Overview

overview

8

Static

static

89accdfe65...85.exe

windows7-x64

8

89accdfe65...85.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    131s
  • max time network
    170s
  • platform
    windows7_x64
  • resource
    win7-20221111-en
  • resource tags

    arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
  • submitted
    23-11-2022 13:44

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    89accdfe65e18999d57cf5a1eae7e2fe280f8d817ea6bf7b4d30c0ca20d71e85.exe

  • Size

    3.0MB

  • MD5

    91406e61fa3aa437c7efa66a4ea9ba0f

  • SHA1

    27c6f6a493dd74b0d5c52437b07f1ab31e5a2e57

  • SHA256

    89accdfe65e18999d57cf5a1eae7e2fe280f8d817ea6bf7b4d30c0ca20d71e85

  • SHA512

    5b141804e5806b87c298447c853ddcd37ac729200c91b1640eb00906224c5f0df10fd826c37bfa3cb886c82387bf4fb14e2e93762c24805a1a6bc3aaa2be97b1

  • SSDEEP

    49152:iaUrAj9PxbJ2zuAiBCUwH7SlFJ5DumdOsCeT4n61dvdeR7hx9xek6uxzmy:ia4Aj6iBCUwHujDbC1n61S7nJ6Az

Score
8/10
adwarediscoverypersistencespywarestealer

Malware Config

Signatures

  • Registers COM server for autorun 1 TTPs 4 IoCs
    persistence
  • Loads dropped DLL 3 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Drops Chrome extension 3 IoCs
  • Installs/modifies Browser Helper Object 2 TTPs 8 IoCs

    BHOs are DLL modules which act as plugins for Internet Explorer.

    stealeradware
  • Drops file in System32 directory 4 IoCs
  • Drops file in Program Files directory 8 IoCs
  • Modifies Internet Explorer settings 1 TTPs 8 IoCs
    adwarespyware
  • Modifies registry class 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs
  • System policy modification 1 TTPs 2 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\89accdfe65e18999d57cf5a1eae7e2fe280f8d817ea6bf7b4d30c0ca20d71e85.exe
    "C:\Users\Admin\AppData\Local\Temp\89accdfe65e18999d57cf5a1eae7e2fe280f8d817ea6bf7b4d30c0ca20d71e85.exe"
    1⤵
    • Loads dropped DLL
    • Drops Chrome extension
    • Installs/modifies Browser Helper Object
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:560
    • C:\Windows\SysWOW64\regsvr32.exe
      regsvr32.exe /s "C:\Program Files (x86)\cosstminn\KEI5_sFbPM.x64.dll"
      2⤵
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:1636
      • C:\Windows\system32\regsvr32.exe
        /s "C:\Program Files (x86)\cosstminn\KEI5_sFbPM.x64.dll"
        3⤵
        • Registers COM server for autorun
        • Loads dropped DLL
        • Installs/modifies Browser Helper Object
        • Modifies Internet Explorer settings
        • Modifies registry class
        PID:1736

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1
T1060

Browser Extensions

1
T1176

Privilege Escalation

Defense Evasion

Modify Registry

3
T1112

Credential Access

Credentials in Files

1
T1081

Discovery

Query Registry

1
T1012

Lateral Movement

Collection

Data from Local System

1
T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Program Files (x86)\cosstminn\KEI5_sFbPM.dat
    Filesize

    4KB

    MD5

    ce454201ca755e1e6438310a3c7b54e9

    SHA1

    c26213bd7debcc04546235934b044ee3fff03065

    SHA256

    7b9be20f9216d359c78666e7300e2c6078f201abc302eaa7ccbd6c667f0db8c7

    SHA512

    1b00d8dc510ea95c899c3c59969f455549db526a3a56c318bbfdfb437984397abc958066cb21aa6eee98b0741c2bc9427a0ff52133ab8b5e9ae153a72c7e0163

    Download Submit
  • C:\Program Files (x86)\cosstminn\KEI5_sFbPM.tlb
    Filesize

    3KB

    MD5

    3fdfaa71c68f31e83daf46b214ff8c89

    SHA1

    fe4a9d2172e9a94570f46fc151b94f90db08da77

    SHA256

    2d4e42ee22cf2171777f6f2aa232df7a2ad3445b6988ee2f2666ec2a863aca93

    SHA512

    392faf168a97d35fc4fa414844cae3662d231f18d5db55891e6cf281f34cef590cb94f6a650565b5b2bdf2c0899dc872c432106449604079f3283da241f2a100

    Download Submit
  • C:\Program Files (x86)\cosstminn\KEI5_sFbPM.x64.dll
    Filesize

    687KB

    MD5

    cd1a0489adc1f05fc31a65eb26e08c92

    SHA1

    95af9d7095d36dee3e4d2e2952ca1a199c2bb596

    SHA256

    b63804fa2e99e3bd6b8dac3e203cba731ae2317e1fdae32014a88ff40a7a4755

    SHA512

    52bc43818912822eb746196aea22b11287a914f156c2838e8c2bc01469758ac18f0575df3d05f7b37042e8c3fd88d5c905d69f359963d5d57c42d0bd7b073c19

    Download Submit
  • \Program Files (x86)\cosstminn\KEI5_sFbPM.dll
    Filesize

    610KB

    MD5

    8c17652e3d7951221e9afeb07a4c71e6

    SHA1

    68aeb97e567f4e705d4126a60bd94ef567760b61

    SHA256

    4085d30c67ed3d336266d7dd5c2a1bfac8e6ba45f9240b31283e43ac9555ea24

    SHA512

    6f21a4058579e7babe1ee44199fc41bf282d6e0c92352c636f39160c7c9e61191f9eb4186dcba8f0a25cf51f97c181e3027f2bbcee9f723a85de159121655065

    Download Submit
  • \Program Files (x86)\cosstminn\KEI5_sFbPM.x64.dll
    Filesize

    687KB

    MD5

    cd1a0489adc1f05fc31a65eb26e08c92

    SHA1

    95af9d7095d36dee3e4d2e2952ca1a199c2bb596

    SHA256

    b63804fa2e99e3bd6b8dac3e203cba731ae2317e1fdae32014a88ff40a7a4755

    SHA512

    52bc43818912822eb746196aea22b11287a914f156c2838e8c2bc01469758ac18f0575df3d05f7b37042e8c3fd88d5c905d69f359963d5d57c42d0bd7b073c19

    Download Submit
  • \Program Files (x86)\cosstminn\KEI5_sFbPM.x64.dll
    Filesize

    687KB

    MD5

    cd1a0489adc1f05fc31a65eb26e08c92

    SHA1

    95af9d7095d36dee3e4d2e2952ca1a199c2bb596

    SHA256

    b63804fa2e99e3bd6b8dac3e203cba731ae2317e1fdae32014a88ff40a7a4755

    SHA512

    52bc43818912822eb746196aea22b11287a914f156c2838e8c2bc01469758ac18f0575df3d05f7b37042e8c3fd88d5c905d69f359963d5d57c42d0bd7b073c19

    Download Submit
  • memory/560-54-0x0000000075531000-0x0000000075533000-memory.dmp
    Filesize

    8KB

    Download
  • memory/560-55-0x0000000002600000-0x00000000026A0000-memory.dmp
    Filesize

    640KB

    Download
  • memory/1636-82-0x0000000000000000-mapping.dmp
    Download
  • memory/1736-86-0x0000000000000000-mapping.dmp
    Download
  • memory/1736-87-0x000007FEFBCE1000-0x000007FEFBCE3000-memory.dmp
    Filesize

    8KB

    Download