Analysis

  • max time kernel: 41s
  • max time network: 45s
  • platform: windows7_x64
  • resource: win7-20220812-en
  • resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
  • submitted: 19-09-2022 08:33

General

  • Target: 20e60ff094fb57ac2b80744aba88c61635f85d109b29fcae776af05a65550bff.exe
  • Size: 341KB
  • MD5: 59a3fb18abf76e1955b666771d04712a
  • SHA1: 376983c0d74e65ec2fff72f760a94d527105c67e
  • SHA256: 20e60ff094fb57ac2b80744aba88c61635f85d109b29fcae776af05a65550bff
  • SHA512: f38102d22673ceab36ccb713575ca9de7e75f33b3c8a557815aa62470f3f6d6d5c60932282fc5aac4040475fd79b050f8e13444c6223a149bf8f67dcaf94d0c3
  • SSDEEP: 6144:bTfFDbRnOTrAZJUJvIV9X7PkoCLIJ/2Hzq4PqrBQZ7o+xegv83+:d5OtKl7PkRLI12HCNqEYNk3+

Score
8/10

Malware Config

Signatures

  • Executes dropped EXE (1 IoC)
  • Loads dropped DLL (3 IoCs)
  • Installs/modifies Browser Helper Object (2 TTPs, 2 IoCs)

    BHOs are DLL modules which act as plugins for Internet Explorer.

  • Drops file in Program Files directory (10 IoCs)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies Internet Explorer settings (1 TTP, 6 IoCs)
  • Modifies Internet Explorer start page (1 TTP, 1 IoC)
  • Modifies registry class (23 IoCs)
  • Suspicious use of WriteProcessMemory (15 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\20e60ff094fb57ac2b80744aba88c61635f85d109b29fcae776af05a65550bff.exe
    "C:\Users\Admin\AppData\Local\Temp\20e60ff094fb57ac2b80744aba88c61635f85d109b29fcae776af05a65550bff.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in Program Files directory
    • Suspicious use of WriteProcessMemory
    PID:1804
    • C:\Windows\SysWOW64\regsvr32.exe
      "C:\Windows\System32\regsvr32.exe" /s nsutlc.dll
      2⤵
      • Loads dropped DLL
      • Installs/modifies Browser Helper Object
      • Modifies registry class
      PID:1752
    • C:\Program Files (x86)\Common Files\nsutlc.exe
      "C:\Program Files (x86)\Common Files\nsutlc.exe"
      2⤵
      • Executes dropped EXE
      • Drops file in Program Files directory
      • Modifies Internet Explorer settings
      • Modifies Internet Explorer start page
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:964
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\Program Files (x86)\Common Files\cvdbsy.bat""
        3⤵
        PID:2032

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Program Files (x86)\Common Files\cvdbsy.bat
    Filesize: 136B
    MD5: a88848f2c9b62a491dc20accb31b0d76
    SHA1: 450020d5f4dfc0f4e5fd93f09efe32ffcc8e28d5
    SHA256: 26c020a12fa73cf4bc6a9ea59a760b3901cb6fca6626e4fb14862cb459504d65
    SHA512: 80276842743389309ad266774e9d6c394c067f4b6113c2aaa1e5c6f5b5bb1d4b9307596026110f8d5b6aea375b487a2260839839659a37bff08dd57d0a3f86da

  • C:\Program Files (x86)\Common Files\nsutlc.dll
    Filesize: 411KB
    MD5: 52682b1ba2ddd6ac1518b03de4dc7f9e
    SHA1: dec67d7fc12ac0580729912d352a56b97bdab386
    SHA256: 0ea82bb80cadf6c6479be459a25aca694504435c67f22d201603616b7be4cfa0
    SHA512: 1d16b1740171eeb600e5ebe21fcba92862677aded345dd0a6683ef42edfc9b63fc84555e629f9360f4d7ee7a816c738edd9497fb9ba5071bd666630ea4d11aaa

  • C:\Program Files (x86)\Common Files\nsutlc.exe
    Filesize: 143KB
    MD5: bdc21f46b98cd4dc8a6b0f36ad79657e
    SHA1: 32e97cd080d8c70c3846bb899265be0edb966ed4
    SHA256: dcd88bbbf11b1a37a700a01ec85f336e1c6da8f05a07e0a6122c4cf3e1d46917
    SHA512: f5c97d2248177e710a6d2883023d17676b5da179b6a3c1b9f4beadae9d56f0c4560c3830936a7c0ce42d7370d3bb40db553f84a8fc7ee1d32614a574203d44e6

  • \Program Files (x86)\Common Files\nsutlc.dll
    Filesize: 411KB
    MD5: 52682b1ba2ddd6ac1518b03de4dc7f9e
    SHA1: dec67d7fc12ac0580729912d352a56b97bdab386
    SHA256: 0ea82bb80cadf6c6479be459a25aca694504435c67f22d201603616b7be4cfa0
    SHA512: 1d16b1740171eeb600e5ebe21fcba92862677aded345dd0a6683ef42edfc9b63fc84555e629f9360f4d7ee7a816c738edd9497fb9ba5071bd666630ea4d11aaa

  • \Program Files (x86)\Common Files\nsutlc.exe
    Filesize: 143KB
    MD5: bdc21f46b98cd4dc8a6b0f36ad79657e
    SHA1: 32e97cd080d8c70c3846bb899265be0edb966ed4
    SHA256: dcd88bbbf11b1a37a700a01ec85f336e1c6da8f05a07e0a6122c4cf3e1d46917
    SHA512: f5c97d2248177e710a6d2883023d17676b5da179b6a3c1b9f4beadae9d56f0c4560c3830936a7c0ce42d7370d3bb40db553f84a8fc7ee1d32614a574203d44e6

  • memory/1752-63-0x0000000000220000-0x000000000028B000-memory.dmp
    Filesize: 428KB

  • memory/1804-54-0x0000000075F51000-0x0000000075F53000-memory.dmp
    Filesize: 8KB