Overview

overview

9

Static

static

637fc2260e...ac.exe

windows7-x64

9

637fc2260e...ac.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    146s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    20-11-2022 08:36

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    637fc2260ea3a0d3d0b55953c2ff5bf23674c0fb881e92eb0437edb02906a7ac.exe

  • Size

    686KB

  • MD5

    3a727e40ad724fb8dd9cfbc82b0f4d90

  • SHA1

    802544ecc7add1e5248dbbce59e21b5f248a9fcc

  • SHA256

    637fc2260ea3a0d3d0b55953c2ff5bf23674c0fb881e92eb0437edb02906a7ac

  • SHA512

    402c421727810717d94ffa2acdb8e57171284c1e8413f0363d49bd988b4575d3b8ee5472b0673c747defcfc51323c6d8492d18ed216d3212eee71fae996167e4

  • SSDEEP

    12288:KwWXgoYk/6Ih6EPvj18RNwpkVo4LfQSYBus9cbxOvBY7ms7vKpnMj5pxHqZGxX:tWw1OkEPb18wYo4LfQBn9iUvm7ms4Kxr

Score
8/10
adwarediscoveryexploitpersistencestealer

Malware Config

Signatures

  • Drops file in Drivers directory 1 IoCs
  • Possible privilege escalation attempt 4 IoCs
    exploit
  • Sets service image path in registry 2 TTPs 1 IoCs
    persistence
  • Modifies file permissions 1 TTPs 4 IoCs
    discovery
  • Installs/modifies Browser Helper Object 2 TTPs 3 IoCs

    BHOs are DLL modules which act as plugins for Internet Explorer.

    stealeradware
  • Maps connected drives based on registry 3 TTPs 3 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Drops file in System32 directory 5 IoCs
  • Modifies registry class 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: LoadsDriver 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\637fc2260ea3a0d3d0b55953c2ff5bf23674c0fb881e92eb0437edb02906a7ac.exe
    "C:\Users\Admin\AppData\Local\Temp\637fc2260ea3a0d3d0b55953c2ff5bf23674c0fb881e92eb0437edb02906a7ac.exe"
    1⤵
    • Drops file in Drivers directory
    • Sets service image path in registry
    • Installs/modifies Browser Helper Object
    • Maps connected drives based on registry
    • Drops file in System32 directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: LoadsDriver
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1572
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c takeown /f C:\Windows\SysWOW64\wshtcpip.dll && icacls C:\Windows\SysWOW64\wshtcpip.dll /grant administrators:F
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4964
      • C:\Windows\SysWOW64\takeown.exe
        takeown /f C:\Windows\SysWOW64\wshtcpip.dll
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        • Suspicious use of AdjustPrivilegeToken
        PID:3900
      • C:\Windows\SysWOW64\icacls.exe
        icacls C:\Windows\SysWOW64\wshtcpip.dll /grant administrators:F
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        PID:3536
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c takeown /f C:\Windows\SysWOW64\midimap.dll && icacls C:\Windows\SysWOW64\midimap.dll /grant administrators:F
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4808
      • C:\Windows\SysWOW64\takeown.exe
        takeown /f C:\Windows\SysWOW64\midimap.dll
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        • Suspicious use of AdjustPrivilegeToken
        PID:4804
      • C:\Windows\SysWOW64\icacls.exe
        icacls C:\Windows\SysWOW64\midimap.dll /grant administrators:F
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        PID:4780
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ahnmove.bat
      2⤵
        PID:4112

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Registry Run Keys / Startup Folder

    1
    T1060

    Browser Extensions

    1
    T1176

    Privilege Escalation

    Defense Evasion

    Modify Registry

    2
    T1112

    File Permissions Modification

    1
    T1222

    Credential Access

    Discovery

    Query Registry

    1
    T1012

    Peripheral Device Discovery

    1
    T1120

    System Information Discovery

    1
    T1082

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\ahnmove.bat
      Filesize

      181B

      MD5

      1391ac37e7f2f0818d37fadce1cec329

      SHA1

      0fb505a17893daa666381f72bb2233ae36655378

      SHA256

      5a1275a4b28cf2716531c05483c5b5f87c3e9185ff16ae00953039732cd899f6

      SHA512

      b1265afe6179d77616a51fddba71451c34a70748cceb7da9ef97ca82d69b6d0af064fdb6daf64367535859c59b1d9d1cfb597c97d0f28b403d7e94111988ee27

      Download Submit
    • memory/1572-140-0x0000000001000000-0x0000000001698000-memory.dmp
      Filesize

      6.6MB

      Download
    • memory/1572-144-0x0000000001000000-0x0000000001698000-memory.dmp
      Filesize

      6.6MB

      Download
    • memory/1572-132-0x0000000001000000-0x0000000001698000-memory.dmp
      Filesize

      6.6MB

      Download
    • memory/1572-136-0x0000000000D20000-0x0000000000D40000-memory.dmp
      Filesize

      128KB

      Download
    • memory/1572-141-0x0000000000D20000-0x0000000000D40000-memory.dmp
      Filesize

      128KB

      Download
    • memory/3536-135-0x0000000000000000-mapping.dmp
      Download
    • memory/3900-134-0x0000000000000000-mapping.dmp
      Download
    • memory/4112-142-0x0000000000000000-mapping.dmp
      Download
    • memory/4780-139-0x0000000000000000-mapping.dmp
      Download
    • memory/4804-138-0x0000000000000000-mapping.dmp
      Download
    • memory/4808-137-0x0000000000000000-mapping.dmp
      Download
    • memory/4964-133-0x0000000000000000-mapping.dmp
      Download