Overview

overview

8

Static

static

a59f305754...b0.exe

windows7-x64

8

a59f305754...b0.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    60s
  • max time network
    47s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    07-11-2022 11:17

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    a59f30575426a07fb1f5c019f36974d3079db55f5099e25328277d94df7acab0.exe

  • Size

    329KB

  • MD5

    0ef82fe8d967a62f5b70ddf2d709ca90

  • SHA1

    6ac5337b2c4fae4299c95e3173d16273e6faf11a

  • SHA256

    a59f30575426a07fb1f5c019f36974d3079db55f5099e25328277d94df7acab0

  • SHA512

    774a4aed635dfc4fbaf5c1b26baea1dbe5b59b16bdf561ee3c4d1675f6e16b45fd5c506262ffb052a00003c15ded93ff9b3e1f662dd977ab474835a21265ef04

  • SSDEEP

    6144:xqpxvlACym6wGGWFGDwZyoJ3fzBeM6SpktqHQI6mVk8cL3/CzYjsHh:xqjvlA06wLBHAf9eMvHwmVkhL36zYwHh

Score
8/10
adwarediscoveryexploitpersistencestealer

Malware Config

Signatures

  • Drops file in Drivers directory 1 IoCs
  • Possible privilege escalation attempt 4 IoCs
    exploit
  • Sets service image path in registry 2 TTPs 1 IoCs
    persistence
  • Deletes itself 1 IoCs
  • Modifies file permissions 1 TTPs 4 IoCs
    discovery
  • Installs/modifies Browser Helper Object 2 TTPs 4 IoCs

    BHOs are DLL modules which act as plugins for Internet Explorer.

    stealeradware
  • Maps connected drives based on registry 3 TTPs 3 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Drops file in System32 directory 4 IoCs
  • Modifies registry class 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: LoadsDriver 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a59f30575426a07fb1f5c019f36974d3079db55f5099e25328277d94df7acab0.exe
    "C:\Users\Admin\AppData\Local\Temp\a59f30575426a07fb1f5c019f36974d3079db55f5099e25328277d94df7acab0.exe"
    1⤵
    • Drops file in Drivers directory
    • Sets service image path in registry
    • Installs/modifies Browser Helper Object
    • Maps connected drives based on registry
    • Drops file in System32 directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: LoadsDriver
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1964
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c takeown /f C:\Windows\SysWOW64\wshtcpip.dll && icacls C:\Windows\SysWOW64\wshtcpip.dll /grant administrators:F
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1544
      • C:\Windows\SysWOW64\takeown.exe
        takeown /f C:\Windows\SysWOW64\wshtcpip.dll
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        • Suspicious use of AdjustPrivilegeToken
        PID:1536
      • C:\Windows\SysWOW64\icacls.exe
        icacls C:\Windows\SysWOW64\wshtcpip.dll /grant administrators:F
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        PID:1528
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c takeown /f C:\Windows\SysWOW64\midimap.dll && icacls C:\Windows\SysWOW64\midimap.dll /grant administrators:F
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:432
      • C:\Windows\SysWOW64\takeown.exe
        takeown /f C:\Windows\SysWOW64\midimap.dll
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        • Suspicious use of AdjustPrivilegeToken
        PID:1344
      • C:\Windows\SysWOW64\icacls.exe
        icacls C:\Windows\SysWOW64\midimap.dll /grant administrators:F
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        PID:940
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c C:\Users\Admin\AppData\Local\Temp\ahnmove.bat
      2⤵
      • Deletes itself
      PID:1008

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1
T1060

Browser Extensions

1
T1176

Privilege Escalation

Defense Evasion

Modify Registry

2
T1112

File Permissions Modification

1
T1222

Credential Access

Discovery

Query Registry

1
T1012

Peripheral Device Discovery

1
T1120

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\ahnmove.bat
    Filesize

    181B

    MD5

    436b57917ff009c9c375d8a009439824

    SHA1

    131bfda4cc299ce06e355491bfbfe656885d8b1b

    SHA256

    921219d3247c7a126e552c4a64f2b5b88df97d6fb74719898c3f3ca4993da9db

    SHA512

    fde79a02d6903e98cb09d7ab1b66ab6768cbf96e161d20d4034942a6b32943a2e19356f752ba9324f2a3ea06d3735f3ccd002b4f4fca1e6e232daf6478ca41ec

    Download Submit
  • memory/432-62-0x0000000000000000-mapping.dmp
    Download
  • memory/940-64-0x0000000000000000-mapping.dmp
    Download
  • memory/1008-65-0x0000000000000000-mapping.dmp
    Download
  • memory/1344-63-0x0000000000000000-mapping.dmp
    Download
  • memory/1528-61-0x0000000000000000-mapping.dmp
    Download
  • memory/1536-60-0x0000000000000000-mapping.dmp
    Download
  • memory/1544-59-0x0000000000000000-mapping.dmp
    Download
  • memory/1964-54-0x0000000076411000-0x0000000076413000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1964-57-0x0000000001000000-0x0000000001168000-memory.dmp
    Filesize

    1.4MB

    Download
  • memory/1964-58-0x0000000000220000-0x0000000000240000-memory.dmp
    Filesize

    128KB

    Download
  • memory/1964-56-0x0000000000220000-0x0000000000240000-memory.dmp
    Filesize

    128KB

    Download
  • memory/1964-66-0x0000000001000000-0x0000000001168000-memory.dmp
    Filesize

    1.4MB

    Download
  • memory/1964-55-0x0000000001000000-0x0000000001168000-memory.dmp
    Filesize

    1.4MB

    Download