Overview

overview

8

Static

static

1ab54f3cd4...47.exe

windows7-x64

8

1ab54f3cd4...47.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    123s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    02/10/2022, 14:06

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    1ab54f3cd48811d094bc29ec585246391a72269ffe3233fc5ef627339010ca47.exe

  • Size

    280KB

  • MD5

    6f22bd431352758b700e8d731d47ee50

  • SHA1

    8231cc14f11c44bf140633f3b3fff5f6a2f99c69

  • SHA256

    1ab54f3cd48811d094bc29ec585246391a72269ffe3233fc5ef627339010ca47

  • SHA512

    937d71aa45c9be2f9e08e0bd993290291f6a5edcaf7870ce03f6a8aa82fde8efd58a858713086dacaf0d2fd30321b87e5aad71a1b981f2b8cee5d2b5678eb557

  • SSDEEP

    6144:SOh624SQWq7boy1WY1kmlpNRovV6UlSi1TqFo:SSQWq7boy0bcp3ov9F2

Score
8/10
adwarepersistencestealerupx

Malware Config

Signatures

  • Drops file in Drivers directory 2 IoCs
  • Sets service image path in registry 2 TTPs 2 IoCs
    persistence
  • UPX packed file 2 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Loads dropped DLL 1 IoCs
  • Installs/modifies Browser Helper Object 2 TTPs 5 IoCs

    BHOs are DLL modules which act as plugins for Internet Explorer.

    stealeradware
  • Maps connected drives based on registry 3 TTPs 3 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Drops file in System32 directory 6 IoCs
  • Modifies registry class 46 IoCs
  • Suspicious behavior: EnumeratesProcesses 56 IoCs
  • Suspicious behavior: LoadsDriver 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1ab54f3cd48811d094bc29ec585246391a72269ffe3233fc5ef627339010ca47.exe
    "C:\Users\Admin\AppData\Local\Temp\1ab54f3cd48811d094bc29ec585246391a72269ffe3233fc5ef627339010ca47.exe"
    1⤵
    • Drops file in Drivers directory
    • Sets service image path in registry
    • Installs/modifies Browser Helper Object
    • Maps connected drives based on registry
    • Drops file in System32 directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: LoadsDriver
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:5048
    • C:\Windows\SysWOW64\regsvr32.exe
      C:\Windows\system32\regsvr32.exe /s /c C:\Windows\system32\kakubi.dll
      2⤵
      • Loads dropped DLL
      • Installs/modifies Browser Helper Object
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      PID:796
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\Coor.bat
      2⤵
        PID:632

    Network

          MITRE ATT&CK Enterprise v6

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Local\Temp\Coor.bat
            Filesize

            178B

            MD5

            d981c09bd462c3702c148f7025c5eb76

            SHA1

            38922125bded1e703bf9a5a82624a6d4695123fd

            SHA256

            9cad85aa5f4083f5099dec79a254ce2b7bf76fe9f7dcb32648f1e84c3fd94d85

            SHA512

            b628cd76dd053a2d84ef847386544e997a8ffb710619ba34a003df6c21d742e2fcd98de7177590142a66ef8833d444bdbf2094545ba653a4c4f4a76f50b784c7

            Download Submit

          • C:\Windows\SysWOW64\kakubi.dll
            Filesize

            232KB

            MD5

            903fc91cdacbb35e555d42c7f3bb27d5

            SHA1

            c55ee62d57056877be53c9cfc677ca3816e41335

            SHA256

            37540213b974a987277ee5e8729ee2c0279223973cf2edb5074634287955777f

            SHA512

            a55650761ac5a9bca50083527fa16feddb0200417d641ff033e7f0f507a4d91ede1d168dd4ea08ce3e502ab36d0a60c37b6b936a2a7e7bc9c3ef012d549fad32

            Download Submit

          • C:\Windows\SysWOW64\kakubi.dll
            Filesize

            232KB

            MD5

            903fc91cdacbb35e555d42c7f3bb27d5

            SHA1

            c55ee62d57056877be53c9cfc677ca3816e41335

            SHA256

            37540213b974a987277ee5e8729ee2c0279223973cf2edb5074634287955777f

            SHA512

            a55650761ac5a9bca50083527fa16feddb0200417d641ff033e7f0f507a4d91ede1d168dd4ea08ce3e502ab36d0a60c37b6b936a2a7e7bc9c3ef012d549fad32

            Download Submit

          • memory/796-140-0x0000000010000000-0x000000001004A000-memory.dmp

            Filesize

            296KB

            Download

          • memory/5048-135-0x0000000000470000-0x0000000000480000-memory.dmp

            Filesize

            64KB

            Download

          • memory/5048-137-0x0000000001000000-0x0000000001129000-memory.dmp

            Filesize

            1.2MB

            Download

          • memory/5048-132-0x0000000001000000-0x0000000001129000-memory.dmp

            Filesize

            1.2MB

            Download

          • memory/5048-141-0x0000000000470000-0x0000000000480000-memory.dmp

            Filesize

            64KB

            Download

          • memory/5048-134-0x0000000000C30000-0x0000000000CB0000-memory.dmp

            Filesize

            512KB

            Download

          • memory/5048-143-0x0000000001000000-0x0000000001129000-memory.dmp

            Filesize

            1.2MB

            Download

          • memory/5048-133-0x0000000000C30000-0x0000000000CB0000-memory.dmp

            Filesize

            512KB

            Download