cp38-win32.pyd
-
C:\Users\Admin\AppData\Local\Temp\_MEI1122\Crypto\Cipher\_raw_ofb.cp38-win32.pyd
-
C:\Users\Admin\AppData\Local\Temp\_MEI1122\Crypto\Hash\_BLAKE2s.cp38-win32.pyd
-
C:\Users\Admin\AppData\Local\Temp\_MEI1122\Crypto\Hash\_MD5.cp38-win32.pyd
-
C:\Users\Admin\AppData\Local\Temp\_MEI1122\Crypto\Hash\_SHA1.cp38-win32.pyd
-
C:\Users\Admin\AppData\Local\Temp\_MEI1122\Crypto\Hash\_SHA256.cp38-win32.pyd
-
C:\Users\Admin\AppData\Local\Temp\_MEI1122\Crypto\Hash\_ghash_portable.cp38-win32.pyd
-
C:\Users\Admin\AppData\Local\Temp\_MEI1122\Crypto\Protocol\_scrypt.cp38-win32.pyd
-
C:\Users\Admin\AppData\Local\Temp\_MEI1122\Crypto\Util\_cpuid_c.cp38-win32.pyd
-
C:\Users\Admin\AppData\Local\Temp\_MEI1122\Crypto\Util\_strxor.cp38-win32.pyd
-
C:\Users\Admin\AppData\Local\Temp\_MEI1122\VCRUNTIME140.dll
-
C:\Users\Admin\AppData\Local\Temp\_MEI1122\_bz2.pyd
-
C:\Users\Admin\AppData\Local\Temp\_MEI1122\_cffi_backend.cp38-win32.pyd
-
C:\Users\Admin\AppData\Local\Temp\_MEI1122\_ctypes.pyd
-
C:\Users\Admin\AppData\Local\Temp\_MEI1122\_hashlib.pyd
-
C:\Users\Admin\AppData\Local\Temp\_MEI1122\_lzma.pyd
-
C:\Users\Admin\AppData\Local\Temp\_MEI1122\_queue.pyd
-
C:\Users\Admin\AppData\Local\Temp\_MEI1122\_socket.pyd
-
C:\Users\Admin\AppData\Local\Temp\_MEI1122\_ssl.pyd
-
C:\Users\Admin\AppData\Local\Temp\_MEI1122\base_library.zip
-
C:\Users\Admin\AppData\Local\Temp\_MEI1122\certifi\cacert.pem
-
C:\Users\Admin\AppData\Local\Temp\_MEI1122\cryptography\hazmat\bindings\_constant_time.cp38-win32.pyd
-
C:\Users\Admin\AppData\Local\Temp\_MEI1122\cryptography\hazmat\bindings\_openssl.cp38-win32.pyd
-
C:\Users\Admin\AppData\Local\Temp\_MEI1122\libcrypto-1_1.dll
-
C:\Users\Admin\AppData\Local\Temp\_MEI1122\libffi-7.dll
-
C:\Users\Admin\AppData\Local\Temp\_MEI1122\libssl-1_1.dll
-
C:\Users\Admin\AppData\Local\Temp\_MEI1122\pyexpat.pyd
-
C:\Users\Admin\AppData\Local\Temp\_MEI1122\python38.dll
-
C:\Users\Admin\AppData\Local\Temp\_MEI1122\pythoncom38.dll
-
C:\Users\Admin\AppData\Local\Temp\_MEI1122\pywintypes38.dll
-
C:\Users\Admin\AppData\Local\Temp\_MEI1122\select.pyd
-
C:\Users\Admin\AppData\Local\Temp\_MEI1122\unicodedata.pyd
-
C:\Users\Admin\AppData\Local\Temp\_MEI1122\win32api.pyd
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\T2ZG641A.txt
-
C:\Users\Admin\Desktop\อ่านวิธีแก้ไฟล์โดนล๊อค.txt
-
\Users\Admin\AppData\Local\Temp\_MEI1122\Crypto\Cipher\_Salsa20.cp38-win32.pyd
-
\Users\Admin\AppData\Local\Temp\_MEI1122\Crypto\Cipher\_raw_aes.cp38-win32.pyd
-
