Analysis

  • max time kernel
    151s
  • max time network
    150s
  • platform
    windows10_x64
  • resource
    win10-en-20211014
  • submitted
    28-10-2021 16:47

General

  • Target

    a6936625e74d09e2118a9b0a475bf9391495f047f046f7b63cfc319adebbc25f.exe

  • Size

    5.5MB

  • MD5

    d07ccea4f401887ff1106c08c42e8110

  • SHA1

    79510087ee93e64cbbcb930ef6e61e620d619539

  • SHA256

    a6936625e74d09e2118a9b0a475bf9391495f047f046f7b63cfc319adebbc25f

  • SHA512

    96841848dafa59b9dc1f963c04550e72b2bb8a30818f90c639b2aff5978322b077c84bea0204b6027fc591f9914f9df8e5a4cac13e7059eba9795dc261b03e1a

Malware Config

Signatures

  • Executes dropped EXE 3 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up the country code configured in the registry, likely for geofencing.

  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials and other sensitive data.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Drops file in Program Files directory 37 IoCs
  • Drops file in Windows directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Modifies Internet Explorer settings 1 TTPs 3 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: MapViewOfSection 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 17 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SendNotifyMessage 2 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 41 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a6936625e74d09e2118a9b0a475bf9391495f047f046f7b63cfc319adebbc25f.exe
    "C:\Users\Admin\AppData\Local\Temp\a6936625e74d09e2118a9b0a475bf9391495f047f046f7b63cfc319adebbc25f.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2680
    • C:\Users\Admin\AppData\Local\Temp\is-H7PJQ.tmp\a6936625e74d09e2118a9b0a475bf9391495f047f046f7b63cfc319adebbc25f.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-H7PJQ.tmp\a6936625e74d09e2118a9b0a475bf9391495f047f046f7b63cfc319adebbc25f.tmp" /SL5="$30118,5031305,780800,C:\Users\Admin\AppData\Local\Temp\a6936625e74d09e2118a9b0a475bf9391495f047f046f7b63cfc319adebbc25f.exe"
      2⤵
      • Executes dropped EXE
      • Drops file in Program Files directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of WriteProcessMemory
      PID:3748
      • C:\Program Files (x86)\WinThruster\WTNotifications.exe
        "C:\Program Files (x86)\WinThruster\WTNotifications.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:3460
      • C:\Program Files (x86)\WinThruster\WinThruster.exe
        "C:\Program Files (x86)\WinThruster\WinThruster.exe"
        3⤵
        • Executes dropped EXE
        • Checks computer location settings
        • Loads dropped DLL
        • Adds Run key to start application
        • Drops file in Windows directory
        • Checks processor information in registry
        • Suspicious use of WriteProcessMemory
        PID:3932
        • C:\Windows\SysWOW64\schtasks.exe
          "C:\Windows\System32\schtasks.exe" /Create /TN "WinThruster automatic scan and notifications" /TR "\"C:\Program Files (x86)\WinThruster\WTNotifications.exe\"" /SC ONLOGON /RL HIGHEST /F
          4⤵
          • Creates scheduled task(s)
          PID:3340
  • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
    "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
    1⤵
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    PID:2976
  • C:\Windows\system32\browser_broker.exe
    C:\Windows\system32\browser_broker.exe -Embedding
    1⤵
    • Modifies Internet Explorer settings
    PID:2196
  • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
    "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
    1⤵
    • Modifies registry class
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3484
  • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
    "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
    1⤵
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    PID:3796
  • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
    "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
    1⤵
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    PID:4144
  • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
    "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
    1⤵
    • Modifies registry class
    PID:4420
  • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
    "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
    1⤵
    • Modifies registry class
    PID:4504

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Program Files (x86)\WinThruster\Cookies.txt

    MD5

    bf6c156441320d21440afc65a6bcf77d

    SHA1

    b04bb3fa963147218ef2c79e96a5a3e1d899e94d

    SHA256

    502f9fba9bba2ca5f57a3a0ea7efcee4731c98dcd2ea0fcec21059b11ddbf352

    SHA512

    dba0389aa9a68787f638712f321753d5933a3a9b714358ef780796f8e0a1bece21e113a88626e760c6023c3f03ee18ca138bc3a6962925282a0efbaf92a40474

