Overview

overview

10

Static

static

8

ฺฺฺ�...�ฺ1m

windows10_x64

10

ฺฺฺ�...�ฺ1m

windows10_x64

10

ฺฺฺ�...�ฺ1m

windows10_x64

1

ฺฺฺ�...�ฺ1m

windows10_x64

8

ฺฺฺ�...�ฺ1m

windows10_x64

3

ฺฺฺ�...�ฺ1m

windows10_x64

1

ฺฺฺ�...�ฺ1m

windows10_x64

10

ฺฺฺ�...�ฺ1m

windows10_x64

10

ฺฺฺ�...�ฺ1m

windows10_x64

10

ฺฺฺ�...�ฺ1m

windows10_x64

10

ฺฺฺ�...�ฺ1m

windows10_x64

8

ฺฺฺ�...�ฺ1m

windows10_x64

1

ฺฺฺ�...�ฺ1m

windows10_x64

1

ฺฺฺ�...�ฺ1m

windows10_x64

10

ฺฺฺ�...�ฺ1m

windows10_x64

3

ฺฺฺ�...�ฺ1m

windows10_x64

1

ฺฺฺ�...�ฺ1m

windows10_x64

3

ฺฺฺ�...�ฺ1m

windows10_x64

10

ฺฺฺ�...�ฺ1m

windows10_x64

8

ฺฺฺ�...�ฺ1m

windows10_x64

10

ฺฺฺ�...�ฺ1m

windows10_x64

1

ฺฺฺ�...�ฺ1m

windows10_x64

1

ฺฺฺ�...�ฺ1m

windows10_x64

10

ฺฺฺ�...�ฺ1m

windows10_x64

10

ฺฺฺ�...�ฺ1m

windows10_x64

1

ฺฺฺ�...�ฺ1m

windows10_x64

3

Resubmissions

18-11-2020 14:18

201118-dj27sn3f52 10

18-11-2020 13:42

201118-1arz86e7w6 10

18-11-2020 13:38

201118-n8jh228ctn 10

Analysis

  • max time kernel
    61s
  • max time network
    79s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    18-11-2020 13:38

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Archive.zip__ccacaxs2tbz2t6ob3e.bin.exe

Score
8/10
discoverypersistencespywarestealer

Malware Config

Signatures

  • Creates new service(s) 1 TTPs
    persistence
  • Downloads MZ/PE file
  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 58 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in Program Files directory 64 IoCs
  • Launches sc.exe

    Sc.exe is a Windows utlilty to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies data under HKEY_USERS 10 IoCs
  • Modifies system certificate store 2 TTPs 5 IoCs
    evasionspywaretrojan
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Archive.zip__ccacaxs2tbz2t6ob3e.bin.exe
    "C:\Users\Admin\AppData\Local\Temp\Archive.zip__ccacaxs2tbz2t6ob3e.bin.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:508
    • C:\Users\Admin\AppData\Local\Temp\Temp\WCInstaller.exe
      C:\Users\Admin\AppData\Local\Temp\Temp\WCInstaller.exe --silent --partner=AE190201 --homepage=1 --search=1 --campaign=292
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:2532
      • C:\Users\Admin\AppData\Local\Temp\7zS4E9D11D4\WebCompanionInstaller.exe
        .\WebCompanionInstaller.exe --partner=AE190201 --campaign=292 --version=7.0.2354.4185 --prod --silent --partner=AE190201 --homepage=1 --search=1 --campaign=292
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Drops file in Program Files directory
        • Modifies system certificate store
        • Suspicious use of WriteProcessMemory
        PID:3032
        • C:\Windows\SysWOW64\sc.exe
          "sc.exe" Create "WCAssistantService" binPath= "C:\Program Files (x86)\Lavasoft\Web Companion\Application\Lavasoft.WCAssistant.WinService.exe" DisplayName= "WC Assistant" start= auto
          4⤵
            PID:1772
          • C:\Windows\SysWOW64\sc.exe
            "sc.exe" failure WCAssistantService reset= 30 actions= restart/60000
            4⤵
              PID:2236
            • C:\Windows\SysWOW64\sc.exe
              "sc.exe" description "WCAssistantService" "Ad-Aware Web Companion Internet security service"
              4⤵
                PID:2564
              • C:\Windows\SysWOW64\cmd.exe
                "C:\Windows\System32\cmd.exe" /C netsh http add urlacl url=http://+:9007/ user=Everyone
                4⤵
                • Suspicious use of WriteProcessMemory
                PID:1900
                • C:\Windows\SysWOW64\netsh.exe
                  netsh http add urlacl url=http://+:9007/ user=Everyone
                  5⤵
                    PID:4060
                • C:\Program Files (x86)\Lavasoft\Web Companion\Application\WebCompanion.exe
                  "C:\Program Files (x86)\Lavasoft\Web Companion\Application\WebCompanion.exe" --silent --install --geo=
                  4⤵
                  • Executes dropped EXE
                  • Loads dropped DLL
                  • Adds Run key to start application
                  • Suspicious use of AdjustPrivilegeToken
                  PID:3696
          • C:\Program Files (x86)\Lavasoft\Web Companion\Application\Lavasoft.WCAssistant.WinService.exe
            "C:\Program Files (x86)\Lavasoft\Web Companion\Application\Lavasoft.WCAssistant.WinService.exe"
            1⤵
            • Executes dropped EXE
            • Modifies data under HKEY_USERS
            PID:3040

          Network

          MITRE ATT&CK Enterprise v6

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • memory/3040-106-0x00007FF808200000-0x00007FF808BA0000-memory.dmp

            Filesize

            9.6MB

            Download

          • memory/3696-97-0x000000006F490000-0x000000006FB7E000-memory.dmp

            Filesize

            6.9MB

            Download

          • memory/3696-100-0x000000000CE60000-0x000000000CE61000-memory.dmp

            Filesize

            4KB

            Download