Overview

overview

10

Static

static

10

ฺฺฺK...ฺฺ

windows10_x64

10

ฺฺฺK...ฺฺ

windows10_x64

10

ฺฺฺK...ฺฺ

windows10_x64

10

ฺฺฺK...ฺฺ

windows10_x64

10

ฺฺฺK...ฺฺ

windows10_x64

10

ฺฺฺK...ฺฺ

windows10_x64

10

ฺฺฺK...ฺฺ

windows10_x64

ฺฺฺK...ฺฺ

windows10_x64

10

ฺฺฺK...ฺฺ

windows10_x64

ฺฺฺK...ฺฺ

windows10_x64

10

ฺฺฺK...ฺฺ

windows10_x64

10

ฺฺฺK...ฺฺ

windows10_x64

10

ฺฺฺK...ฺฺ

windows10_x64

1

ฺฺฺK...ฺฺ

windows10_x64

8

ฺฺฺK...ฺฺ

windows10_x64

3

ฺฺฺK...ฺฺ

windows10_x64

10

ฺฺฺK...ฺฺ

windows10_x64

10

ฺฺฺK...ฺฺ

windows10_x64

10

ฺฺฺK...ฺฺ

windows10_x64

1

ฺฺฺK...ฺฺ

windows10_x64

10

ฺฺฺK...ฺฺ

windows10_x64

10

ฺฺฺK...ฺฺ

windows10_x64

10

ฺฺฺK...ฺฺ

windows10_x64

9

ฺฺฺK...ฺฺ

windows10_x64

8

ฺฺฺK...ฺฺ

windows10_x64

1

ฺฺฺK...ฺฺ

windows10_x64

10

ฺฺฺK...ฺฺ

windows10_x64

1

ฺฺฺK...ฺฺ

windows10_x64

8

ฺฺฺK...ฺฺ

windows10_x64

ฺฺฺK...ฺฺ

windows10_x64

10

ฺฺฺK...ฺฺ

windows10_x64

ฺฺฺK...ฺฺ

windows10_x64

Analysis

  • max time kernel
    1798s
  • max time network
    1810s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    20-11-2020 14:34

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Archive.zip__ccacaxs2tbz2t6ob3e.exe

Score
8/10
discoverypersistencespywarestealer

Malware Config

Signatures

  • Creates new service(s) 1 TTPs
    persistence
  • Downloads MZ/PE file
  • Executes dropped EXE 7 IoCs
  • Loads dropped DLL 64 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Drops desktop.ini file(s) 2 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in System32 directory 4 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 7 IoCs
  • Launches sc.exe