  • C:\Program Files (x86)\WinThruster\English.ini

    MD5

    3a3b8dce74e4fec77eaeea2b1f535948

    SHA1

    1ff94bd4136aa271e56938b14e872be885f41f3d

    SHA256

    dcffa0dea71fdba673e01f48d83f663b454c88a99bce64ac17792cd4f7af2ff0

    SHA512

    36138f90d106e68c6a40dca8d27cc2c59b00c867739755cc45548dd8926cf7c122257046c956fdaf9686200a93caf767c670e86a7746f13bce8256a2be810e7c

  • C:\Program Files (x86)\WinThruster\SList.txt

    MD5

    80a353ea8e6a93a016076e538a9b123c

    SHA1

    ba551dd7c98f477c6d2c55fbdfaae9e5d1990dd6

    SHA256

    f4b39bf16baa717ebf380c322491e868279da6cc90155ba1b31634a4b60bcf1a

    SHA512

    1736f5d8da168e772104c4b9db0ebe3bc35709b5eff6c781fa2347624c7147f825621ebe166dfc796772885b37c09ab4b642ea6953fd40198b152dec9aa5ef64

  • C:\Program Files (x86)\WinThruster\SiteNtf.txt

    MD5

    b8dd8bdac1510ef2fb80b5f6cb43b71d

    SHA1

    e5efffaa40f1bbc65a91fe09b29ebf655df88315

    SHA256

    bebde1daa07b9f2caee5006af0cfd6d43df7c69f7797981ac4f088b26944a190

    SHA512

    84a41ab2cf5b1bb11596bd9812f72d3a628b2d4f2a697d96c10c44b2e3280326b52ec23bc86e132266d9d0ce29116f8ef52d0ed8246a24676c9c47d0ed9628db

  • C:\Program Files (x86)\WinThruster\UList.txt

    MD5

    0a98387bc136d528f220300db04a8f3c

    SHA1

    5fad82017a8c1c872a29b1899ee2a69fe46b775e

    SHA256

    e3038c1f9f88b80fcd4e34a8999caa2073d010c2408391b5c8ce00f758be0206

    SHA512

    ed9c88c1743a71fba8e29a55f09f753ad74b291d5d35b87459450fb0204790e0ddfa8f3bd914539509f896ce6d21c2c8a1faad6e3a1ec5557411059e94fd088a

  • C:\Program Files (x86)\WinThruster\WTNotifications.exe

    MD5

    000b02c34445067da8c03ae044f1ba3b

    SHA1

    10456732267b007b295241492cbb67c755a8d2b8

    SHA256

    bc983cc3467260adf1f00218670f7066b9293a5fc314efc09f29febcd92e0454

    SHA512

    98eae66c6e29ed14f4f3fbad9b75d91d652a58466f355c2e7c41dd07c7f3192790602ea1eb415a13e1d85e0d8471bac623053d364705516c4aac96368667f86f

  • C:\Program Files (x86)\WinThruster\WinThruster.exe

    MD5

    2f6d255d3e6b6acfe2763fac2509b7aa

    SHA1

    2119535d7dd3fe971232e888b999023851b7bb85

    SHA256

    19d289fa0f955589d877296a9f505e91ca540ebbb70a02e90eb30ce4e74e6ebb

    SHA512

    3261343abaab4b9df92fcafaf1e3dcab2019a24db5df07a57f271afea60ac08bc9389d0c813646134350dc56b1e337867bce483c44e2a13a44e7fd8d430fd05d

  • C:\Program Files (x86)\WinThruster\sqlite3.dll

    MD5

    97672fc2d19807088cca791d20f3bd4b

    SHA1

    eebd38fa5954656895df3e6ac7ed142129f98100

    SHA256

    d6f145175bf58ac6fbc70465dba372a3b579845c717bf762f1219351c1a3a5e4

    SHA512

    3a852132287c2bda2e01a707df92405ec656080d6cbad847e32a419cb4b1763dcb04181a525356809ee2e4b4dc6af3a4330a6f9b19f598c507ddb62618aa4f3f

  • C:\ProgramData\Microsoft\Windows\Start Menu\Programs\WinThruster\Uninstall WinThruster.lnk

