Analysis

  • max time kernel
    60s
  • max time network
    64s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags
    arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
  • submitted
    20-11-2022 08:36

General

  • Target

    637fc2260ea3a0d3d0b55953c2ff5bf23674c0fb881e92eb0437edb02906a7ac.exe

  • Size

    686KB

  • MD5

    3a727e40ad724fb8dd9cfbc82b0f4d90

  • SHA1

    802544ecc7add1e5248dbbce59e21b5f248a9fcc

  • SHA256

    637fc2260ea3a0d3d0b55953c2ff5bf23674c0fb881e92eb0437edb02906a7ac

  • SHA512

    402c421727810717d94ffa2acdb8e57171284c1e8413f0363d49bd988b4575d3b8ee5472b0673c747defcfc51323c6d8492d18ed216d3212eee71fae996167e4

  • SSDEEP

    12288:KwWXgoYk/6Ih6EPvj18RNwpkVo4LfQSYBus9cbxOvBY7ms7vKpnMj5pxHqZGxX:tWw1OkEPb18wYo4LfQBn9iUvm7ms4Kxr

Malware Config

Signatures

  • ACProtect 1.3x - 1.4x DLL software 1 IoCs

    Detects file using ACProtect software.

  • Drops file in Drivers directory 1 IoCs
  • Possible privilege escalation attempt 4 IoCs
  • Sets service image path in registry 2 TTPs 1 IoCs
  • UPX packed file 2 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Deletes itself 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Modifies file permissions 1 TTPs 4 IoCs
  • Installs/modifies Browser Helper Object 2 TTPs 4 IoCs

    BHOs are DLL modules which act as plugins for Internet Explorer.

  • Maps connected drives based on registry 3 TTPs 3 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Drops file in System32 directory 5 IoCs
  • Modifies registry class 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: LoadsDriver 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\637fc2260ea3a0d3d0b55953c2ff5bf23674c0fb881e92eb0437edb02906a7ac.exe
    "C:\Users\Admin\AppData\Local\Temp\637fc2260ea3a0d3d0b55953c2ff5bf23674c0fb881e92eb0437edb02906a7ac.exe"
    1⤵
    • Drops file in Drivers directory
    • Sets service image path in registry
    • Loads dropped DLL
    • Installs/modifies Browser Helper Object
    • Maps connected drives based on registry
    • Drops file in System32 directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: LoadsDriver
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2004
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c takeown /f C:\Windows\SysWOW64\wshtcpip.dll && icacls C:\Windows\SysWOW64\wshtcpip.dll /grant administrators:F
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1756
      • C:\Windows\SysWOW64\takeown.exe
        takeown /f C:\Windows\SysWOW64\wshtcpip.dll
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        • Suspicious use of AdjustPrivilegeToken
        PID:2000
      • C:\Windows\SysWOW64\icacls.exe
        icacls C:\Windows\SysWOW64\wshtcpip.dll /grant administrators:F
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        PID:744
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c takeown /f C:\Windows\SysWOW64\midimap.dll && icacls C:\Windows\SysWOW64\midimap.dll /grant administrators:F
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1200
      • C:\Windows\SysWOW64\takeown.exe
        takeown /f C:\Windows\SysWOW64\midimap.dll
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        • Suspicious use of AdjustPrivilegeToken
        PID:844
      • C:\Windows\SysWOW64\icacls.exe
        icacls C:\Windows\SysWOW64\midimap.dll /grant administrators:F
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        PID:616
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c C:\Users\Admin\AppData\Local\Temp\ahnmove.bat
      2⤵
      • Deletes itself
      PID:1808

Network

MITRE ATT&CK Matrix (ATT&CK v6)

  • Persistence
    • Registry Run Keys / Startup Folder (1) - T1060
    • Browser Extensions (1) - T1176
  • Defense Evasion
    • Modify Registry (2) - T1112
    • File Permissions Modification (1) - T1222
  • Discovery
    • Query Registry (1) - T1012
    • Peripheral Device Discovery (1) - T1120
    • System Information Discovery (1) - T1082

Downloads

  • C:\Users\Admin\AppData\Local\Temp\ahnmove.bat
    Filesize

    181B

    MD5

    1391ac37e7f2f0818d37fadce1cec329

    SHA1

    0fb505a17893daa666381f72bb2233ae36655378

    SHA256

    5a1275a4b28cf2716531c05483c5b5f87c3e9185ff16ae00953039732cd899f6

    SHA512

    b1265afe6179d77616a51fddba71451c34a70748cceb7da9ef97ca82d69b6d0af064fdb6daf64367535859c59b1d9d1cfb597c97d0f28b403d7e94111988ee27

  • \Users\Admin\AppData\Local\Temp\u7UwruIi.dll
    Filesize

    4.8MB

    MD5

    c6c05e5ebe47d0bc30af7f48aefea124

    SHA1

    b3c9c4a4ac61c8e333221d75e740741ec92f784b

    SHA256

    73ebfba01e135e16740a987f8d963da82835ef4b9da1acbc6d23ba0b2a27f610

    SHA512

    f5a28373bf96aa4a5648ef53c46f887c20401a33525c5745230a79cf9710ef247b80ee13ae5a3d40264d621bd2cfd7dd984ecc1537218a14593b1f5dbc9260c7

  • \Windows\SysWOW64\wshtcpip.dll
    Filesize

    19KB

    MD5

    da88060551ceb258e9e68b200cae73a0

    SHA1

    12a8617edf52166841c47aa88b2182bbb713d251

    SHA256

    819c5927a4e94fb9019218224adcf3da50d176ca10409a9d2521227daef4542e

    SHA512

    42bdba9347a867c376dd36f5b505a1f85c242b8b9ce056cc2868440c66cac29a9d5990e15b806008a2ec21ef93c71633a6ef1f9aeb888a3e04fa5375782eb53e

  • memory/616-62-0x0000000000000000-mapping.dmp
  • memory/744-57-0x0000000000000000-mapping.dmp
  • memory/844-61-0x0000000000000000-mapping.dmp
  • memory/1200-60-0x0000000000000000-mapping.dmp
  • memory/1756-55-0x0000000000000000-mapping.dmp
  • memory/1808-67-0x0000000000000000-mapping.dmp
  • memory/2000-56-0x0000000000000000-mapping.dmp
  • memory/2004-58-0x0000000001000000-0x0000000001698000-memory.dmp
    Filesize

    6.6MB

  • memory/2004-65-0x0000000001000000-0x0000000001698000-memory.dmp
    Filesize

    6.6MB

  • memory/2004-66-0x00000000003C0000-0x00000000003E0000-memory.dmp
    Filesize

    128KB

  • memory/2004-64-0x00000000719C1000-0x00000000719C5000-memory.dmp
    Filesize

    16KB

  • memory/2004-59-0x00000000003C0000-0x00000000003E0000-memory.dmp
    Filesize

    128KB

  • memory/2004-54-0x0000000075BA1000-0x0000000075BA3000-memory.dmp
    Filesize

    8KB

  • memory/2004-70-0x0000000001000000-0x0000000001698000-memory.dmp
    Filesize

    6.6MB

  • memory/2004-71-0x0000000010000000-0x00000000105DF000-memory.dmp
    Filesize

    5.9MB