Overview

overview

8

Static

static

52226fd06e...28.exe

windows7-x64

8

52226fd06e...28.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    197s
  • max time network
    210s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    11/10/2022, 15:39

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    52226fd06e7703664829e22beee7fc0b7c3f51f8e5baaf066a6c22e80202d028.exe

  • Size

    2.1MB

  • MD5

    4f03e2f125ce3bf82000b709ca6cce01

  • SHA1

    8c0ab6247f127a6232745bd0432a4bedf070612c

  • SHA256

    52226fd06e7703664829e22beee7fc0b7c3f51f8e5baaf066a6c22e80202d028

  • SHA512

    7472a8157823f72efec5d205557b0ccd1d1e607af3cb745ff1865517cd82b705f64d8631fb184736f43d660fbdc3547ba20334ffee55012e192e85939f88841e

  • SSDEEP

    6144:6YHNNS4aXOxFYuDi8XSW2Uuk7UURyBAumEGWSYkCBStouz4FMxQyg:fnryO8w1wyAURyBLwWfkkzUS1yg

Score
8/10
adwarediscoverypersistencespywarestealer

Malware Config

Signatures

  • Adds policy Run key to start application 2 TTPs 2 IoCs
    persistence
  • Executes dropped EXE 5 IoCs
  • Modifies Installed Components in the registry 2 TTPs 8 IoCs
    persistence
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Installs/modifies Browser Helper Object 2 TTPs 3 IoCs

    BHOs are DLL modules which act as plugins for Internet Explorer.

    stealeradware
  • Drops file in System32 directory 14 IoCs
  • Program crash 3 IoCs
  • Modifies registry class 9 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 48 IoCs
  • Suspicious use of WriteProcessMemory 30 IoCs
  • Views/modifies file attributes 1 TTPs 4 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\52226fd06e7703664829e22beee7fc0b7c3f51f8e5baaf066a6c22e80202d028.exe
    "C:\Users\Admin\AppData\Local\Temp\52226fd06e7703664829e22beee7fc0b7c3f51f8e5baaf066a6c22e80202d028.exe"
    1⤵
    • Adds policy Run key to start application
    • Modifies Installed Components in the registry
    • Adds Run key to start application
    • Installs/modifies Browser Helper Object
    • Drops file in System32 directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4812
    • C:\Users\Admin\AppData\Local\Temp\raspptpdsp.exe
      "C:\Users\Admin\AppData\Local\Temp\raspptpdsp.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2852
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\612B.tmp.cmd "C:\Users\Admin\AppData\Local\Temp\RASPPT~1.EXE""
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:820
        • C:\Users\Admin\AppData\Local\Temp\smss.exe
          "C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
          4⤵
          • Executes dropped EXE
          PID:1744
        • C:\Windows\SysWOW64\attrib.exe
          attrib -s -h "C:\Users\Admin\AppData\Local\Temp\RASPPT~1.EXE"
          4⤵
          • Views/modifies file attributes
          PID:4380
        • C:\Users\Admin\AppData\Local\Temp\smss.exe
          "C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
          4⤵
          • Executes dropped EXE
          PID:1824
        • C:\Windows\SysWOW64\attrib.exe
          attrib -s -h "C:\Users\Admin\AppData\Local\Temp\RASPPT~1.EXE"
          4⤵
          • Views/modifies file attributes
          PID:2984
        • C:\Users\Admin\AppData\Local\Temp\smss.exe
          "C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
          4⤵
          • Executes dropped EXE
          PID:4884
        • C:\Windows\SysWOW64\attrib.exe
          attrib -s -h "C:\Users\Admin\AppData\Local\Temp\RASPPT~1.EXE"
          4⤵
          • Views/modifies file attributes
          PID:4604
        • C:\Users\Admin\AppData\Local\Temp\smss.exe
          "C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
          4⤵
          • Executes dropped EXE
          PID:4996
        • C:\Windows\SysWOW64\attrib.exe
          attrib -s -h "C:\Users\Admin\AppData\Local\Temp\RASPPT~1.EXE"
          4⤵
          • Views/modifies file attributes
          PID:4092
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 2852 -s 928
        3⤵
        • Program crash
        PID:4136
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 2852 -s 924
        3⤵
        • Program crash
        PID:4264
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 2852 -s 932
        3⤵
        • Program crash
        PID:4212
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 2852 -ip 2852
    1⤵
      PID:3504
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 2852 -ip 2852
      1⤵
        PID:3248
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 2852 -ip 2852
        1⤵
          PID:4940

        Network

        MITRE ATT&CK Enterprise v6

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\612B.tmp.cmd
          Filesize

