Overview

overview

8

Static

static

811b6895d5...4f.exe

windows7-x64

8

811b6895d5...4f.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    114s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    04-10-2022 02:42

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    811b6895d597c39755fff8ae564cbfd728104d98628e6a60548213f59096334f.exe

  • Size

    5.6MB

  • MD5

    5ee93522ebda740a95346da12c72864a

  • SHA1

    a416c6cfc3f4e154a38018dda54d34665add7351

  • SHA256

    811b6895d597c39755fff8ae564cbfd728104d98628e6a60548213f59096334f

  • SHA512

    bbe6d94a0ac28315220c83d28b0356949143c7ac5ad79b44091cf5273159c8d35d27a1308660d23a1339a3afa2d82b153518a4450842fbca6cc4b92a33b96e5a

  • SSDEEP

    98304:WRQe6QEh6d44bfzj05xCjHO2oLQF2l/9GA55MTc3FZAa1MfsipxiIaPtBkOfDYUm:WRl6QEh3yrA5Y7L9F2iWe43jqfs+xOFg

Score
8/10
adwarestealer

Malware Config

Signatures

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 4 IoCs
  • Installs/modifies Browser Helper Object 2 TTPs 6 IoCs

    BHOs are DLL modules which act as plugins for Internet Explorer.

    stealeradware
  • Drops file in Program Files directory 14 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies Internet Explorer settings 1 TTPs 34 IoCs
    adwarespyware
  • Modifies registry class 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\811b6895d597c39755fff8ae564cbfd728104d98628e6a60548213f59096334f.exe
    "C:\Users\Admin\AppData\Local\Temp\811b6895d597c39755fff8ae564cbfd728104d98628e6a60548213f59096334f.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in Program Files directory
    • Suspicious use of WriteProcessMemory
    PID:3000
    • C:\Program Files (x86)\xigua\xigua.exe
      "C:\Program Files (x86)\xigua\xigua.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in Program Files directory
      PID:4696
    • C:\Program Files (x86)\xigua\xiguaupdate.exe
      "C:\Program Files (x86)\xigua\xiguaupdate.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Installs/modifies Browser Helper Object
      • Drops file in Program Files directory
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4920
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe" http://123.a101.cc/u.php?id=89
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1256
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1256 CREDAT:17410 /prefetch:2
          4⤵
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:4100

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Program Files (x86)\xigua\xigua.exe
    Filesize

    4.1MB

    MD5

    88861c217f7b46f94e54691cb5ca2fa6

    SHA1

    e87394d425bd0727afe6e8809b14872549621ae3

    SHA256

    5b321000274d438aefad568ee5a3f4ba8570e64c3cfdeef684513276ad26fdbd

    SHA512

    b93375f1d50d77f8793d5e679372ae870463243f032f860004f56f4c6911ab46705ff269631917e4c08d9210892867592ec8505403058f567d49cdef33b97a53

    Download Submit

  • C:\Program Files (x86)\xigua\xigua.exe
    Filesize

    4.1MB

    MD5

    88861c217f7b46f94e54691cb5ca2fa6

    SHA1

    e87394d425bd0727afe6e8809b14872549621ae3

    SHA256

    5b321000274d438aefad568ee5a3f4ba8570e64c3cfdeef684513276ad26fdbd

    SHA512

    b93375f1d50d77f8793d5e679372ae870463243f032f860004f56f4c6911ab46705ff269631917e4c08d9210892867592ec8505403058f567d49cdef33b97a53

    Download Submit

  • C:\Program Files (x86)\xigua\xiguaupdate.exe
    Filesize

    352KB

    MD5

    a7f2c7f3db397bafcdc6f8403a992823

    SHA1

    9c16eefb8ded7599b2c5065dee7e5da8c993531b

    SHA256

    78ac7e26ab62a16a53a350524a6eb52396dce7d63efd14c2a0fe916e11d8fe30

    SHA512

    024f0842aa10297c4afc9271eb88e180dc4656f1c0408fce0436bc0f1faf09130286be64cddc56a52390963f6ee699f4245ef29a281166afe9a61500342d0799

    Download Submit

  • C:\Program Files (x86)\xigua\xiguaupdate.exe
    Filesize

    352KB

    MD5

    a7f2c7f3db397bafcdc6f8403a992823

    SHA1

    9c16eefb8ded7599b2c5065dee7e5da8c993531b

    SHA256

    78ac7e26ab62a16a53a350524a6eb52396dce7d63efd14c2a0fe916e11d8fe30

    SHA512

    024f0842aa10297c4afc9271eb88e180dc4656f1c0408fce0436bc0f1faf09130286be64cddc56a52390963f6ee699f4245ef29a281166afe9a61500342d0799

    Download Submit

  • C:\ProgramData\tools\daohang.ico
    Filesize

    14KB

    MD5

    2b80eb58904a9c76c146128c8039534c

    SHA1

    3c34b4c4ee5036ebef3d411c9c16dcb6127718e1

    SHA256

    916fddaa8b1b8418b166668dd1d944c654e1d475b795d2dfb1a863d757f88616

    SHA512

    af18c547228f491e14b25c7a5d3e6e6496cbce6d1128e271028af83f82683c3e8bab8bd475d01c464a8b6524e123f38e2c97b7feb623f839284a3a9ebca5ad3d

