Overview

overview

8

Static

static

b61ccf17f0...5c.exe

windows7-x64

b61ccf17f0...5c.exe

windows10-2004-x64

Analysis

  • max time kernel
    117s
  • max time network
    143s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    03-10-2022 02:10

Sharing

Copy URL
Twitter E-mail

Errors

Reason
Machine shutdown
Report Analysis Logs

General

  • Target

    b61ccf17f0fc2dc4b8f8aeaca7d3fafa0c413a8bba10a9597253544154471f5c.exe

  • Size

    244KB

  • MD5

    6f5565d772e06695dc6f52f271671a12

  • SHA1

    9fc978b9822cc0350fb6dfc7a9fc5bc152bf2350

  • SHA256

    b61ccf17f0fc2dc4b8f8aeaca7d3fafa0c413a8bba10a9597253544154471f5c

  • SHA512

    5ec78bc18d98ada3e22ef629baab748bfab143672987a7c7b16d468bf8d3ab062126a95df3ac0e6b4ad4f53a71897b74ae856dcc5665cc7e82aad23f5dd8c11f

  • SSDEEP

    3072:nwJIh/jU9dLhz1BZn2BwRJcb02UcJFnGQXcpI0JHuAEKHWNdm:nLCh/Zn2BwRJcbScJFt30hHEK2Ndm

Score
8/10
adwarepersistencestealer

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Sets DLL path for service in the registry 2 TTPs 2 IoCs
    persistence
  • Loads dropped DLL 4 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Installs/modifies Browser Helper Object 2 TTPs 2 IoCs

    BHOs are DLL modules which act as plugins for Internet Explorer.

    stealeradware
  • Drops file in System32 directory 4 IoCs
  • Modifies data under HKEY_USERS 49 IoCs
  • Modifies registry class 22 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b61ccf17f0fc2dc4b8f8aeaca7d3fafa0c413a8bba10a9597253544154471f5c.exe
    "C:\Users\Admin\AppData\Local\Temp\b61ccf17f0fc2dc4b8f8aeaca7d3fafa0c413a8bba10a9597253544154471f5c.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in System32 directory
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:944
    • C:\Users\Admin\AppData\Local\Temp\yfm.exe
      "C:\Users\Admin\AppData\Local\Temp\yfm.exe"
      2⤵
      • Executes dropped EXE
      • Sets DLL path for service in the registry
      • Drops file in System32 directory
      • Modifies registry class
      • Suspicious use of SetWindowsHookEx
      PID:1504
  • C:\Windows\SysWOW64\svchost.exe
    C:\Windows\SysWOW64\svchost.exe -k netsvcs
    1⤵
    • Sets DLL path for service in the registry
    • Loads dropped DLL
    • Adds Run key to start application
    • Installs/modifies Browser Helper Object
    • Drops file in System32 directory
    • Modifies data under HKEY_USERS
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    PID:1312
  • C:\Windows\system32\LogonUI.exe
    "LogonUI.exe" /flags:0x0
    1⤵
      PID:1588
    • C:\Windows\system32\LogonUI.exe
      "LogonUI.exe" /flags:0x1
      1⤵
        PID:432

      Network

      MITRE ATT&CK Enterprise v6

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\yfm.exe
        Filesize

        20KB

        MD5

        b4082e9abd8870e6648299c9d9400fdb

        SHA1

        20f0c4b71af3bc4f7575ec18d55e80b44d87f804

        SHA256

        f3c9fa1648a6bdafaffa121cdd8780aae8e13af3b9c7fad4ebf2998db8e27df7

        SHA512

        ff7fe71f28ec98896fcedcce9d76e4d5a055eac3bdf9db938c913085c351c4cd2612bc61e3ca10d60d93d258697a961da2add6f5d3aff9685a7cf9ac2c43ac8d

        Download Submit

      • C:\Windows\SysWOW64\fsutk.dll
        Filesize

        116KB

        MD5

        d7e31cf0efcfa901edc5ffffad2ae2dd

        SHA1

        d3d0f50f795e703a7cf25cb46544496984bb075a

        SHA256

        0797cf86c6688f86db529bdb23cc959add9e6b92922132fc3eb2d1516bef0959

        SHA512

        932ca49084e94f4f72c4a9c3ffe4b584e8fe9568918a69e0e80ae443b99c3a2aa007415ec5a2ef348cef408f896db0e0988fd537d6438f75475b79a9a430cc1b

