Analysis

  • max time kernel
    175s
  • max time network
    194s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    23-11-2022 10:47

General

  • Target

    0faa3ec8135ca39680f49453f9168e6306a8ee6c70d9a7d1def1a30108671728.exe

  • Size

    280KB

  • MD5

    12dd15c9f7cfb47a66b1dac85538a1c8

  • SHA1

    90632644dce5818b5a4c4e582a6ba58b0a713662

  • SHA256

    0faa3ec8135ca39680f49453f9168e6306a8ee6c70d9a7d1def1a30108671728

  • SHA512

    09f619b1e5b98355f59d2a9723786723cc92fd755e6804a3ef4f0f004042293f89f451d8964f2bbef001c825d88cf633552fb3fb4639702655131849bf46515b

  • SSDEEP

    6144:SbRKBQFcxM2msySPRIX8lSr8dahmYqKPNYYrADbfETqU6Qmuk3P:EIuOxM4RIslSQdBKNJrA3flFuE

Score
6/10

Malware Config

Signatures

  • Installs/modifies Browser Helper Object (2 TTPs, 2 IoCs)

    BHOs are DLL modules which act as plugins for Internet Explorer.

  • Drops file in Windows directory (1 IoC)
  • Modifies registry class (2 IoCs)
  • Suspicious use of SetWindowsHookEx (1 IoC)
  • Suspicious use of WriteProcessMemory (9 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\0faa3ec8135ca39680f49453f9168e6306a8ee6c70d9a7d1def1a30108671728.exe
    "C:\Users\Admin\AppData\Local\Temp\0faa3ec8135ca39680f49453f9168e6306a8ee6c70d9a7d1def1a30108671728.exe"
    PID:4468
    • Installs/modifies Browser Helper Object
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\System32\cmd.exe /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
      PID:2384
      • Suspicious use of WriteProcessMemory
      • C:\Windows\SysWOW64\reg.exe
        C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
        PID:116
    • C:\Windows\SysWOW64\regsvr32.exe
      regsvr32.exe /s C:\Windows\jpfw2642.dll
      PID:1476

Network

MITRE ATT&CK Enterprise v6

Downloads

  • memory/116-135-0x0000000000000000-mapping.dmp
  • memory/1476-136-0x0000000000000000-mapping.dmp
  • memory/2384-134-0x0000000000000000-mapping.dmp