Overview

overview

8

Static

static

87771b930f...d6.exe

windows7-x64

87771b930f...d6.exe

windows10-2004-x64

Analysis

  • max time kernel
    61s
  • max time network
    91s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    23/11/2022, 23:36

Sharing

Copy URL Twitter E-mail

Errors

Reason
Machine shutdown
Report Analysis Logs

General

  • Target

    87771b930f12658f65736e69206df44218de3a003958d76f62e8031aeda6dfd6.exe

  • Size

    244KB

  • MD5

    4496578bd5fb9153b6dca335b1a89be6

  • SHA1

    65e635385fccafbe495bd36db14b3b0098fe4763

  • SHA256

    87771b930f12658f65736e69206df44218de3a003958d76f62e8031aeda6dfd6

  • SHA512

    7a2d3e49070a1169045e2a9cbc10b859938b322a3f6cfb4b7fbf01f78972e1d9e116178e37838b2649f3661a884afa5a798cf7fb8c92290f60889d439924cc8e

  • SSDEEP

    3072:CwJI/eenD+PvsD4sjyiacgdYVzdbxiQUjSf722ZYvOSnDcPdwa1u6Bjnqw:CL/eeqPDxia5YAQUjC722FCJ1Qj9

Score
8/10
adwarepersistencestealer

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Sets DLL path for service in the registry 2 TTPs 2 IoCs
    persistence
  • Loads dropped DLL 4 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Installs/modifies Browser Helper Object 2 TTPs 2 IoCs

    BHOs are DLL modules which act as plugins for Internet Explorer.

    stealeradware
  • Drops file in System32 directory 4 IoCs
  • Modifies data under HKEY_USERS 49 IoCs
  • Modifies registry class 22 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\87771b930f12658f65736e69206df44218de3a003958d76f62e8031aeda6dfd6.exe
    "C:\Users\Admin\AppData\Local\Temp\87771b930f12658f65736e69206df44218de3a003958d76f62e8031aeda6dfd6.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in System32 directory
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1988
    • C:\Users\Admin\AppData\Local\Temp\yfm.exe
      "C:\Users\Admin\AppData\Local\Temp\yfm.exe"
      2⤵
      • Executes dropped EXE
      • Sets DLL path for service in the registry
      • Drops file in System32 directory
      • Modifies registry class
      • Suspicious use of SetWindowsHookEx
      PID:480
  • C:\Windows\SysWOW64\svchost.exe
    C:\Windows\SysWOW64\svchost.exe -k netsvcs
    1⤵
    • Sets DLL path for service in the registry
    • Loads dropped DLL
    • Adds Run key to start application
    • Installs/modifies Browser Helper Object
    • Drops file in System32 directory
    • Modifies data under HKEY_USERS
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    PID:980
  • C:\Windows\system32\LogonUI.exe
    "LogonUI.exe" /flags:0x0
    1⤵
      PID:1772
    • C:\Windows\system32\LogonUI.exe
      "LogonUI.exe" /flags:0x1
      1⤵
        PID:1696

      Network

            MITRE ATT&CK Enterprise v6

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\Users\Admin\AppData\Local\Temp\yfm.exe
              Filesize

              20KB

              MD5

              6d503f46ffe12541109dacb2d764ab67

              SHA1

              332ce950448830b28e455308be7f5dd68840264f

              SHA256

              63986c2f76b3160039635370b08483e35afb29b934e527d80aa93386d27e99a3

              SHA512

              f1dcc6c74366284ee3216f15298976ac51f51955d20954e096709a6da35ab3fef9287b06eff6da0f27d7fbb434cbadd742f24756d9a67adbce5dac87a5d7ea00

              Download Submit

            • C:\Windows\SysWOW64\fsutk.dll
              Filesize

              116KB

              MD5

              b7a2b15f6cd9a16e1fe15b867a6b40ed

              SHA1

              7673d0372b5a1937bbd52826107a4385b7a3da08

              SHA256

              78be4f2d1902e7d9194e14a08c792466c13464f87b21aa0f2bbac476edd05db5

              SHA512

              7f08af47ba878db854ddfe87f6c96204f8675346bec39525d947ebbbd59ccb662032c518d64e0586b4dc5ee499e07042a00e4a4cacbe6bf74bea57e3dff387fb

