Analysis

  • max time kernel
    98s
  • max time network
    147s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    18-05-2022 11:29

General

  • Target

    a3ae4a0eda4309c7a8316f7a4b229f00.exe

  • Size

    20KB

  • MD5

    a3ae4a0eda4309c7a8316f7a4b229f00

  • SHA1

    d620bff1ee0117fddbc6ca3ccc730193d63b5f71

  • SHA256

    8db302a49d05002f7e2abd3e8381a57fcd8f73d7580d7e2f1f4f3cd3c600345f

  • SHA512

    b2f72a653490a7cfc191bdf99469b709839e944fe43eb0f50ea36d52fb7e83486e5df2b58efa84947d5cb3a6bfd31b1941a740f9efeea69c9fac164e4e86a1fa

Malware Config

Signatures

  • Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs
  • Modifies system executable filetype association 2 TTPs 46 IoCs
  • Modifies Installed Components in the registry 2 TTPs
  • Sets file execution options in registry 2 TTPs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Installs/modifies Browser Helper Object 2 TTPs

    BHOs are DLL modules which act as plugins for Internet Explorer.

  • Kills process with taskkill 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 64 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a3ae4a0eda4309c7a8316f7a4b229f00.exe
    "C:\Users\Admin\AppData\Local\Temp\a3ae4a0eda4309c7a8316f7a4b229f00.exe"
    1⤵
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2360
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c taskkill /f /im explorer.exe
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1436
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /f /im explorer.exe
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2364
    • C:\Windows\SysWOW64\reg.exe
      reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft" /f
      2⤵
      • Adds Run key to start application
      • Modifies Internet Explorer settings
      PID:5012
    • C:\Windows\SysWOW64\reg.exe
      reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SideBySide" /f
      2⤵
      PID:3744
    • C:\Windows\SysWOW64\reg.exe
      reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Classes" /f
      2⤵
      • Modifies system executable filetype association
      • Modifies registry class
      PID:3804
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c mountvol C: /d
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2232
      • C:\Windows\SysWOW64\mountvol.exe
        mountvol C: /d
        3⤵
        PID:4468

Network

MITRE ATT&CK Matrix ATT&CK v6

  • Persistence
    • Registry Run Keys / Startup Folder (T1060): 4
    • Change Default File Association (T1042): 1
    • Browser Extensions (T1176): 1
  • Defense Evasion
    • Modify Registry (T1112): 7


Downloads

  • memory/1436-132-0x0000000000000000-mapping.dmp
  • memory/2232-137-0x0000000000000000-mapping.dmp
  • memory/2364-136-0x0000000000000000-mapping.dmp
  • memory/3744-134-0x0000000000000000-mapping.dmp
  • memory/3804-133-0x0000000000000000-mapping.dmp
  • memory/4468-138-0x0000000000000000-mapping.dmp
  • memory/5012-135-0x0000000000000000-mapping.dmp