Overview

overview

8

Static

static

57221a2e2f...54.exe

windows7-x64

8

57221a2e2f...54.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    91s
  • max time network
    155s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220901-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
  • submitted
    07-11-2022 12:59

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    57221a2e2f10d70b624d82a1c1b4aeeee188f885e694c972a1e361b932306c54.exe

  • Size

    328KB

  • MD5

    05bef863589d9acccb2f7c522b4c5b00

  • SHA1

    e318054d17d150fa7e186aaf80e6721ed3e83e21

  • SHA256

    57221a2e2f10d70b624d82a1c1b4aeeee188f885e694c972a1e361b932306c54

  • SHA512

    291a5dd278577047ae7c2755ab14129db183763ba7f646e01b0bbdb2856a00d65bd78d62404c0504169571acc6b224009b93fa898f90dabfc8d9717013b57aae

  • SSDEEP

    6144:eyWOeLm+tkxoGQvT+W4+HMc+MEGRQ6saHSMf3z0AzbLUG50Tpm+MmvbWdlL0d5aU:eCemx0vN3HKGi6sYjJLUGGtedud5tr7

Score
8/10
adwarediscoveryexploitpersistencestealer

Malware Config

Signatures

  • Drops file in Drivers directory 1 IoCs
  • Possible privilege escalation attempt 4 IoCs
    exploit
  • Sets service image path in registry 2 TTPs 1 IoCs
    persistence
  • Modifies file permissions 1 TTPs 4 IoCs
    discovery
  • Installs/modifies Browser Helper Object 2 TTPs 3 IoCs

    BHOs are DLL modules which act as plugins for Internet Explorer.

    stealeradware
  • Maps connected drives based on registry 3 TTPs 3 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Drops file in System32 directory 4 IoCs
  • Modifies registry class 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: LoadsDriver 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\57221a2e2f10d70b624d82a1c1b4aeeee188f885e694c972a1e361b932306c54.exe
    "C:\Users\Admin\AppData\Local\Temp\57221a2e2f10d70b624d82a1c1b4aeeee188f885e694c972a1e361b932306c54.exe"
    1⤵
    • Drops file in Drivers directory
    • Sets service image path in registry
    • Installs/modifies Browser Helper Object
    • Maps connected drives based on registry
    • Drops file in System32 directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: LoadsDriver
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4944
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c takeown /f C:\Windows\SysWOW64\wshtcpip.dll && icacls C:\Windows\SysWOW64\wshtcpip.dll /grant administrators:F
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4532
      • C:\Windows\SysWOW64\takeown.exe
        takeown /f C:\Windows\SysWOW64\wshtcpip.dll
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        • Suspicious use of AdjustPrivilegeToken
        PID:336
      • C:\Windows\SysWOW64\icacls.exe
        icacls C:\Windows\SysWOW64\wshtcpip.dll /grant administrators:F
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        PID:1920
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c takeown /f C:\Windows\SysWOW64\midimap.dll && icacls C:\Windows\SysWOW64\midimap.dll /grant administrators:F
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:544
      • C:\Windows\SysWOW64\takeown.exe
        takeown /f C:\Windows\SysWOW64\midimap.dll
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        • Suspicious use of AdjustPrivilegeToken
        PID:820
      • C:\Windows\SysWOW64\icacls.exe
        icacls C:\Windows\SysWOW64\midimap.dll /grant administrators:F
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        PID:3348
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ahnmove.bat
      2⤵
        PID:3848

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\ahnmove.bat
      Filesize

      181B

      MD5

      a3ed440e3ac56eca32bcf9107d1bb4c6

      SHA1

      2373eb0d628a3b88ab776dd17f040e0a7203fde4

      SHA256

      6cfe830cdf4310cce0562f2faa7b834ca569c0b1da8dc30e25cb15c5cfb55972

      SHA512

      45092cbca84b098ebad5ec3811db3d0926dad4770ee952e6954e8cf0cae4a3f5e63ab083addd01f50d5585b15ccc22a8cd2887b5889dd528fb9c4a6e40ba678a

      Download Submit

    • memory/336-137-0x0000000000000000-mapping.dmp

      Download

    • memory/544-139-0x0000000000000000-mapping.dmp

      Download

    • memory/820-140-0x0000000000000000-mapping.dmp

      Download

    • memory/1920-138-0x0000000000000000-mapping.dmp

      Download

    • memory/3348-141-0x0000000000000000-mapping.dmp

      Download

    • memory/3848-142-0x0000000000000000-mapping.dmp

      Download

    • memory/4532-136-0x0000000000000000-mapping.dmp

      Download

    • memory/4944-135-0x00000000004C0000-0x00000000004E0000-memory.dmp

      Filesize

      128KB

      Download

    • memory/4944-134-0x0000000001000000-0x000000000116A000-memory.dmp

      Filesize

      1.4MB

      Download

    • memory/4944-132-0x0000000001000000-0x000000000116A000-memory.dmp

      Filesize

      1.4MB

      Download

    • memory/4944-143-0x0000000001000000-0x000000000116A000-memory.dmp

      Filesize

      1.4MB

      Download

    • memory/4944-133-0x00000000004C0000-0x00000000004E0000-memory.dmp

      Filesize

      128KB

      Download