Analysis

  • max time kernel
    72s
  • max time network
    144s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    15-04-2022 15:34

General

  • Target

    99ecb8fe08339f5a1ef6790d2102b38f7b17cf8f74a258f6020ab2075b2734bf.exe

  • Size

    289KB

  • MD5

    9c5d2ad17b6e100bf79c7ac19de0b289

  • SHA1

    7da2598504baaed90d03a647da4dcf8521e8aa83

  • SHA256

    99ecb8fe08339f5a1ef6790d2102b38f7b17cf8f74a258f6020ab2075b2734bf

  • SHA512

    38a95d72dcfe0a24463d628fa0990c1f3c44fd47303071b17fd1a43707438a6a33a74ee3c9ba7f7b255db3e2401d9486938ec2bc5189d22870c484f27a0400c3

Score
9/10

Malware Config

Signatures

  • ACProtect 1.3x - 1.4x DLL software 1 IoCs

    Detects file using ACProtect software. ACProtect is a commercial packer/protector, so the bytes on disk are not the code that runs; static signatures and string searches should target the unpacked payload or the dropped DLL rather than this executable.

  • Installs/modifies Browser Helper Object 2 TTPs

    BHOs are DLL modules which act as plugins for Internet Explorer. They are loaded into every new iexplore.exe instance, which gives the sample both persistence (T1176) and a position inside the browser from which it can observe and alter page content.

  • Drops file in Windows directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). The sandbox labels this as likely ransomware behaviour, but drive enumeration is also routine for installers and droppers, and nothing else in this report (no file encryption, no ransom note) supports a ransomware verdict; treat it as a weak indicator on its own.

  • Modifies Internet Explorer settings 1 TTPs 36 IoCs
  • Modifies registry class 55 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\99ecb8fe08339f5a1ef6790d2102b38f7b17cf8f74a258f6020ab2075b2734bf.exe
    "C:\Users\Admin\AppData\Local\Temp\99ecb8fe08339f5a1ef6790d2102b38f7b17cf8f74a258f6020ab2075b2734bf.exe"
    1⤵
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1836
    • C:\Windows\SysWOW64\regsvr32.exe
      "C:\Windows\System32\regsvr32.exe" /s "C:\Windows\iksaxu.dll"
      2⤵
      • Modifies registry class
      PID:1364
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" http://www.google.com/search?q=sex download
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1292
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1292 CREDAT:275457 /prefetch:2
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:880
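The chain above is the pattern a detection should key on: a dropper running from %TEMP% writes a DLL straight into C:\Windows, registers it silently with regsvr32 /s, and then the DLL appears as a Browser Helper Object when Internet Explorer starts. Note that the regsvr32 command line names System32\regsvr32.exe while the image that actually ran is SysWOW64\regsvr32.exe: the 32-bit dropper's process creation was redirected by WOW64 file-system redirection, so a rule that matches on image path must accept both locations. The following Python is an added example, not part of the report or the sandbox's own signature set. The event records are constructed to mirror the process tree above; their field names (type, pid, parent_image, image, command_line, target_object, details) are an assumption loosely modelled on Sysmon process-create and registry-value-set events, and the CLSID is a placeholder because the report does not list the one the sample registers.

```python
import re
from pathlib import PureWindowsPath

DROPPER = (r"C:\Users\Admin\AppData\Local\Temp"
           r"\99ecb8fe08339f5a1ef6790d2102b38f7b17cf8f74a258f6020ab2075b2734bf.exe")

# Constructed sample events mirroring the process tree in the report. The record
# shape is an assumption modelled loosely on Sysmon Event ID 1 (process create)
# and Event ID 13 (registry value set); it is not the sandbox's own log format.
# The CLSID is a placeholder: the report does not give the real one.
CLSID = "{00000000-0000-0000-0000-000000000001}"
BHO_ROOT = r"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects"
EVENTS = [
    {"type": "process", "pid": 1836, "parent_image": r"C:\Windows\explorer.exe",
     "image": DROPPER, "command_line": f'"{DROPPER}"'},
    {"type": "process", "pid": 1364, "parent_image": DROPPER,
     "image": r"C:\Windows\SysWOW64\regsvr32.exe",
     "command_line": r'"C:\Windows\System32\regsvr32.exe" /s "C:\Windows\iksaxu.dll"'},
    {"type": "registry", "pid": 1364, "image": r"C:\Windows\SysWOW64\regsvr32.exe",
     "target_object": BHO_ROOT + "\\" + CLSID, "details": ""},
    {"type": "registry", "pid": 1364, "image": r"C:\Windows\SysWOW64\regsvr32.exe",
     "target_object": r"HKLM\SOFTWARE\Classes\Wow6432Node\CLSID" + "\\" + CLSID + r"\InprocServer32\(Default)",
     "details": r"C:\Windows\iksaxu.dll"},
    # Benign control: a vendor installer registering its own COM server under Program Files.
    {"type": "process", "pid": 2200, "parent_image": r"C:\Program Files\Vendor\setup.exe",
     "image": r"C:\Windows\System32\regsvr32.exe",
     "command_line": r'"C:\Windows\System32\regsvr32.exe" /s "C:\Program Files\Vendor\vendor.dll"'},
]

# Quoted or unquoted DLL/OCX argument on a regsvr32 command line.
DLL_ARG = re.compile(r'"([A-Za-z]:\\[^"]+\.(?:dll|ocx))"|(?<!\S)([A-Za-z]:\\\S+\.(?:dll|ocx))(?!\S)', re.I)
BHO_KEY = re.compile(r"\\Explorer\\Browser Helper Objects\\(\{[0-9A-Fa-f-]+\})$")
INPROC_KEY = re.compile(r"\\CLSID\\(\{[0-9A-Fa-f-]+\})\\InprocServer32\\\(Default\)$", re.I)


def dll_location_is_suspicious(path: str) -> bool:
    """Legitimate COM servers live under System32/SysWOW64 or an install directory,
    not loose in the Windows root or in user-writable temp locations."""
    parent = str(PureWindowsPath(path).parent).lower()
    if parent == r"c:\windows":
        return True
    return any(marker in parent for marker in (r"\appdata\local\temp", r"\users\public"))


def analyse(events):
    """Return (rule_id, pid, detail) findings for the silent-regsvr32-then-BHO pattern."""
    findings = []
    untrusted_dlls = set()  # DLLs silently registered from a bad location or by a %TEMP% parent
    for ev in events:
        if ev["type"] == "process" and PureWindowsPath(ev["image"]).name.lower() == "regsvr32.exe":
            m = DLL_ARG.search(ev["command_line"])
            if not m:
                continue
            dll = m.group(1) or m.group(2)
            silent = "/s" in ev["command_line"].lower().split()
            from_temp = r"\appdata\local\temp" in ev["parent_image"].lower()
            if silent and (dll_location_is_suspicious(dll) or from_temp):
                untrusted_dlls.add(dll.lower())
                findings.append(("regsvr32_silent_untrusted_dll", ev["pid"], dll))
        elif ev["type"] == "registry":
            bho = BHO_KEY.search(ev["target_object"])
            if bho:
                findings.append(("bho_registered", ev["pid"], bho.group(1)))
            inproc = INPROC_KEY.search(ev["target_object"])
            if inproc and ev["details"].lower() in untrusted_dlls:
                findings.append(("com_server_points_to_untrusted_dll", ev["pid"], ev["details"]))
    return findings


def verdict(findings):
    """Collapse findings per pid: a BHO key plus a COM server backed by the untrusted DLL
    in the same process is the full install pattern; anything less needs analyst review."""
    by_pid = {}
    for rule, pid, _ in findings:
        by_pid.setdefault(pid, set()).add(rule)
    full = {"bho_registered", "com_server_points_to_untrusted_dll"}
    return {pid: ("bho_install_from_dropped_dll" if full <= rules else "review")
            for pid, rules in by_pid.items()}


if __name__ == "__main__":
    for f in analyse(EVENTS):
        print(f)
    print(verdict(analyse(EVENTS)))
```

The vendor control record is there to show the rule does not fire on an ordinary silent registration from Program Files by a non-%TEMP% parent; the signal is the combination of the DLL's location, the parent's location, and the registry keys written by the same regsvr32 process.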

Network

MITRE ATT&CK Matrix ATT&CK v6

  • Persistence: Browser Extensions (T1176), 1 signature
  • Defense Evasion: Modify Registry (T1112), 2 signatures
  • Discovery: System Information Discovery (T1082), 1 signature


Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    344B

    MD5

    1aad4b1cacdbf2eb397513983f3f2670

    SHA1

    c8cdded970e432d39833539537d5261ef6fbf00d

    SHA256

    201aa109569f75a3a59dc9c0ba30ec100cc728fe946f50a3ce4667a4354b70e4

    SHA512

    26b9e290f8e5d806240a4a3151a79b1e4446ef923bc6c0fffd9d12a29d469899c9012110e39e0e25df5a10baf193c66967186e26631b405dec58fca96ea431ec

  • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\k007hrg\imagestore.dat
    Filesize

    9KB

    MD5

    fded2f2767fa0333d7fd32bf9152bd5d

    SHA1

    4ab3348854b079e810325b6d7da3327c11334cd4

    SHA256

    f4b26a228141ff72d1d7f9a16475d087dbcb980907349b3783f2e47094f09356

    SHA512

    814185ee40a4365e5d14962b00c60491fc4415625de3f6bed668f153c291b09de2185c2903e8cac27cbae53e968a6ee6effa22734dac8b2e125b61f4728afb4c

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\LUKR5PVZ.txt
    Filesize

    604B

    MD5

    2f6ac2ee2114edcdd4a698224f75d827

    SHA1

    27f3eb20de2f560fcf97ccebb5c7d6809f691a14

    SHA256

    bc393d182616a0510f55ac376d96a17a6a7d4e6a8b09ce8716f3b9f997bf1b0c

    SHA512

    523b0774b0f8f30af8ba5d9fe261029e83a4fdaa65ac3320d0d653d1d4006d5a80b67242700c1a3e61048fa018ea690790b40c0499ce4a038124e505e88e1769

  • C:\Windows\iksaxu.dll
    Filesize

    246KB

    MD5

    c90370a618f0505e6d190c6fa175aeaa

    SHA1

    7a260db073f691c3679bd1e8cf17ba934d290b18

    SHA256

    ae87350bcdda0fba4914ae063686574767ac37794fb9355125e27030fd17ae97

    SHA512

    7315ae09c0b3f0f8a3e35c3360a93d2381ebba3c515a3dee138fad9dc22b527684f988057e3f3f4e502d9f4d4c99591d83e2a3eed0f573819dac8885bfa44486

  • memory/1364-55-0x0000000000000000-mapping.dmp
  • memory/1836-54-0x0000000075501000-0x0000000075503000-memory.dmp
    Filesize

    8KB
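Only one of the four dropped files above is attacker-controlled. The CryptnetUrlCache entry, the imagestore favicon cache and the cookie file are side effects of the iexplore.exe launch in the process tree; their contents are host-specific, so hunting on those hashes finds nothing. The Python below is an added example, not part of the report, that separates the hunt-worthy indicators (the DLL and the original dropper) from browser residue and checks a file found on a host against them, including the case where the DLL sits at the same path but with a different hash. The path patterns used to recognise residue are this example's own heuristics, and the host file content is constructed.

```python
import hashlib
import re
from typing import Optional

# Dropped-file list transcribed from the report above: (path, sha256).
DROPPED = [
    (r"C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015",
     "201aa109569f75a3a59dc9c0ba30ec100cc728fe946f50a3ce4667a4354b70e4"),
    (r"C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\k007hrg\imagestore.dat",
     "f4b26a228141ff72d1d7f9a16475d087dbcb980907349b3783f2e47094f09356"),
    (r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\LUKR5PVZ.txt",
     "bc393d182616a0510f55ac376d96a17a6a7d4e6a8b09ce8716f3b9f997bf1b0c"),
    (r"C:\Windows\iksaxu.dll",
     "ae87350bcdda0fba4914ae063686574767ac37794fb9355125e27030fd17ae97"),
]
SAMPLE_SHA256 = "99ecb8fe08339f5a1ef6790d2102b38f7b17cf8f74a258f6020ab2075b2734bf"

# Heuristic path patterns (this example's own, not the sandbox's) for files that
# Internet Explorer / CryptoAPI write during any browsing session.
RESIDUE = [
    re.compile(r"\\CryptnetUrlCache\\", re.I),                  # CAPI URL cache (cert/CRL fetches)
    re.compile(r"\\Internet Explorer\\imagestore\\", re.I),     # favicon cache
    re.compile(r"\\Windows\\Cookies\\[A-Z0-9]{8}\.txt$", re.I),  # IE cookie jar
]


def classify(path: str) -> str:
    return "browser_residue" if any(p.search(path) for p in RESIDUE) else "payload"


def hunt_set(dropped, sample_sha256: str) -> dict:
    """sha256 -> path for everything worth searching other hosts for."""
    iocs = {sha: path for path, sha in dropped if classify(path) == "payload"}
    iocs[sample_sha256] = "<original dropper>"  # the submitted sample itself
    return iocs


def digests(data: bytes) -> dict:
    """MD5/SHA1/SHA256 of a file's bytes, matching the hash set the report publishes."""
    return {name: hashlib.new(name, data).hexdigest() for name in ("md5", "sha1", "sha256")}


def check_file(path: str, data: bytes, iocs: dict) -> Optional[str]:
    """Verdict for one file found on a host."""
    if digests(data)["sha256"] in iocs:
        return "hash_match"
    if path.lower() in {p.lower() for p in iocs.values()}:
        # Same drop location, different build: still worth collecting.
        return "path_match_hash_differs"
    return None


if __name__ == "__main__":
    iocs = hunt_set(DROPPED, SAMPLE_SHA256)
    for sha, path in iocs.items():
        print(sha, path)
    # Constructed host file: the DLL path exists but holds different bytes.
    print(check_file(r"C:\Windows\iksaxu.dll", b"constructed stand-in content", iocs))
```

When sweeping hosts, pair the hash and path check with the registry side of the install (a Browser Helper Objects subkey whose CLSID's InprocServer32 points at C:\Windows\iksaxu.dll), since a re-packed variant will change the DLL hash but usually not where it is dropped.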