Overview

overview

8

Static

static

4e04cec2f2...76.exe

windows7-x64

8

4e04cec2f2...76.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    59s
  • max time network
    51s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    07-11-2022 13:11

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    4e04cec2f2b9b6320b9978693b973cb2905fddb8fdf86f45fb11c360e30dae76.exe

  • Size

    204KB

  • MD5

    0cf17a776f951d6993c5adc9a0bcf186

  • SHA1

    6a11aa3f62c19fa61812b684533457ef62af4231

  • SHA256

    4e04cec2f2b9b6320b9978693b973cb2905fddb8fdf86f45fb11c360e30dae76

  • SHA512

    4b4677631a1b45a79038b8901adc69e07fc3c539c1aaf313e0df331608d3d5a41667c1ebb8b584a19f2ee10282ef5dabcb837bc82c2a2787b1a100681f4d52d6

  • SSDEEP

    3072:+PSBxK5PidCBrz5tdr/lOe1+zq979pMsTN7f60DPPsiNdkyZ8nbJFvCZ:PAlKCBvZlONCN7fJ7tNStn

Score
8/10
adwarepersistencestealerupx

Malware Config

Signatures

  • Drops file in Drivers directory 2 IoCs
  • Sets service image path in registry 2 TTPs 2 IoCs
    persistence
  • UPX packed file 2 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Deletes itself 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Installs/modifies Browser Helper Object 2 TTPs 6 IoCs

    BHOs are DLL modules which act as plugins for Internet Explorer.

    stealeradware
  • Maps connected drives based on registry 3 TTPs 3 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Drops file in System32 directory 6 IoCs
  • Modifies registry class 46 IoCs
  • Suspicious behavior: EnumeratesProcesses 28 IoCs
  • Suspicious behavior: LoadsDriver 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\4e04cec2f2b9b6320b9978693b973cb2905fddb8fdf86f45fb11c360e30dae76.exe
    "C:\Users\Admin\AppData\Local\Temp\4e04cec2f2b9b6320b9978693b973cb2905fddb8fdf86f45fb11c360e30dae76.exe"
    1⤵
    • Drops file in Drivers directory
    • Sets service image path in registry
    • Installs/modifies Browser Helper Object
    • Maps connected drives based on registry
    • Drops file in System32 directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: LoadsDriver
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1604
    • C:\Windows\SysWOW64\regsvr32.exe
      C:\Windows\system32\regsvr32.exe /s /c C:\Windows\system32\kakubi.dll
      2⤵
      • Loads dropped DLL
      • Installs/modifies Browser Helper Object
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      PID:1192
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c C:\Users\Admin\AppData\Local\Temp\Coor.bat
      2⤵
      • Deletes itself
      PID:1036

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\Coor.bat
    Filesize

    178B

    MD5

    19bb6a76db598f3dbaf60617be50f23d

    SHA1

    21ee9d9a02bd13f3fdf7d43db28ffd13ddc55155

    SHA256

    3e0a89bc419413909a43935f9a2601ca8f89e549104697006a39f3a7c61d7bfe

    SHA512

    0d58745922a6400a75a131de4b3f8ae5afe14107330a33cf52f11c2e4b2e85ab3837e3e72ca1bf69700128f2e6214e1c2d270241ed76c1f6623f438bd1cef3b6

    Download Submit

  • C:\Windows\SysWOW64\kakubi.dll
    Filesize

    204KB

    MD5

    aa839ff1236ea872e77bee6c39a4f843

    SHA1

    a5a3ca1bb0c8620a5a64ffe2d9fc757563b524b1

    SHA256

    3655f0d4b70d11681511c4b15a596444ffc6c02bab75af295187ed632d6a181d

    SHA512

    ad959daebc4e5e7c78e6e41d940eea6bfa5ac1946a077943c0554744dda57d947e2ba18b5409639ed04090316d20ac5690fa2cbea23ff911bd60480d4c27c85a

    Download Submit

  • \Windows\SysWOW64\kakubi.dll
    Filesize

    204KB

    MD5

    aa839ff1236ea872e77bee6c39a4f843

    SHA1

    a5a3ca1bb0c8620a5a64ffe2d9fc757563b524b1

    SHA256

    3655f0d4b70d11681511c4b15a596444ffc6c02bab75af295187ed632d6a181d

    SHA512

    ad959daebc4e5e7c78e6e41d940eea6bfa5ac1946a077943c0554744dda57d947e2ba18b5409639ed04090316d20ac5690fa2cbea23ff911bd60480d4c27c85a

    Download Submit

  • memory/1036-65-0x0000000000000000-mapping.dmp

    Download

  • memory/1192-59-0x0000000000000000-mapping.dmp

    Download

  • memory/1604-57-0x0000000000250000-0x00000000002D0000-memory.dmp

    Filesize

    512KB

    Download

  • memory/1604-58-0x0000000000220000-0x0000000000230000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1604-54-0x0000000075601000-0x0000000075603000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1604-63-0x0000000000400000-0x00000000004DC000-memory.dmp

    Filesize

    880KB

    Download

  • memory/1604-64-0x0000000000220000-0x0000000000230000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1604-56-0x0000000000400000-0x00000000004DC000-memory.dmp

    Filesize

    880KB

    Download

  • memory/1604-66-0x0000000000400000-0x00000000004DC000-memory.dmp

    Filesize

    880KB

    Download

  • memory/1604-55-0x0000000000250000-0x00000000002D0000-memory.dmp

    Filesize

    512KB

    Download