        Download Submit

      • \??\c:\$Recycle.bin\int.dat
        Filesize

        220KB

        MD5

        41a1f15a2fdd68b8da022d166db428d4

        SHA1

        96ca59456498ee2ece302f0196ae4641a3ba0a1a

        SHA256

        9e67b46fe1c222f4a1a016395b640cd578da0c5321d83c2acbc8bd8972888405

        SHA512

        7ace3e4c7e7d6c25f7048a8f8500b72e91f27663531c4dbae5df8824d78efee9c1b7b55df92d4cbf98efa3cfae5688dd7b16eee29020dd35cebe59c0dfcdae98

        Download Submit

      • \??\c:\windows\SysWOW64\liprip.dll
        Filesize

        84KB

        MD5

        757654f388fbf71cc3fb59bf59f38f03

        SHA1

        7624e94dbdf32bf2aeb16f715ba5604e3bdd39a0

        SHA256

        bfa38c01611eff9b4a80caa5e70e9f0df519b2aa010de7e9c6a986c37e296e88

        SHA512

        717e9f47e94f80dfc409445b2a596c2c5199669b6d11cb4a7b6dced5d5b65f1cc87bf17f0f6d443ed288844da5bdea938c77680a10a332131fd0f554d8004f95

        Download Submit

      • \Users\Admin\AppData\Local\Temp\yfm.exe
        Filesize

        20KB

        MD5

        b4082e9abd8870e6648299c9d9400fdb

        SHA1

        20f0c4b71af3bc4f7575ec18d55e80b44d87f804

        SHA256

        f3c9fa1648a6bdafaffa121cdd8780aae8e13af3b9c7fad4ebf2998db8e27df7

        SHA512

        ff7fe71f28ec98896fcedcce9d76e4d5a055eac3bdf9db938c913085c351c4cd2612bc61e3ca10d60d93d258697a961da2add6f5d3aff9685a7cf9ac2c43ac8d

        Download Submit

      • \Users\Admin\AppData\Local\Temp\yfm.exe
        Filesize

        20KB

        MD5

        b4082e9abd8870e6648299c9d9400fdb

        SHA1

        20f0c4b71af3bc4f7575ec18d55e80b44d87f804

        SHA256

        f3c9fa1648a6bdafaffa121cdd8780aae8e13af3b9c7fad4ebf2998db8e27df7

        SHA512

        ff7fe71f28ec98896fcedcce9d76e4d5a055eac3bdf9db938c913085c351c4cd2612bc61e3ca10d60d93d258697a961da2add6f5d3aff9685a7cf9ac2c43ac8d

        Download Submit

      • \Windows\SysWOW64\fsutk.dll
        Filesize

        116KB

        MD5

        d7e31cf0efcfa901edc5ffffad2ae2dd

        SHA1

        d3d0f50f795e703a7cf25cb46544496984bb075a

        SHA256

        0797cf86c6688f86db529bdb23cc959add9e6b92922132fc3eb2d1516bef0959

        SHA512

        932ca49084e94f4f72c4a9c3ffe4b584e8fe9568918a69e0e80ae443b99c3a2aa007415ec5a2ef348cef408f896db0e0988fd537d6438f75475b79a9a430cc1b

        Download Submit

      • \Windows\SysWOW64\liprip.dll
        Filesize

        84KB

        MD5

        757654f388fbf71cc3fb59bf59f38f03

        SHA1

        7624e94dbdf32bf2aeb16f715ba5604e3bdd39a0

        SHA256

        bfa38c01611eff9b4a80caa5e70e9f0df519b2aa010de7e9c6a986c37e296e88

        SHA512

        717e9f47e94f80dfc409445b2a596c2c5199669b6d11cb4a7b6dced5d5b65f1cc87bf17f0f6d443ed288844da5bdea938c77680a10a332131fd0f554d8004f95

        Download Submit

      • memory/1312-63-0x0000000000150000-0x0000000000170000-memory.dmp

        Filesize

        128KB

        Download

      • memory/1504-56-0x0000000000000000-mapping.dmp

        Download

      • memory/1588-64-0x000007FEFB741000-0x000007FEFB743000-memory.dmp

        Filesize

        8KB

        Download