    Download Submit

  • C:\ProgramData\tools\ie8.ico
    Filesize

    17KB

    MD5

    c3e81d293ff596acd5596573c5bc0d92

    SHA1

    24f7eb541cf59abea6352b53a0b26392f9956017

    SHA256

    56a625bd2b7aee97368e92154c25da550dad3067b4c2f7f934cba21f40fa5f96

    SHA512

    e9b150e46493825ffa9aae71fe98579fc04e517398cb97bb473c98544b49022a0851928c95c9f2114bf40b6e113165b5bae5184a08fb18850550ee0af7515ea6

    Download Submit

  • C:\ProgramData\tools\sougou_search.ico
    Filesize

    17KB

    MD5

    d9f97bbefebd7f6680a5cd7e428e7c6e

    SHA1

    b8f27fd1cecd21a0d893cd6c4d2900fcf5e657a9

    SHA256

    bb445582d1ea6728c3ef6836d0523b3d36b36f3ebc1206cdfcde1ef92493f506

    SHA512

    5808b085bdb028dae82434b255a0b1da3391409942899ecd4a7a01734e617f5e11a28d56e01d82aace80e5e37f395f43113cc8e96b532726388818f3c41d7f5d

    Download Submit

  • C:\ProgramData\tools\taobao.ico
    Filesize

    17KB

    MD5

    530ea7b66b1ada5f28cc390d95c124be

    SHA1

    48f3e4bf67fff6958c27632d08c93b3e384a7406

    SHA256

    42a6eda959bcdf843ab794cfd26755baaacccd53482a3e5773155516c2d1b585

    SHA512

    155915195f006a3a971b7b923e858558238f821b5b990a28d6daa1decf57ed4ae0dd06ba80dbc37cac1b693cdfcd5b99a03fb9fa892dfd30b07bb1de112a3f78

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
    Filesize

    471B

    MD5

    046bedf3b97e782edc5343dc24a1c485

    SHA1

    ebad04906d01fdb00719463e729f201a043433ae

    SHA256

    4bb13178dccf62921053ef1b62f9bdb994dfd0520741873a60ac2c1484df78ca

    SHA512

    18203014488892166d7c331f8239c1c030fd9831b8040d51b3fdf3d887f867380ff639ccac26e8751b7b13d1dc83e2931f96019783695e7a93c4348046c9fabf

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
    Filesize

    404B

    MD5

    a20c2059e79cebcc3e1d89c897d64004

    SHA1

    78e473a7050f93c5429c87113465e983b66eac3b

    SHA256

    8458b62cd1dfed984ee03ce5efe66f96ce5fa3297dce4f8fa71e38a5dd1202cb

    SHA512

    34377d69aea01b4c18765dd0b3a23bf2f99e47429335cbaeff9594148cb6620abcfd011b5b2283e79c9369b47370e5443b7d6f6193314764c69e544d68ed5462

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\nsb7E4F.tmp\System.dll
    Filesize

    11KB

    MD5

    bf712f32249029466fa86756f5546950

    SHA1

    75ac4dc4808ac148ddd78f6b89a51afbd4091c2e

    SHA256

    7851cb12fa4131f1fee5de390d650ef65cac561279f1cfe70ad16cc9780210af

    SHA512

    13f69959b28416e0b8811c962a49309dca3f048a165457051a28a3eb51377dcaf99a15e86d7eee8f867a9e25ecf8c44da370ac8f530eeae7b5252eaba64b96f4

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\nsmCBA4.tmp\System.dll
    Filesize

    11KB

    MD5

    bf712f32249029466fa86756f5546950

    SHA1

    75ac4dc4808ac148ddd78f6b89a51afbd4091c2e

    SHA256

    7851cb12fa4131f1fee5de390d650ef65cac561279f1cfe70ad16cc9780210af

    SHA512

    13f69959b28416e0b8811c962a49309dca3f048a165457051a28a3eb51377dcaf99a15e86d7eee8f867a9e25ecf8c44da370ac8f530eeae7b5252eaba64b96f4

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\nsmCBA4.tmp\nsTools.dll
    Filesize

    260KB

    MD5

    6ae9eaa868bcb42ae79bf9701b18e7ec

    SHA1

    80bd26a403aaee21fc2b9af0d5585a768ea3acd0

    SHA256

    d4fb435c03841d4911cba57bd01212156d4a0ab4554e5a25b3604e43b3622fb5

    SHA512

    06c60bb27b39064c237e52d3ccea2371953fc454321eab2046ffcb5cc9771206accb0124fdf1726d5cf821906ee05e03dc7ae9ca2534f6543e585382a9c0a688

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\nsw7351.tmp\System.dll
    Filesize

    11KB

    MD5

    bf712f32249029466fa86756f5546950

    SHA1

    75ac4dc4808ac148ddd78f6b89a51afbd4091c2e

    SHA256

    7851cb12fa4131f1fee5de390d650ef65cac561279f1cfe70ad16cc9780210af

    SHA512

    13f69959b28416e0b8811c962a49309dca3f048a165457051a28a3eb51377dcaf99a15e86d7eee8f867a9e25ecf8c44da370ac8f530eeae7b5252eaba64b96f4

    Download Submit

  • memory/4696-133-0x0000000000000000-mapping.dmp

    Download

  • memory/4920-137-0x0000000000000000-mapping.dmp

    Download