\Users\Admin\AppData\Local\Temp\_MEI1122\Crypto\Cipher\_raw_cbc.cp38-win32.pyd
-
\Users\Admin\AppData\Local\Temp\_MEI1122\Crypto\Cipher\_raw_cfb.cp38-win32.pyd
-
\Users\Admin\AppData\Local\Temp\_MEI1122\Crypto\Cipher\_raw_ctr.cp38-win32.pyd
-
\Users\Admin\AppData\Local\Temp\_MEI1122\Crypto\Cipher\_raw_ecb.cp38-win32.pyd
-
\Users\Admin\AppData\Local\Temp\_MEI1122\Crypto\Cipher\_raw_ocb.cp38-win32.pyd
-
\Users\Admin\AppData\Local\Temp\_MEI1122\Crypto\Cipher\_raw_ofb.cp38-win32.pyd
-
\Users\Admin\AppData\Local\Temp\_MEI1122\Crypto\Hash\_BLAKE2s.cp38-win32.pyd
-
\Users\Admin\AppData\Local\Temp\_MEI1122\Crypto\Hash\_MD5.cp38-win32.pyd
-
\Users\Admin\AppData\Local\Temp\_MEI1122\Crypto\Hash\_SHA1.cp38-win32.pyd
-
\Users\Admin\AppData\Local\Temp\_MEI1122\Crypto\Hash\_SHA256.cp38-win32.pyd
-
\Users\Admin\AppData\Local\Temp\_MEI1122\Crypto\Hash\_ghash_portable.cp38-win32.pyd
-
\Users\Admin\AppData\Local\Temp\_MEI1122\Crypto\Protocol\_scrypt.cp38-win32.pyd
-
\Users\Admin\AppData\Local\Temp\_MEI1122\Crypto\Util\_cpuid_c.cp38-win32.pyd
-
\Users\Admin\AppData\Local\Temp\_MEI1122\Crypto\Util\_strxor.cp38-win32.pyd
-
\Users\Admin\AppData\Local\Temp\_MEI1122\VCRUNTIME140.dll
-
\Users\Admin\AppData\Local\Temp\_MEI1122\_bz2.pyd
-
\Users\Admin\AppData\Local\Temp\_MEI1122\_cffi_backend.cp38-win32.pyd
-
\Users\Admin\AppData\Local\Temp\_MEI1122\_ctypes.pyd
-
\Users\Admin\AppData\Local\Temp\_MEI1122\_hashlib.pyd
-
\Users\Admin\AppData\Local\Temp\_MEI1122\_lzma.pyd
-
\Users\Admin\AppData\Local\Temp\_MEI1122\_queue.pyd
-
\Users\Admin\AppData\Local\Temp\_MEI1122\_socket.pyd
-
\Users\Admin\AppData\Local\Temp\_MEI1122\_ssl.pyd
-
\Users\Admin\AppData\Local\Temp\_MEI1122\cryptography\hazmat\bindings\_constant_time.cp38-win32.pyd
-
\Users\Admin\AppData\Local\Temp\_MEI1122\cryptography\hazmat\bindings\_openssl.cp38-win32.pyd
-
\Users\Admin\AppData\Local\Temp\_MEI1122\libcrypto-1_1.dll
-
\Users\Admin\AppData\Local\Temp\_MEI1122\libffi-7.dll
-
\Users\Admin\AppData\Local\Temp\_MEI1122\libssl-1_1.dll
-
\Users\Admin\AppData\Local\Temp\_MEI1122\pyexpat.pyd
-
\Users\Admin\AppData\Local\Temp\_MEI1122\python38.dll
-
\Users\Admin\AppData\Local\Temp\_MEI1122\pythoncom38.dll
-
\Users\Admin\AppData\Local\Temp\_MEI1122\pywintypes38.dll
-
\Users\Admin\AppData\Local\Temp\_MEI1122\select.pyd
-
\Users\Admin\AppData\Local\Temp\_MEI1122\unicodedata.pyd
-
\Users\Admin\AppData\Local\Temp\_MEI1122\win32api.pyd
-
memory/528-78-0x0000000000000000-mapping.dmp
-
memory/596-0-0x0000000000000000-mapping.dmp
-
memory/1644-77-0x0000000000000000-mapping.dmp