              Download Submit

            • \??\c:\$Recycle.bin\int.dat
              Filesize

              220KB

              MD5

              c65cf5d4fa3670b060713b49a46fbede

              SHA1

              315941ab4859008e7d3805d6e3b38a2476a98295

              SHA256

              ed3cc82856e36aee10b0da04fcce96c58a423a9f91cd915fe0e66cc10991d73b

              SHA512

              83ded1cd97b3863b7aaba218ee5ea6f32a265b13aa57c64518efa555fcde854ce809d599b753c82816f2e74be72235d10fbd8950bb2507e18a54b3177a76d7f0

              Download Submit

            • \??\c:\windows\SysWOW64\liprip.dll
              Filesize

              84KB

              MD5

              624a66664fd5c1648a515495f14b1e22

              SHA1

              601d3dd45ea5e9bc217e309183ec6c99281150df

              SHA256

              5c6551e59177b93111fe35e760842184004db46c3fdb12b0e62f6fbb13efa451

              SHA512

              4f821eec33d49e77ca383ebd3344ff7acf30ffc8f67058d14e1e164a8c6848a90203ef6f63b848ede40b0c585a3542489b1058dfe28da58c0fa6d3bc6118035f

              Download Submit

            • \Users\Admin\AppData\Local\Temp\yfm.exe
              Filesize

              20KB

              MD5

              6d503f46ffe12541109dacb2d764ab67

              SHA1

              332ce950448830b28e455308be7f5dd68840264f

              SHA256

              63986c2f76b3160039635370b08483e35afb29b934e527d80aa93386d27e99a3

              SHA512

              f1dcc6c74366284ee3216f15298976ac51f51955d20954e096709a6da35ab3fef9287b06eff6da0f27d7fbb434cbadd742f24756d9a67adbce5dac87a5d7ea00

              Download Submit

            • \Users\Admin\AppData\Local\Temp\yfm.exe
              Filesize

              20KB

              MD5

              6d503f46ffe12541109dacb2d764ab67

              SHA1

              332ce950448830b28e455308be7f5dd68840264f

              SHA256

              63986c2f76b3160039635370b08483e35afb29b934e527d80aa93386d27e99a3

              SHA512

              f1dcc6c74366284ee3216f15298976ac51f51955d20954e096709a6da35ab3fef9287b06eff6da0f27d7fbb434cbadd742f24756d9a67adbce5dac87a5d7ea00

              Download Submit

            • \Windows\SysWOW64\fsutk.dll
              Filesize

              116KB

              MD5

              b7a2b15f6cd9a16e1fe15b867a6b40ed

              SHA1

              7673d0372b5a1937bbd52826107a4385b7a3da08

              SHA256

              78be4f2d1902e7d9194e14a08c792466c13464f87b21aa0f2bbac476edd05db5

              SHA512

              7f08af47ba878db854ddfe87f6c96204f8675346bec39525d947ebbbd59ccb662032c518d64e0586b4dc5ee499e07042a00e4a4cacbe6bf74bea57e3dff387fb

              Download Submit

            • \Windows\SysWOW64\liprip.dll
              Filesize

              84KB

              MD5

              624a66664fd5c1648a515495f14b1e22

              SHA1

              601d3dd45ea5e9bc217e309183ec6c99281150df

              SHA256

              5c6551e59177b93111fe35e760842184004db46c3fdb12b0e62f6fbb13efa451

              SHA512

              4f821eec33d49e77ca383ebd3344ff7acf30ffc8f67058d14e1e164a8c6848a90203ef6f63b848ede40b0c585a3542489b1058dfe28da58c0fa6d3bc6118035f

              Download Submit

            • memory/980-63-0x0000000000180000-0x00000000001A0000-memory.dmp

              Filesize

              128KB

              Download

            • memory/1772-64-0x000007FEFB741000-0x000007FEFB743000-memory.dmp

              Filesize

              8KB

              Download