Resubmissions

03-07-2024 16:04

240703-thygmaycpc 10

01-07-2024 18:12

240701-ws6xvswbkj 10

01-07-2024 18:03

240701-wm5sls1gka 10

01-07-2024 18:03

240701-wm39sa1gjf 10

01-07-2024 18:03

240701-wm2e7avhkj 10

01-07-2024 18:03

240701-wmzxcs1fre 10

01-07-2024 18:02

240701-wmzats1frc 10

01-07-2024 18:02

240701-wmvbwa1fqh 10

22-11-2023 17:02

231122-vkac9adg64 10

Analysis

  • max time kernel
    513s
  • max time network
    525s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    19-11-2020 13:14

General

  • Target

    Archive.zip__ccacaxs2tbz2t6ob3e.exe

Malware Config

Signatures

  • Creates new service(s) 1 TTPs
  • Downloads MZ/PE file
  • Executes dropped EXE 7 IoCs
  • Loads dropped DLL 64 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Drops desktop.ini file(s) 2 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in System32 directory 4 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 7 IoCs
  • Launches sc.exe

    Sc.exe is a Windows utlilty to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies Internet Explorer settings 1 TTPs 12 IoCs
  • Modifies Internet Explorer start page 1 TTPs 1 IoCs
  • Modifies data under HKEY_USERS 54 IoCs
  • Modifies system certificate store 2 TTPs 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 15 IoCs
  • Suspicious use of AdjustPrivilegeToken 15 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SendNotifyMessage 1 IoCs
  • Suspicious use of WriteProcessMemory 53 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Archive.zip__ccacaxs2tbz2t6ob3e.exe
    "C:\Users\Admin\AppData\Local\Temp\Archive.zip__ccacaxs2tbz2t6ob3e.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1108
    • C:\Users\Admin\AppData\Local\Temp\Temp\WCInstaller.exe
      C:\Users\Admin\AppData\Local\Temp\Temp\WCInstaller.exe --silent --partner=AE190201 --homepage=1 --search=1 --campaign=292
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:3400
      • C:\Users\Admin\AppData\Local\Temp\7zS84D416F4\WebCompanionInstaller.exe
        .\WebCompanionInstaller.exe --partner=AE190201 --campaign=292 --version=7.0.2354.4185 --prod --silent --partner=AE190201 --homepage=1 --search=1 --campaign=292
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Drops file in Program Files directory
        • Drops file in Windows directory
        • Modifies system certificate store
        • Suspicious use of WriteProcessMemory
        PID:2892
        • C:\Windows\SysWOW64\sc.exe
          "sc.exe" Create "WCAssistantService" binPath= "C:\Program Files (x86)\Lavasoft\Web Companion\Application\Lavasoft.WCAssistant.WinService.exe" DisplayName= "WC Assistant" start= auto
          4⤵
            PID:3060
          • C:\Windows\SysWOW64\sc.exe
            "sc.exe" failure WCAssistantService reset= 30 actions= restart/60000
            4⤵
              PID:2772
            • C:\Windows\SysWOW64\sc.exe
              "sc.exe" description "WCAssistantService" "Ad-Aware Web Companion Internet security service"
              4⤵
                PID:2748
              • C:\Windows\SysWOW64\cmd.exe
                "C:\Windows\System32\cmd.exe" /C netsh http add urlacl url=http://+:9007/ user=Everyone
                4⤵
                • Suspicious use of WriteProcessMemory
                PID:3944
                • C:\Windows\SysWOW64\netsh.exe
                  netsh http add urlacl url=http://+:9007/ user=Everyone
                  5⤵
                    PID:1856
                • C:\Program Files (x86)\Lavasoft\Web Companion\Application\WebCompanion.exe
                  "C:\Program Files (x86)\Lavasoft\Web Companion\Application\WebCompanion.exe" --silent --install --geo=
                  4⤵
                  • Executes dropped EXE
                  • Loads dropped DLL
                  • Adds Run key to start application
                  • Drops desktop.ini file(s)
                  • Drops file in Windows directory
                  • Modifies Internet Explorer settings
                  • Modifies Internet Explorer start page
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:2632
                  • C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
                    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\7zowtfll.cmdline"
                    5⤵
                    • Suspicious use of WriteProcessMemory
                    PID:3820
                    • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
                      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3971.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC3970.tmp"
                      6⤵
                        PID:1880
                    • C:\Program Files (x86)\Lavasoft\Web Companion\Application\Ad-Aware Web Companion.exe