    MD5

    34690099c3bd659690a3d5bc46c72da4

    SHA1

    33f2c720ad3560f523c6c872a7ff59f95da62dbf

    SHA256

    ee8fd1b49df1a65ed75658f5b336fa2b1753a36372fc880112f71a02b77916a6

    SHA512

    85813ce72dcccc2fab28a8188cc9548691433da0e89ffad3991d4572bd2803f3fa0cbb1f5b146028a40ab053fbdc7cb32e5a357db7758535689392df9dac6329

  • C:\ProgramData\Microsoft\Windows\Start Menu\Programs\WinThruster\WinThruster on the Web.lnk

    MD5

    1354cc5ed339bedc7439c3a94b330ad7

    SHA1

    37c4b36db884405947d3b92b720705256613d041

    SHA256

    2cd9566b2e64f5a89e0361ebd0b931b1c24cc31897d016c25b4635e26a239cc1

    SHA512

    e36a3bdec8e64fa7ea7083317f1ca5f24d37ba6a1071beaad028bea379fa89ebe1288405da1dba2cd4b75a58e88c2c76a8efc9fefffe16f58beb883ee681a335

  • C:\ProgramData\Microsoft\Windows\Start Menu\Programs\WinThruster\WinThruster.lnk

    MD5

    4c5b03d31fc8ca3c5ad3730c2216d0db

    SHA1

    78b3827059e51bb062060bdc6a89240610d93954

    SHA256

    0522cf668311a807d0ef59fd524ac50977becf200cb07930d626fef4be7e36b2

    SHA512

    7c9262a857816b45071d5c99c45b630f38c6ae59c89a86f9feea8d00874d9c4a44fa37bef47bae23731342dce72c2996314ba776f47a8d07fb39236d8cccfe17

  • C:\Users\Admin\AppData\Local\Temp\is-H7PJQ.tmp\a6936625e74d09e2118a9b0a475bf9391495f047f046f7b63cfc319adebbc25f.tmp

    MD5

    8b6183936cdeaa7be9a3e646f826057a

    SHA1

    86543f76db3a131956a6e06c3c06ae7be9ed9462

    SHA256

    ef6f75ae2f1893254e9329ad9a5b77df33a8d501cebf3414447c6767fb0d7681

    SHA512

    90a34c5e01cf3dcf62e4367cafe8b98e0b15a6d6588211c2256a405b5a3d6ef91a682c1979626dba37bc815f48e684fe1e07051ee4d686799422c44b246f14e2

  • C:\Users\Admin\Desktop\WinThruster.lnk

    MD5

    8a78dadd5abd6a14b1b4f98e1f3b451f

    SHA1

    3e771c25435168a2a809c3fcdcd82e9213c3ddb3

    SHA256

    7678715df3b20d230046750e04d2fa92b0449f12080733a7709dabe84202d32b

    SHA512

    e7aa18509652259765f64373232f651790653dc1ac241902ec855a5f362704fe984ab47be3c954c6f74762f4dfdbe605b4bd21cb5d90a5a3dea9fb943348acbb

  • \Program Files (x86)\WinThruster\sqlite3.dll

    MD5

    97672fc2d19807088cca791d20f3bd4b

    SHA1

    eebd38fa5954656895df3e6ac7ed142129f98100

    SHA256

    d6f145175bf58ac6fbc70465dba372a3b579845c717bf762f1219351c1a3a5e4

    SHA512

    3a852132287c2bda2e01a707df92405ec656080d6cbad847e32a419cb4b1763dcb04181a525356809ee2e4b4dc6af3a4330a6f9b19f598c507ddb62618aa4f3f

  • memory/2680-117-0x0000000000400000-0x00000000004CC000-memory.dmp

    Filesize

    816KB

  • memory/3340-136-0x0000000000000000-mapping.dmp

  • memory/3460-133-0x0000000000870000-0x00000000009BA000-memory.dmp

    Filesize

    1.3MB

  • memory/3460-122-0x0000000000000000-mapping.dmp

  • memory/3748-120-0x0000000000830000-0x0000000000831000-memory.dmp

    Filesize

    4KB

  • memory/3748-118-0x0000000000000000-mapping.dmp

  • memory/3932-132-0x0000000000D30000-0x0000000000D31000-memory.dmp

    Filesize

    4KB

  • memory/3932-123-0x0000000000000000-mapping.dmp