    Sc.exe is a Windows utlilty to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies Internet Explorer settings 1 TTPs 12 IoCs
    adwarespyware
  • Modifies Internet Explorer start page 1 TTPs 1 IoCs
    stealer
  • Modifies data under HKEY_USERS 54 IoCs
  • Modifies system certificate store 2 TTPs 9 IoCs
    evasionspywaretrojan
  • Suspicious behavior: EnumeratesProcesses 15 IoCs
  • Suspicious use of AdjustPrivilegeToken 15 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SendNotifyMessage 1 IoCs
  • Suspicious use of WriteProcessMemory 53 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Archive.zip__ccacaxs2tbz2t6ob3e.exe
    "C:\Users\Admin\AppData\Local\Temp\Archive.zip__ccacaxs2tbz2t6ob3e.exe"
    1⤵
    • Modifies system certificate store
    • Suspicious use of WriteProcessMemory
    PID:3812
    • C:\Users\Admin\AppData\Local\Temp\Temp\WCInstaller.exe
      C:\Users\Admin\AppData\Local\Temp\Temp\WCInstaller.exe --silent --partner=AE190201 --homepage=1 --search=1 --campaign=292
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:3588
      • C:\Users\Admin\AppData\Local\Temp\7zS40E87735\WebCompanionInstaller.exe
        .\WebCompanionInstaller.exe --partner=AE190201 --campaign=292 --version=7.0.2354.4185 --prod --silent --partner=AE190201 --homepage=1 --search=1 --campaign=292
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Drops file in Program Files directory
        • Drops file in Windows directory
        • Modifies system certificate store
        • Suspicious use of WriteProcessMemory
        PID:2312
        • C:\Windows\SysWOW64\sc.exe
          "sc.exe" Create "WCAssistantService" binPath= "C:\Program Files (x86)\Lavasoft\Web Companion\Application\Lavasoft.WCAssistant.WinService.exe" DisplayName= "WC Assistant" start= auto
          4⤵
            PID:3024
          • C:\Windows\SysWOW64\sc.exe
            "sc.exe" failure WCAssistantService reset= 30 actions= restart/60000
            4⤵
              PID:3960
            • C:\Windows\SysWOW64\sc.exe
              "sc.exe" description "WCAssistantService" "Ad-Aware Web Companion Internet security service"
              4⤵
                PID:1660
              • C:\Windows\SysWOW64\cmd.exe
                "C:\Windows\System32\cmd.exe" /C netsh http add urlacl url=http://+:9007/ user=Everyone
                4⤵
                • Suspicious use of WriteProcessMemory
                PID:4088
                • C:\Windows\SysWOW64\netsh.exe
                  netsh http add urlacl url=http://+:9007/ user=Everyone
                  5⤵
                    PID:2356
                • C:\Program Files (x86)\Lavasoft\Web Companion\Application\WebCompanion.exe
                  "C:\Program Files (x86)\Lavasoft\Web Companion\Application\WebCompanion.exe" --silent --install --geo=
                  4⤵
                  • Executes dropped EXE
                  • Loads dropped DLL
                  • Adds Run key to start application
                  • Drops desktop.ini file(s)
                  • Drops file in Windows directory
                  • Modifies Internet Explorer settings
                  • Modifies Internet Explorer start page
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:204
                  • C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
                    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\8g0uqmxw.cmdline"
                    5⤵
                    • Suspicious use of WriteProcessMemory
                    PID:3472
                    • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
                      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCE2F.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCCE2E.tmp"
                      6⤵
                        PID:4000
                    • C:\Program Files (x86)\Lavasoft\Web Companion\Application\Ad-Aware Web Companion.exe
                      "C:\Program Files (x86)\Lavasoft\Web Companion\Application\Ad-Aware Web Companion.exe" {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
                      5⤵
                      • Executes dropped EXE
                      PID:3272
                  • C:\Program Files (x86)\Lavasoft\Web Companion\Application\WebCompanion.exe
                    "C:\Program Files (x86)\Lavasoft\Web Companion\Application\WebCompanion.exe" --silent --afterinstall
                    4⤵
                    • Executes dropped EXE
                    • Suspicious behavior: EnumeratesProcesses
                    • Suspicious use of AdjustPrivilegeToken
                    • Suspicious use of FindShellTrayWindow
                    • Suspicious use of SendNotifyMessage
                    • Suspicious use of WriteProcessMemory
                    PID:1400
                    • C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
                      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\xrqiljnr.cmdline"
                      5⤵
                      • Suspicious use of WriteProcessMemory
                      PID:4092
                      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
                        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE067.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCE066.tmp"
                        6⤵
                          PID:3956
                • C:\Users\Admin\AppData\Local\Temp\6ACF.tmp.exe
                  C:\Users\Admin\AppData\Local\Temp\6ACF.tmp.exe
                  2⤵
                  • Executes dropped EXE
                  PID:2680
              • C:\Program Files (x86)\Lavasoft\Web Companion\Application\Lavasoft.WCAssistant.WinService.exe
                "C:\Program Files (x86)\Lavasoft\Web Companion\Application\Lavasoft.WCAssistant.WinService.exe"
                1⤵
                • Executes dropped EXE
                • Drops file in System32 directory
                • Modifies data under HKEY_USERS
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:852
                • C:\Windows\System32\cmd.exe
                  "C:\Windows\System32\cmd.exe" /C netsh http add urlacl url=http://+:9007/ user=Everyone
                  2⤵
                  • Suspicious use of WriteProcessMemory
                  PID:2912
                  • C:\Windows\system32\netsh.exe
                    netsh http add urlacl url=http://+:9007/ user=Everyone
                    3⤵
                    • Modifies data under HKEY_USERS
                    PID:3368
                • C:\Windows\Microsoft.NET\Framework64\v3.5\csc.exe
                  "C:\Windows\Microsoft.NET\Framework64\v3.5\csc.exe" /noconfig /fullpaths @"C:\Windows\TEMP\ic1y0db6.cmdline"
                  2⤵
                  • Suspicious use of WriteProcessMemory
                  PID:2128
                  • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
                    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Windows\TEMP\RESF520.tmp" "c:\Windows\Temp\CSCF51F.tmp"
                    3⤵
                      PID:3176
                • C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe
                  C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe
                  1⤵
                    PID:1452

                  Network

                  MITRE ATT&CK Enterprise v6

                  Replay Monitor

                  Loading Replay Monitor...

                  Downloads

                  • memory/204-100-0x000000000D3B0000-0x000000000D3B1000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/204-97-0x00000000700E0000-0x00000000707CE000-memory.dmp

                    Filesize

                    6.9MB

                    Download

                  • memory/852-106-0x00007FF98B060000-0x00007FF98BA00000-memory.dmp

                    Filesize

                    9.6MB

                    Download

                  • memory/1400-217-0x000000000A330000-0x000000000A340000-memory.dmp

                    Filesize

                    64KB

                    Download

                  • memory/1400-241-0x0000000014AF0000-0x0000000014AF1000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/1400-232-0x000000000D5C0000-0x000000000D5C1000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/1400-229-0x000000006F7C0000-0x000000006FEAE000-memory.dmp

                    Filesize

                    6.9MB

                    Download

                  • memory/1452-196-0x00007FF98B060000-0x00007FF98BA00000-memory.dmp

                    Filesize

                    9.6MB

                    Download