          168B

          MD5

          e7efc2c945a798b4dab3fe50f1524592

          SHA1

          0bb937ccd89e40c91c0e58b376873ef909fe805b

          SHA256

          624acac79fdcfe30592f5321b4ab73d360f393dbcdbe8daa50fcce63c710f5dc

          SHA512

          e75840979404587aa15fd4d1e46707c33e32dca086ca72c7666045e14191e29857d06dc8ba737e69925c71b2e2d6a5ee3b63c36ecd2f32ae515f85a985d8f257

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\raspptpdsp.exe
          Filesize

          400KB

          MD5

          35c6928790ce08309af997654ed6d719

          SHA1

          a81b58b2171c6a728039dc493faaf2cab7d146a5

          SHA256

          7d9296ac474b991780b41f654b557e01ba93ae932ba717146e60c1b9ed579539

          SHA512

          3ae694a67d3a0f44729d54077e7c7259f608db258622fafa735e28ee9e73a0fb0e387e5cc923130cf6a15412050ace57fa9d4f7278c6df5cc7c4287efc79e752

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\raspptpdsp.exe
          Filesize

          400KB

          MD5

          35c6928790ce08309af997654ed6d719

          SHA1

          a81b58b2171c6a728039dc493faaf2cab7d146a5

          SHA256

          7d9296ac474b991780b41f654b557e01ba93ae932ba717146e60c1b9ed579539

          SHA512

          3ae694a67d3a0f44729d54077e7c7259f608db258622fafa735e28ee9e73a0fb0e387e5cc923130cf6a15412050ace57fa9d4f7278c6df5cc7c4287efc79e752

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\smss.exe
          Filesize

          18KB

          MD5

          b3624dd758ccecf93a1226cef252ca12

          SHA1

          fcf4dad8c4ad101504b1bf47cbbddbac36b558a7

          SHA256

          4aaa74f294c15aeb37ada8185d0dead58bd87276a01a814abc0c4b40545bf2ef

          SHA512

          c613d18511b00fa25fc7b1bdde10d96debb42a99b5aaab9e9826538d0e229085bb371f0197f6b1086c4f9c605f01e71287ffc5442f701a95d67c232a5f031838

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\smss.exe
          Filesize

          18KB

          MD5

          b3624dd758ccecf93a1226cef252ca12

          SHA1

          fcf4dad8c4ad101504b1bf47cbbddbac36b558a7

          SHA256

          4aaa74f294c15aeb37ada8185d0dead58bd87276a01a814abc0c4b40545bf2ef

          SHA512

          c613d18511b00fa25fc7b1bdde10d96debb42a99b5aaab9e9826538d0e229085bb371f0197f6b1086c4f9c605f01e71287ffc5442f701a95d67c232a5f031838

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\smss.exe
          Filesize

          18KB

          MD5

          b3624dd758ccecf93a1226cef252ca12

          SHA1

          fcf4dad8c4ad101504b1bf47cbbddbac36b558a7

          SHA256

          4aaa74f294c15aeb37ada8185d0dead58bd87276a01a814abc0c4b40545bf2ef

          SHA512

          c613d18511b00fa25fc7b1bdde10d96debb42a99b5aaab9e9826538d0e229085bb371f0197f6b1086c4f9c605f01e71287ffc5442f701a95d67c232a5f031838

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\smss.exe
          Filesize

          18KB

          MD5

          b3624dd758ccecf93a1226cef252ca12

          SHA1

          fcf4dad8c4ad101504b1bf47cbbddbac36b558a7

          SHA256

          4aaa74f294c15aeb37ada8185d0dead58bd87276a01a814abc0c4b40545bf2ef

          SHA512

          c613d18511b00fa25fc7b1bdde10d96debb42a99b5aaab9e9826538d0e229085bb371f0197f6b1086c4f9c605f01e71287ffc5442f701a95d67c232a5f031838

          Download Submit

        • memory/2852-137-0x0000000000400000-0x00000000022AB000-memory.dmp

          Filesize

          30.7MB

          Download

        • memory/2852-139-0x0000000000400000-0x00000000022AB000-memory.dmp

          Filesize

          30.7MB

          Download

        • memory/2852-138-0x0000000000400000-0x00000000022AB000-memory.dmp

          Filesize

          30.7MB

          Download

        • memory/2852-136-0x0000000008780000-0x00000000087AA000-memory.dmp

          Filesize

          168KB

          Download

        • memory/2852-150-0x0000000000400000-0x000000000042A000-memory.dmp

          Filesize

          168KB

          Download

        • memory/2852-135-0x0000000000400000-0x00000000022AB000-memory.dmp

          Filesize

          30.7MB

          Download