Analysis

  • max time kernel
    151s
  • max time network
    131s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    27-04-2022 18:01

General

  • Target

    2216973fd9794e1cca0ce543368762eb0105f5d097b103db52bd37731d790c80.exe

  • Size

    17KB

  • MD5

    ac88cf156ecae3c17833d98e2d24cb89

  • SHA1

    4d238e454fd2c82d809f7dbd5117b16a6d7686a4

  • SHA256

    2216973fd9794e1cca0ce543368762eb0105f5d097b103db52bd37731d790c80

  • SHA512

    b2e54b89be1ed110e889fe228da238071c7db1f24e55dc8a37f73d54ee56d4728131fb7c8c277c5cdcc7629158cb8e58f55ab2aa0503523cad69a8483448821b

Malware Config

Signatures

  • ACProtect 1.3x - 1.4x DLL software 1 IoCs

    Detects file using ACProtect software.

  • Adds policy Run key to start application 2 TTPs 2 IoCs
  • Executes dropped EXE 1 IoCs
  • UPX packed file 3 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Loads dropped DLL 1 IoCs
  • Installs/modifies Browser Helper Object 2 TTPs

    BHOs are DLL modules which act as plugins for Internet Explorer.

  • Modifies Internet Explorer settings 1 TTPs 11 IoCs
  • Modifies registry class 6 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2216973fd9794e1cca0ce543368762eb0105f5d097b103db52bd37731d790c80.exe
    "C:\Users\Admin\AppData\Local\Temp\2216973fd9794e1cca0ce543368762eb0105f5d097b103db52bd37731d790c80.exe"
    1⤵
    • Adds policy Run key to start application
    • Loads dropped DLL
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of WriteProcessMemory
    PID:760
    • C:\Users\Admin\AppData\Local\Temp\sbsm.exe
      C:\Users\Admin\AppData\Local\Temp\sbsm.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      PID:4244

Network

MITRE ATT&CK Matrix ATT&CK v6

Persistence

Registry Run Keys / Startup Folder

1
T1060

Browser Extensions

1
T1176

Defense Evasion

Modify Registry

3
T1112

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\sbmdl.dll
    Filesize

    8KB

    MD5

    4a4bf873392614e5d5c4e2b5bdfa39e0

    SHA1

    7de1c3e45e8491bc21a0c3c89d0e73c8541142fd

    SHA256

    db7692f8a1446bc82ac3e48a80f69cb8c4f284a02abb800d4ddc732c42295b5a

    SHA512

    a56f2ac3ab5ec0206e178ac458f105bd0c00f407c8e06bad24cce902f098342ca48ac69eb22f6307e37a4818bfdd482c336da156a7b1c835ca0119c0ae35788e

  • C:\Users\Admin\AppData\Local\Temp\sbsm.exe
    Filesize

    4KB

    MD5

    e0f7ced526b99e14505dc5f20a519cc2

    SHA1

    89dfd546230cdb96e30076c14cc63335f463d79d

    SHA256

    756511a2c6902b5828f754cb0a0849d0441034d90fc32f81196def0c85a725fa

    SHA512

    1cba73b7a7751647ca0d45bfb5bc57392529c1ee67686d790313415315d1b746bd16bfda599a19da8c19fed6be48d3e1a02a11bf2b3306ff0961c3f4bfc29fd1

  • C:\Users\Admin\AppData\Local\Temp\sbsm.exe
    Filesize

    4KB

    MD5

    e0f7ced526b99e14505dc5f20a519cc2

    SHA1

    89dfd546230cdb96e30076c14cc63335f463d79d

    SHA256

    756511a2c6902b5828f754cb0a0849d0441034d90fc32f81196def0c85a725fa

    SHA512

    1cba73b7a7751647ca0d45bfb5bc57392529c1ee67686d790313415315d1b746bd16bfda599a19da8c19fed6be48d3e1a02a11bf2b3306ff0961c3f4bfc29fd1

  • memory/4244-131-0x0000000000000000-mapping.dmp