Overview

overview

8

Static

static

25276ff09c...d4.exe

windows7-x64

8

25276ff09c...d4.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    152s
  • max time network
    170s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
  • submitted
    23-11-2022 14:45

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    25276ff09c53aa540db4aacf5c1ba026cbb01d98145c984c11739678899d6cd4.exe

  • Size

    3.1MB

  • MD5

    b04eeca467e087f2b6e790470760ef41

  • SHA1

    d350cb86656c2c199bf4c1f7dd87d76a313269b4

  • SHA256

    25276ff09c53aa540db4aacf5c1ba026cbb01d98145c984c11739678899d6cd4

  • SHA512

    54fd90d1420ade3a682257c49f04973358c3629660a7e39957d262ed4a63aac4d6008863fae65191b3fd83457c701937cc0eabef1f560f558c642f0c5dca00fd

  • SSDEEP

    49152:VXCLQbeGze7bSi8x9BKCWLMT/95j0YZ0ZMGSqN+ICvNqE/lL8kG1:VSU1i3u/jnZ0ZvSqFE/+

Score
8/10
adwarediscoverypersistencespywarestealer

Malware Config

Signatures

  • Registers COM server for autorun 1 TTPs 4 IoCs
    persistence
  • Loads dropped DLL 3 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Drops Chrome extension 5 IoCs
  • Installs/modifies Browser Helper Object 2 TTPs 8 IoCs

    BHOs are DLL modules which act as plugins for Internet Explorer.

    stealeradware
  • Drops file in System32 directory 4 IoCs
  • Drops file in Program Files directory 8 IoCs
  • Modifies Internet Explorer settings 1 TTPs 8 IoCs
    adwarespyware
  • Modifies registry class 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 16 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of WriteProcessMemory 5 IoCs
  • System policy modification 1 TTPs 1 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\25276ff09c53aa540db4aacf5c1ba026cbb01d98145c984c11739678899d6cd4.exe
    "C:\Users\Admin\AppData\Local\Temp\25276ff09c53aa540db4aacf5c1ba026cbb01d98145c984c11739678899d6cd4.exe"
    1⤵
    • Loads dropped DLL
    • Drops Chrome extension
    • Installs/modifies Browser Helper Object
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:2032
    • C:\Windows\SysWOW64\regsvr32.exe
      regsvr32.exe /s "C:\Program Files (x86)\cosstminn\ELPa.x64.dll"
      2⤵
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:3296
      • C:\Windows\system32\regsvr32.exe
        /s "C:\Program Files (x86)\cosstminn\ELPa.x64.dll"
        3⤵
        • Registers COM server for autorun
        • Loads dropped DLL
        • Installs/modifies Browser Helper Object
        • Modifies Internet Explorer settings
        • Modifies registry class
        PID:1452
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
    1⤵
      PID:3480
    • C:\Windows\system32\svchost.exe
      C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
      1⤵
        PID:3712

      Network

      MITRE ATT&CK Enterprise v6

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Program Files (x86)\cosstminn\ELPa.dat
        Filesize

        4KB

        MD5

        acdc5f88466d189ce31427d38a5cf8e9

        SHA1

        6192b6799ec4b45cbcdf1e88b45cbf214f7586dd

        SHA256

        cf95ecf4c6387664c9eccaabd2ec56ab12266b6cde5f861912955c973e0f5c32

        SHA512

        45354401da8a1be71a3291fdfb41c5800c9fe914e94731298820cdbded90e06841bb7d86a6d677c246c379bb3f47bad21a17400ef1af9d5e126de4746d8fede3

        Download Submit

      • C:\Program Files (x86)\cosstminn\ELPa.dll
        Filesize

        610KB

        MD5

        1a2a5aeb486a553926674b61c65a8998

        SHA1

        3f87a150d0d04c66745cd2c5c7a0eb24fc6f0f21

        SHA256

        7774df2ea482856d1f074ccd5f3513132b5f03826964b0a592d74d22c8a409b7

        SHA512

        7ba6797697c0af305a6e51b2affd9819c3f3e8010c4f28f805545322a1ebe1bd1c5c70ec2b0db54c31939568a65ae2143bca5f826135a1445cfe49a5d7fd1215

