Overview

overview

8

Static

static

5e0534239f...fb.exe

windows7-x64

8

5e0534239f...fb.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    91s
  • max time network
    128s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220901-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
  • submitted
    06-11-2022 08:46

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    5e0534239f04a03e7a86a9230c77753ac3a87c1b5f36eb82faa8cf55846f0cfb.exe

  • Size

    329KB

  • MD5

    0a3d897064bc8e8f8ead808689a7ef80

  • SHA1

    6532f8bfe1d1fbcabbc146d5f84d64dd68301c94

  • SHA256

    5e0534239f04a03e7a86a9230c77753ac3a87c1b5f36eb82faa8cf55846f0cfb

  • SHA512

    434fc32a74537205cd6de0aeaf82678e9dcc137dec87fa320386bd4d84d76576ee9c0d8526b3fc560aaea91990b02d1e97b1c8160250c6c7badbf5fdd716748b

  • SSDEEP

    6144:YqpxvlACym6wGGWFGDwZyoJ3fzBeM6SpktqHQI6mVk8cL3/CzYjsHh:YqjvlA06wLBHAf9eMvHwmVkhL36zYwHh

Score
8/10
adwarediscoveryexploitpersistencestealer

Malware Config

Signatures

  • Drops file in Drivers directory 1 IoCs
  • Possible privilege escalation attempt 4 IoCs
    exploit
  • Sets service image path in registry 2 TTPs 1 IoCs
    persistence
  • Modifies file permissions 1 TTPs 4 IoCs
    discovery
  • Installs/modifies Browser Helper Object 2 TTPs 3 IoCs

    BHOs are DLL modules which act as plugins for Internet Explorer.

    stealeradware
  • Maps connected drives based on registry 3 TTPs 3 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Drops file in System32 directory 4 IoCs
  • Modifies registry class 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: LoadsDriver 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\5e0534239f04a03e7a86a9230c77753ac3a87c1b5f36eb82faa8cf55846f0cfb.exe
    "C:\Users\Admin\AppData\Local\Temp\5e0534239f04a03e7a86a9230c77753ac3a87c1b5f36eb82faa8cf55846f0cfb.exe"
    1⤵
    • Drops file in Drivers directory
    • Sets service image path in registry
    • Installs/modifies Browser Helper Object
    • Maps connected drives based on registry
    • Drops file in System32 directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: LoadsDriver
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4988
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c takeown /f C:\Windows\SysWOW64\wshtcpip.dll && icacls C:\Windows\SysWOW64\wshtcpip.dll /grant administrators:F
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3124
      • C:\Windows\SysWOW64\takeown.exe
        takeown /f C:\Windows\SysWOW64\wshtcpip.dll
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        • Suspicious use of AdjustPrivilegeToken
        PID:4932
      • C:\Windows\SysWOW64\icacls.exe
        icacls C:\Windows\SysWOW64\wshtcpip.dll /grant administrators:F
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        PID:4648
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c takeown /f C:\Windows\SysWOW64\midimap.dll && icacls C:\Windows\SysWOW64\midimap.dll /grant administrators:F
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4584
      • C:\Windows\SysWOW64\takeown.exe
        takeown /f C:\Windows\SysWOW64\midimap.dll
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        • Suspicious use of AdjustPrivilegeToken
        PID:3016
      • C:\Windows\SysWOW64\icacls.exe
        icacls C:\Windows\SysWOW64\midimap.dll /grant administrators:F
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        PID:1060
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ahnmove.bat
      2⤵
        PID:2140

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Registry Run Keys / Startup Folder

    1
    T1060

    Browser Extensions

    1
    T1176

    Privilege Escalation

    Defense Evasion

    Modify Registry

    2
    T1112

    File Permissions Modification

    1
    T1222

    Credential Access

    Discovery

    Query Registry

    1
    T1012

    Peripheral Device Discovery

    1
    T1120

    System Information Discovery

    1
    T1082

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\ahnmove.bat
      Filesize

      181B

      MD5

      69dc86098b55f2d298250d14088f017f

      SHA1

      e945938c90cedaa580b85306666f96d9211a316d

      SHA256

      ece1a44f77f1ea604929c6a7ca120341114447342784090ce7e62cc4ce121c44

      SHA512

      254baab5f6e4849de7608c987630aa1339c4ab65d211e816b7d44e0c9bc2d58541a0d49380174f36d7c79d940049a5e4f2769d1d9d85b20934ef870c21ebd779

      Download Submit
    • memory/1060-141-0x0000000000000000-mapping.dmp
      Download
    • memory/2140-142-0x0000000000000000-mapping.dmp
      Download
    • memory/3016-140-0x0000000000000000-mapping.dmp
      Download
    • memory/3124-136-0x0000000000000000-mapping.dmp
      Download
    • memory/4584-139-0x0000000000000000-mapping.dmp
      Download
    • memory/4648-138-0x0000000000000000-mapping.dmp
      Download
    • memory/4932-137-0x0000000000000000-mapping.dmp
      Download
    • memory/4988-132-0x0000000001000000-0x0000000001168000-memory.dmp
      Filesize

      1.4MB

      Download
    • memory/4988-135-0x0000000000650000-0x0000000000670000-memory.dmp
      Filesize

      128KB

      Download
    • memory/4988-134-0x0000000001000000-0x0000000001168000-memory.dmp
      Filesize

      1.4MB

      Download
    • memory/4988-143-0x0000000001000000-0x0000000001168000-memory.dmp
      Filesize

      1.4MB

      Download
    • memory/4988-133-0x0000000000650000-0x0000000000670000-memory.dmp
      Filesize

      128KB

      Download