Overview

overview

8

Static

static

44fcb7c35a...3f.exe

windows7-x64

8

44fcb7c35a...3f.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    205s
  • max time network
    209s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
  • submitted
    23-11-2022 14:28

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    44fcb7c35a401ad0e320c992ef96b1d54e6564ec2a89ae9656d268049344c33f.exe

  • Size

    2.9MB

  • MD5

    619f94a96f83368d205f44d34fb24061

  • SHA1

    2b996a2cf1e57cbd377b301cb1bbbde876b0ba7e

  • SHA256

    44fcb7c35a401ad0e320c992ef96b1d54e6564ec2a89ae9656d268049344c33f

  • SHA512

    e2a626e74da57433fe4f531a23fb9909404ab639dbef650cb501fbb0bcf2959f41bf0ca67de2bc5ae0ad57712358f1b70309b2ccfce62f81de6ca440851dad68

  • SSDEEP

    49152:wNlIwOj323Z/CYbkOoZyNuWL5mq+9Ou4SzROsp6XmICGFbsbg1VL9enR:WWoFCYbMCLYcPxYmRQg1U

Score
8/10
adwarediscoverypersistencespywarestealer

Malware Config

Signatures

  • Registers COM server for autorun 1 TTPs 4 IoCs
    persistence
  • Loads dropped DLL 3 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Drops Chrome extension 5 IoCs
  • Installs/modifies Browser Helper Object 2 TTPs 8 IoCs

    BHOs are DLL modules which act as plugins for Internet Explorer.

    stealeradware
  • Drops file in System32 directory 4 IoCs
  • Drops file in Program Files directory 8 IoCs
  • Modifies Internet Explorer settings 1 TTPs 8 IoCs
    adwarespyware
  • Modifies registry class 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 16 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of WriteProcessMemory 5 IoCs
  • System policy modification 1 TTPs 1 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\44fcb7c35a401ad0e320c992ef96b1d54e6564ec2a89ae9656d268049344c33f.exe
    "C:\Users\Admin\AppData\Local\Temp\44fcb7c35a401ad0e320c992ef96b1d54e6564ec2a89ae9656d268049344c33f.exe"
    1⤵
    • Loads dropped DLL
    • Drops Chrome extension
    • Installs/modifies Browser Helper Object
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:4668
    • C:\Windows\SysWOW64\regsvr32.exe
      regsvr32.exe /s "C:\Program Files (x86)\cosstminn\LVl_.x64.dll"
      2⤵
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:3948
      • C:\Windows\system32\regsvr32.exe
        /s "C:\Program Files (x86)\cosstminn\LVl_.x64.dll"
        3⤵
        • Registers COM server for autorun
        • Loads dropped DLL
        • Installs/modifies Browser Helper Object
        • Modifies Internet Explorer settings
        • Modifies registry class
        PID:4148
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
    1⤵
      PID:4424
    • C:\Windows\system32\svchost.exe
      C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
      1⤵
        PID:4464

      Network

      MITRE ATT&CK Enterprise v6

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Program Files (x86)\cosstminn\LVl_.dat
        Filesize

        4KB

        MD5

        613911524406c85d6254e9c3246ad5a9

        SHA1

        b0d5f8deaf1d3dd3876f013b62acd5fc1e61d922

        SHA256

        4862b819d2d1904015d6bc73989c799c73c31ad19e162fbfe76cfe48b9b914c1

        SHA512

        7e3785bd8cfe238db746b68316b0aaff7ae7a2d60287a7b31141d8a8a54f2003bdc0943d53002e3eaf65c0246ba9c451b8992b1fe177c0b1e8bf17afdc4585c3

        Download Submit

      • C:\Program Files (x86)\cosstminn\LVl_.dll
        Filesize

        605KB

        MD5

        72ae14ac560cd862a9dc671547286d1b

        SHA1

        929cc12b75cbcbbb18ca5d1a8d463fd0bf607d19

        SHA256

        0e3cd6bddd4109628f9193cbd68da68a06d92bdc6afd2544b6d2cf7a25813f9a

        SHA512

        ebc2da889fb26a2137783e1fadbd7d6f9eed47449df6583efd9df66f89c6c05fd34d01c8da15cbf64d493f07bcbcc0d84800e7bbe34fb7d7e018c1a5de265c26

        Download Submit

      • C:\Program Files (x86)\cosstminn\LVl_.tlb
        Filesize

        3KB

        MD5

        531346571ee2e23320503dd0cf8dde04

        SHA1

        ed110980a7d9e2b1fe6e870291cfbcaf1d2c1219

        SHA256

        5a60546a281eb5a6961b925a60995cb8f888cc1a66e327e6263c21ea3d3b0e7c

        SHA512

        7e04a177e6375f382a88d01a43763e0f4be945426b6635b262597408a320b0e2f0aabea394a923be60c79a009c1737104b69cb5e47bc884215966a8cd679d691

        Download Submit

      • C:\Program Files (x86)\cosstminn\LVl_.x64.dll
        Filesize

        687KB

        MD5

        81d4889568a6f6e358ca9a3d307765e1

        SHA1

        60990e17843d1de4b2ed29acd97e988c33b5e55e

        SHA256

        b1b3213c365c3bb4047a30446181aab8cd835eda9a4ebfb02d29f8629d205bfc

        SHA512

        689289e254060a9f5e6e3c2ad69871c28cb9bd7cf5af16257a95a65205ae2c52c928737dac348084a8870f69de9f530c60f2895d4cfccc2275d0f8f25420f138

        Download Submit

      • C:\Program Files (x86)\cosstminn\LVl_.x64.dll
        Filesize

        687KB

        MD5

        81d4889568a6f6e358ca9a3d307765e1

        SHA1

        60990e17843d1de4b2ed29acd97e988c33b5e55e

        SHA256

        b1b3213c365c3bb4047a30446181aab8cd835eda9a4ebfb02d29f8629d205bfc

        SHA512

        689289e254060a9f5e6e3c2ad69871c28cb9bd7cf5af16257a95a65205ae2c52c928737dac348084a8870f69de9f530c60f2895d4cfccc2275d0f8f25420f138

        Download Submit

      • C:\Program Files (x86)\cosstminn\LVl_.x64.dll
        Filesize

        687KB

        MD5

        81d4889568a6f6e358ca9a3d307765e1

        SHA1

        60990e17843d1de4b2ed29acd97e988c33b5e55e

        SHA256

        b1b3213c365c3bb4047a30446181aab8cd835eda9a4ebfb02d29f8629d205bfc

        SHA512

        689289e254060a9f5e6e3c2ad69871c28cb9bd7cf5af16257a95a65205ae2c52c928737dac348084a8870f69de9f530c60f2895d4cfccc2275d0f8f25420f138

        Download Submit

      • memory/3948-138-0x0000000000000000-mapping.dmp

        Download

      • memory/4148-141-0x0000000000000000-mapping.dmp

        Download

      • memory/4668-132-0x0000000002BA0000-0x0000000002C42000-memory.dmp

        Filesize

        648KB

        Download