        Download Submit

      • C:\Program Files (x86)\cosstminn\ELPa.tlb
        Filesize

        3KB

        MD5

        0c1303480311c937a5898e1221caeb4c

        SHA1

        3d8e8499847546fb4beb3104d34dba1c4962a71f

        SHA256

        de9c7a0783ac0e39aa26c52aa559d414aac174dcafd6cbaf0afe7ebf3135130f

        SHA512

        554a77347647cd33234f17b0d7bce3cedd7bff347fc2b8d309e7305e8a2f88640ea2a2094a928f5f47c89b3b17f090405eb81428d43b3125d11c9c0c9fe94c47

        Download Submit

      • C:\Program Files (x86)\cosstminn\ELPa.x64.dll
        Filesize

        689KB

        MD5

        b914fc09324c95bc5c071eb82b500ab7

        SHA1

        4379fc0030d6eec9c99bd7b5c5220ea3d67d3cbe

        SHA256

        8d63f8e86afc66984039a4f3f33a70704b8ca1fe8dd2cc0c8b0f3971bf43d223

        SHA512

        2f43471dc8c378970e60903e78e6953d3f3ebec736b8a6f8f563bc32cbdd5e2a4de4cb1bcb021679301160deb3d7296ab4a06298b2a9e74c5b1bfbeb14889b24

        Download Submit

      • C:\Program Files (x86)\cosstminn\ELPa.x64.dll
        Filesize

        689KB

        MD5

        b914fc09324c95bc5c071eb82b500ab7

        SHA1

        4379fc0030d6eec9c99bd7b5c5220ea3d67d3cbe

        SHA256

        8d63f8e86afc66984039a4f3f33a70704b8ca1fe8dd2cc0c8b0f3971bf43d223

        SHA512

        2f43471dc8c378970e60903e78e6953d3f3ebec736b8a6f8f563bc32cbdd5e2a4de4cb1bcb021679301160deb3d7296ab4a06298b2a9e74c5b1bfbeb14889b24

        Download Submit

      • C:\Program Files (x86)\cosstminn\ELPa.x64.dll
        Filesize

        689KB

        MD5

        b914fc09324c95bc5c071eb82b500ab7

        SHA1

        4379fc0030d6eec9c99bd7b5c5220ea3d67d3cbe

        SHA256

        8d63f8e86afc66984039a4f3f33a70704b8ca1fe8dd2cc0c8b0f3971bf43d223

        SHA512

        2f43471dc8c378970e60903e78e6953d3f3ebec736b8a6f8f563bc32cbdd5e2a4de4cb1bcb021679301160deb3d7296ab4a06298b2a9e74c5b1bfbeb14889b24

        Download Submit

      • memory/1452-152-0x0000000000000000-mapping.dmp

        Download

      • memory/2032-141-0x00000000011E0000-0x00000000011E3000-memory.dmp

        Filesize

        12KB

        Download

      • memory/2032-144-0x00000000011E0000-0x00000000011E3000-memory.dmp

        Filesize

        12KB

        Download

      • memory/2032-145-0x00000000011E0000-0x00000000011E3000-memory.dmp

        Filesize

        12KB

        Download

      • memory/2032-146-0x00000000011E0000-0x00000000011E3000-memory.dmp

        Filesize

        12KB

        Download

      • memory/2032-147-0x00000000011E0000-0x00000000011E3000-memory.dmp

        Filesize

        12KB

        Download

      • memory/2032-143-0x00000000011E0000-0x00000000011E3000-memory.dmp

        Filesize

        12KB

        Download

      • memory/2032-142-0x00000000011E0000-0x00000000011E3000-memory.dmp

        Filesize

        12KB

        Download

      • memory/2032-132-0x0000000000400000-0x00000000004A3000-memory.dmp

        Filesize

        652KB

        Download

      • memory/2032-140-0x00000000011E0000-0x00000000011E3000-memory.dmp

        Filesize

        12KB

        Download

      • memory/2032-139-0x00000000011E0000-0x00000000011E3000-memory.dmp

        Filesize

        12KB

        Download

      • memory/2032-138-0x00000000011E0000-0x00000000011E3000-memory.dmp

        Filesize

        12KB

        Download

      • memory/2032-137-0x00000000011E0000-0x00000000011E3000-memory.dmp

        Filesize

        12KB

        Download

      • memory/3296-149-0x0000000000000000-mapping.dmp

        Download