                      "C:\Program Files (x86)\Lavasoft\Web Companion\Application\Ad-Aware Web Companion.exe" {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
                      5⤵
                      • Executes dropped EXE
                      PID:4276
                  • C:\Program Files (x86)\Lavasoft\Web Companion\Application\WebCompanion.exe
                    "C:\Program Files (x86)\Lavasoft\Web Companion\Application\WebCompanion.exe" --silent --afterinstall
                    4⤵
                    • Executes dropped EXE
                    • Suspicious behavior: EnumeratesProcesses
                    • Suspicious use of AdjustPrivilegeToken
                    • Suspicious use of FindShellTrayWindow
                    • Suspicious use of SendNotifyMessage
                    • Suspicious use of WriteProcessMemory
                    PID:4432
                    • C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
                      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\-imuaq-m.cmdline"
                      5⤵
                      • Suspicious use of WriteProcessMemory
                      PID:4144
                      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
                        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES407D.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC407C.tmp"
                        6⤵
                          PID:4240
                • C:\Users\Admin\AppData\Local\Temp\CA1A.tmp.exe
                  C:\Users\Admin\AppData\Local\Temp\CA1A.tmp.exe
                  2⤵
                  • Executes dropped EXE
                  PID:4936
              • C:\Program Files (x86)\Lavasoft\Web Companion\Application\Lavasoft.WCAssistant.WinService.exe
                "C:\Program Files (x86)\Lavasoft\Web Companion\Application\Lavasoft.WCAssistant.WinService.exe"
                1⤵
                • Executes dropped EXE
                • Drops file in System32 directory
                • Modifies data under HKEY_USERS
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:3924
                • C:\Windows\System32\cmd.exe
                  "C:\Windows\System32\cmd.exe" /C netsh http add urlacl url=http://+:9007/ user=Everyone
                  2⤵
                  • Suspicious use of WriteProcessMemory
                  PID:1032
                  • C:\Windows\system32\netsh.exe
                    netsh http add urlacl url=http://+:9007/ user=Everyone
                    3⤵
                    • Modifies data under HKEY_USERS
                    PID:3892
                • C:\Windows\Microsoft.NET\Framework64\v3.5\csc.exe
                  "C:\Windows\Microsoft.NET\Framework64\v3.5\csc.exe" /noconfig /fullpaths @"C:\Windows\TEMP\5qfar25f.cmdline"
                  2⤵
                  • Suspicious use of WriteProcessMemory
                  PID:4180
                  • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
                    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Windows\TEMP\RES56EC.tmp" "c:\Windows\Temp\CSC56EB.tmp"
                    3⤵
                      PID:4236
                • C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe
                  C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe
                  1⤵
                    PID:4860

                  Network

                  MITRE ATT&CK Enterprise v6

                  Replay Monitor

                  Loading Replay Monitor...

                  Downloads

                  • memory/2632-97-0x000000006F3C0000-0x000000006FAAE000-memory.dmp

                    Filesize

                    6.9MB

                  • memory/2632-100-0x000000000ADC0000-0x000000000ADC1000-memory.dmp

                    Filesize

                    4KB

                  • memory/3924-106-0x00007FFC44690000-0x00007FFC45030000-memory.dmp

                    Filesize

                    9.6MB

                  • memory/4432-198-0x000000006F740000-0x000000006FE2E000-memory.dmp

                    Filesize

                    6.9MB

                  • memory/4432-241-0x000000000EBB0000-0x000000000EBB1000-memory.dmp

                    Filesize

                    4KB

                  • memory/4432-253-0x000000000EBB0000-0x000000000EBC0000-memory.dmp

                    Filesize

                    64KB

                  • memory/4432-201-0x000000000CF50000-0x000000000CF51000-memory.dmp

                    Filesize

                    4KB

                  • memory/4860-217-0x00007FFC44690000-0x00007FFC45030000-memory.dmp

                    Filesize

                    9.6MB