Analysis

  • max time kernel
    133s
  • max time network
    136s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    15-04-2022 15:34

General

  • Target

    99ecb8fe08339f5a1ef6790d2102b38f7b17cf8f74a258f6020ab2075b2734bf.exe

  • Size

    289KB

  • MD5

    9c5d2ad17b6e100bf79c7ac19de0b289

  • SHA1

    7da2598504baaed90d03a647da4dcf8521e8aa83

  • SHA256

    99ecb8fe08339f5a1ef6790d2102b38f7b17cf8f74a258f6020ab2075b2734bf

  • SHA512

    38a95d72dcfe0a24463d628fa0990c1f3c44fd47303071b17fd1a43707438a6a33a74ee3c9ba7f7b255db3e2401d9486938ec2bc5189d22870c484f27a0400c3

Score
9/10

Malware Config

Signatures

  • ACProtect 1.3x - 1.4x DLL software 2 IoCs

    Detects file using ACProtect software.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL 1 IoCs
  • Installs/modifies Browser Helper Object 2 TTPs

    BHOs are DLL modules which act as plugins for Internet Explorer.

  • Drops file in Windows directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies Internet Explorer settings 1 TTPs 39 IoCs
  • Modifies registry class 55 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\99ecb8fe08339f5a1ef6790d2102b38f7b17cf8f74a258f6020ab2075b2734bf.exe
    "C:\Users\Admin\AppData\Local\Temp\99ecb8fe08339f5a1ef6790d2102b38f7b17cf8f74a258f6020ab2075b2734bf.exe"
    1⤵
    • Checks computer location settings
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:3460
    • C:\Windows\SysWOW64\regsvr32.exe
      "C:\Windows\System32\regsvr32.exe" /s "C:\Windows\ikunbeps.dll"
      2⤵
      • Loads dropped DLL
      • Modifies registry class
      PID:3444
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" http://www.google.com/search?q=sex download
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:3784
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3784 CREDAT:17410 /prefetch:2
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:492

Network

MITRE ATT&CK Matrix (ATT&CK v6)

  • Persistence: Browser Extensions (1) T1176
  • Defense Evasion: Modify Registry (2) T1112
  • Discovery: Query Registry (1) T1012
  • Discovery: System Information Discovery (2) T1082

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\a5473fd\imagestore.dat
    Filesize

    5KB

    MD5

    493926bd6990823e06357fc69ba02c3b

    SHA1

    faeaf149c204c6b498a33e62d3cf5afa9ffc3c26

    SHA256

    dce2f50364ad7f65fbb3786932b55d9b541fe8905f48cb30c6e7156ebd320c42

    SHA512

    de50a7af2d2de827d7ea7aa47855af9f7d63da816016536b27e083bf1291e0fa467a401397fc129cba9f2eb6d54857a884a3c40cb1998de779bfb50031ed2fe8

  • C:\Windows\ikunbeps.dll
    Filesize

    246KB

    MD5

    c90370a618f0505e6d190c6fa175aeaa

    SHA1

    7a260db073f691c3679bd1e8cf17ba934d290b18

    SHA256

    ae87350bcdda0fba4914ae063686574767ac37794fb9355125e27030fd17ae97

    SHA512

    7315ae09c0b3f0f8a3e35c3360a93d2381ebba3c515a3dee138fad9dc22b527684f988057e3f3f4e502d9f4d4c99591d83e2a3eed0f573819dac8885bfa44486

  • memory/3444-130-0x0000000000000000-mapping.dmp