Overview

overview

8

Static

static

a59f305754...b0.exe

windows7-x64

8

a59f305754...b0.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    70s
  • max time network
    133s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220901-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
  • submitted
    07-11-2022 11:17

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    a59f30575426a07fb1f5c019f36974d3079db55f5099e25328277d94df7acab0.exe

  • Size

    329KB

  • MD5

    0ef82fe8d967a62f5b70ddf2d709ca90

  • SHA1

    6ac5337b2c4fae4299c95e3173d16273e6faf11a

  • SHA256

    a59f30575426a07fb1f5c019f36974d3079db55f5099e25328277d94df7acab0

  • SHA512

    774a4aed635dfc4fbaf5c1b26baea1dbe5b59b16bdf561ee3c4d1675f6e16b45fd5c506262ffb052a00003c15ded93ff9b3e1f662dd977ab474835a21265ef04

  • SSDEEP

    6144:xqpxvlACym6wGGWFGDwZyoJ3fzBeM6SpktqHQI6mVk8cL3/CzYjsHh:xqjvlA06wLBHAf9eMvHwmVkhL36zYwHh

Score
8/10
adwarediscoveryexploitpersistencestealer

Malware Config

Signatures

  • Drops file in Drivers directory 1 IoCs
  • Possible privilege escalation attempt 4 IoCs
    exploit
  • Sets service image path in registry 2 TTPs 1 IoCs
    persistence
  • Modifies file permissions 1 TTPs 4 IoCs
    discovery
  • Installs/modifies Browser Helper Object 2 TTPs 3 IoCs

    BHOs are DLL modules which act as plugins for Internet Explorer.

    stealeradware
  • Maps connected drives based on registry 3 TTPs 3 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Drops file in System32 directory 4 IoCs
  • Modifies registry class 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: LoadsDriver 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a59f30575426a07fb1f5c019f36974d3079db55f5099e25328277d94df7acab0.exe
    "C:\Users\Admin\AppData\Local\Temp\a59f30575426a07fb1f5c019f36974d3079db55f5099e25328277d94df7acab0.exe"
    1⤵
    • Drops file in Drivers directory
    • Sets service image path in registry
    • Installs/modifies Browser Helper Object
    • Maps connected drives based on registry
    • Drops file in System32 directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: LoadsDriver
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1972
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c takeown /f C:\Windows\SysWOW64\wshtcpip.dll && icacls C:\Windows\SysWOW64\wshtcpip.dll /grant administrators:F
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3380
      • C:\Windows\SysWOW64\takeown.exe
        takeown /f C:\Windows\SysWOW64\wshtcpip.dll
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        • Suspicious use of AdjustPrivilegeToken
        PID:3632
      • C:\Windows\SysWOW64\icacls.exe
        icacls C:\Windows\SysWOW64\wshtcpip.dll /grant administrators:F
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        PID:2704
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c takeown /f C:\Windows\SysWOW64\midimap.dll && icacls C:\Windows\SysWOW64\midimap.dll /grant administrators:F
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:832
      • C:\Windows\SysWOW64\takeown.exe
        takeown /f C:\Windows\SysWOW64\midimap.dll
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        • Suspicious use of AdjustPrivilegeToken
        PID:3452
      • C:\Windows\SysWOW64\icacls.exe
        icacls C:\Windows\SysWOW64\midimap.dll /grant administrators:F
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        PID:3916
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ahnmove.bat
      2⤵
        PID:3720

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Registry Run Keys / Startup Folder

    1
    T1060

    Browser Extensions

    1
    T1176

    Privilege Escalation

    Defense Evasion

    Modify Registry

    2
    T1112

    File Permissions Modification

    1
    T1222

    Credential Access

    Discovery

    Query Registry

    1
    T1012

    Peripheral Device Discovery

    1
    T1120

    System Information Discovery

    1
    T1082

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\ahnmove.bat
      Filesize

      181B

      MD5

      436b57917ff009c9c375d8a009439824

      SHA1

      131bfda4cc299ce06e355491bfbfe656885d8b1b

      SHA256

      921219d3247c7a126e552c4a64f2b5b88df97d6fb74719898c3f3ca4993da9db

      SHA512

      fde79a02d6903e98cb09d7ab1b66ab6768cbf96e161d20d4034942a6b32943a2e19356f752ba9324f2a3ea06d3735f3ccd002b4f4fca1e6e232daf6478ca41ec

      Download Submit
    • memory/832-139-0x0000000000000000-mapping.dmp
      Download
    • memory/1972-133-0x0000000000590000-0x00000000005B0000-memory.dmp
      Filesize

      128KB

      Download
    • memory/1972-134-0x0000000001000000-0x0000000001168000-memory.dmp
      Filesize

      1.4MB

      Download
    • memory/1972-135-0x0000000000590000-0x00000000005B0000-memory.dmp
      Filesize

      128KB

      Download
    • memory/1972-143-0x0000000001000000-0x0000000001168000-memory.dmp
      Filesize

      1.4MB

      Download
    • memory/1972-132-0x0000000001000000-0x0000000001168000-memory.dmp
      Filesize

      1.4MB

      Download
    • memory/2704-138-0x0000000000000000-mapping.dmp
      Download
    • memory/3380-136-0x0000000000000000-mapping.dmp
      Download
    • memory/3452-140-0x0000000000000000-mapping.dmp
      Download
    • memory/3632-137-0x0000000000000000-mapping.dmp
      Download
    • memory/3720-142-0x0000000000000000-mapping.dmp
      Download
    • memory/3916-141-0x0000000000000000-mapping.dmp
      Download