Analysis

  • max time kernel
    30s
  • max time network
    45s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    28-05-2022 04:24

General

  • Target

    0277888e35ecc22e1c97aaba83cb7f3190a0065e42087e4e33345d0491dcc839.exe

  • Size

    1000KB

  • MD5

    4113bf53ad97520e919917181eb53b4c

  • SHA1

    bdcb6caea9dd23d86e8c9ccaa199d052105f12e9

  • SHA256

    0277888e35ecc22e1c97aaba83cb7f3190a0065e42087e4e33345d0491dcc839

  • SHA512

    47b4323857dd835c8f8b113620eca1c6250984f845998d038b069ab789978ecdf19231bf17ffed6cd412e05ca16407386ccdc96de201fe5a839126bc42c29b51

Malware Config

Signatures

  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Installs/modifies Browser Helper Object 2 TTPs

    BHOs are DLL modules which act as plugins for Internet Explorer.

  • Drops file in Program Files directory 22 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies Internet Explorer settings 1 TTPs 2 IoCs
  • Modifies registry class 36 IoCs
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0277888e35ecc22e1c97aaba83cb7f3190a0065e42087e4e33345d0491dcc839.exe
    "C:\Users\Admin\AppData\Local\Temp\0277888e35ecc22e1c97aaba83cb7f3190a0065e42087e4e33345d0491dcc839.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in Program Files directory
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1928
    • C:\Windows\SysWOW64\regsvr32.exe
      regsvr32 "C:\Program Files (x86)\VideoPlayerV3\VideoPlayerV3beta10250\ie\VideoPlayerV3beta10250.dll" /s
      2⤵
      • Loads dropped DLL
      • Modifies registry class
      PID:1516

Network

MITRE ATT&CK Matrix ATT&CK v6

  • Persistence: Browser Extensions (1) T1176
  • Defense Evasion: Modify Registry (2) T1112
  • Credential Access: Credentials in Files (1) T1081
  • Discovery: Query Registry (1) T1012; System Information Discovery (1) T1082
  • Collection: Data from Local System (1) T1005

Downloads

  • C:\Program Files (x86)\VideoPlayerV3\VideoPlayerV3beta10250\ie\VideoPlayerV3beta10250.dll
    Filesize

    85KB

    MD5

    12f67cb87dc30248d38bde09908d7998

    SHA1

    63e2383550ef370157543042af1218f3d1bf8e49

    SHA256

    83b2e7b1afd89011c7b337c8e78c32fe1ba3b86607fa382ff70431f653d7960b

    SHA512

    d02ebaa6f2101530e3e33bbcefd95111f806aaa0bc27986abe66d6a0553d8d162e36c265ef29aaa2a6810aa2f9ae3327045ef434a4c525e3dffcfcb0683787fd

  • \Program Files (x86)\VideoPlayerV3\VideoPlayerV3beta10250\ie\VideoPlayerV3beta10250.dll
    Filesize

    85KB

    MD5

    12f67cb87dc30248d38bde09908d7998

    SHA1

    63e2383550ef370157543042af1218f3d1bf8e49

    SHA256

    83b2e7b1afd89011c7b337c8e78c32fe1ba3b86607fa382ff70431f653d7960b

    SHA512

    d02ebaa6f2101530e3e33bbcefd95111f806aaa0bc27986abe66d6a0553d8d162e36c265ef29aaa2a6810aa2f9ae3327045ef434a4c525e3dffcfcb0683787fd

  • \Users\Admin\AppData\Local\Temp\nsj3B9C.tmp\aminsis.dll
    Filesize

    822KB

    MD5

    678a22e736f3bfa0d74ae2b1133a4c77

    SHA1

    964bbaf745a2b82bc23de0879b221bf6551b7283

    SHA256

    c5799cbab76464874e857fbd16600c4b33298d809f4ef27a07b21f8724614f14

    SHA512

    058fa4ee5272623fcc9267958ad6d7befeb74efa079b8fa8e461830ec05b96ed933014360eac5ab61eff890b8ec1ea268d8b2781999515ed27ba0333751baa4a

  • memory/1516-56-0x0000000000000000-mapping.dmp
  • memory/1928-54-0x0000000075711000-0x0000000075713000-memory.dmp
    Filesize

    8KB