Overview

overview

8

Static

static

6e94bd7a2c...1a.exe

windows7-x64

8

6e94bd7a2c...1a.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    165s
  • max time network
    170s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    23-11-2022 16:54

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    6e94bd7a2cb111e71e379fb8af6a5ff6706f1d797fbd40ad311f9bd47897681a.exe

  • Size

    3.1MB

  • MD5

    5a437c5354580759ec98193b37ee9717

  • SHA1

    37b9344ac53d66acdc47c4ec81d5d90ef8fd6473

  • SHA256

    6e94bd7a2cb111e71e379fb8af6a5ff6706f1d797fbd40ad311f9bd47897681a

  • SHA512

    2938ad45ecd8b53a414d993a5d3774855bb47c655747d207ae63a71eb06410149399a4e500b8b8f514850c49a12fffe4b04d5aa82a0d5383e3506c4388563bac

  • SSDEEP

    98304:qWubjvL8Qe073bgIIAhrTn7mvkkPAfvVq:q5ZeWIAh30kkMvVq

Score
8/10
adwarediscoverypersistencespywarestealer

Malware Config

Signatures

  • Registers COM server for autorun 1 TTPs 4 IoCs
    persistence
  • Loads dropped DLL 3 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Drops Chrome extension 5 IoCs
  • Installs/modifies Browser Helper Object 2 TTPs 8 IoCs

    BHOs are DLL modules which act as plugins for Internet Explorer.

    stealeradware
  • Drops file in System32 directory 4 IoCs
  • Drops file in Program Files directory 8 IoCs
  • Modifies Internet Explorer settings 1 TTPs 8 IoCs
    adwarespyware
  • Modifies registry class 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 16 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of WriteProcessMemory 5 IoCs
  • System policy modification 1 TTPs 1 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\6e94bd7a2cb111e71e379fb8af6a5ff6706f1d797fbd40ad311f9bd47897681a.exe
    "C:\Users\Admin\AppData\Local\Temp\6e94bd7a2cb111e71e379fb8af6a5ff6706f1d797fbd40ad311f9bd47897681a.exe"
    1⤵
    • Loads dropped DLL
    • Drops Chrome extension
    • Installs/modifies Browser Helper Object
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:4952
    • C:\Windows\SysWOW64\regsvr32.exe
      regsvr32.exe /s "C:\Program Files (x86)\cosstminn\zLx06ry.x64.dll"
      2⤵
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:532
      • C:\Windows\system32\regsvr32.exe
        /s "C:\Program Files (x86)\cosstminn\zLx06ry.x64.dll"
        3⤵
        • Registers COM server for autorun
        • Loads dropped DLL
        • Installs/modifies Browser Helper Object
        • Modifies Internet Explorer settings
        • Modifies registry class
        PID:2032
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
    1⤵
      PID:4940
    • C:\Windows\system32\svchost.exe
      C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
      1⤵
        PID:4860

      Network

      MITRE ATT&CK Matrix ATT&CK v6

      Initial Access

      Execution

      Persistence

      Registry Run Keys / Startup Folder

      1
      T1060

      Browser Extensions

      1
      T1176

      Privilege Escalation

      Defense Evasion

      Modify Registry

      3
      T1112

      Credential Access

      Credentials in Files

      1
      T1081

      Discovery

      Query Registry

      1
      T1012

      Lateral Movement

      Collection

      Data from Local System

      1
      T1005

      Exfiltration

      Command and Control

      Impact

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Program Files (x86)\cosstminn\zLx06ry.dat
        Filesize

        4KB

        MD5

        bd17def5ad8f3d19176401d6e85dd130

        SHA1

        952b15f1f6b07a3397c0210d872ac4dedd39a47b

        SHA256

        201b72f7d046ee9fa8618beccc386b871c31b0b73f2f2383b9999712a1217285

        SHA512

        7bf6ea6c10b776c2ba9e7da54df5ebbaf3c097ec8148d832d32f91092329e39a15964648cf4335a22953244e9e01a29972ee7991c7160fa2a26f52de36b3dddf

        Download Submit
      • C:\Program Files (x86)\cosstminn\zLx06ry.dll
        Filesize

        610KB

        MD5

        e6b1dcd76c32ee9d165867e9e264070c

        SHA1

        e27d03c15751ee9a57f4177fca5de359b8d36d4e

        SHA256

        7745c83eaf3ea86601740479c8be95ffc0ea4b8d4975829cd415034e398ff60a

        SHA512

        43f8621d6ea3030c2cfdf329b911526c7a25abec2442309c3bfe40dd5726d1fe371a4f621016529fb1bfa73578bb5eb5babcac70939bc274073614919b9970e5

        Download Submit
      • C:\Program Files (x86)\cosstminn\zLx06ry.tlb
        Filesize

        3KB

        MD5

        4aaac5bdfd389acc2fef6f90b968d8eb

        SHA1

        0648a3524009d361480cb497d1b842d462a354c7

        SHA256

        dd7cbb20981929ef6ae7ba1b6e50a8dd73309a2715caddae3d1b426d9318817e

        SHA512

        c82a8d46e57b498774b70d91d0212f34278b440fda4308c6e27e8763341630bee0553a8db66445a63126fd9feb1de036fe1f11e92eb429d39c009c20cb35da3a

        Download Submit
      • C:\Program Files (x86)\cosstminn\zLx06ry.x64.dll
        Filesize

        687KB

        MD5

        d1bfb50a3b3b04c79d5954ddaa7b63c0

        SHA1

        8aa33e704752d0e6508d0f45894b2a8f8476e555

        SHA256

        d7d1337b335e9479ff48cfdb8610d557139353767cdc38d4e3aa4a79880593ef

        SHA512

        ecfe78d99ec67e08af56d186ab1bd4bdf6d7d4f3c88a689d81ac532f2b5731198dfce3285c966954b3d7e0fb2afef05b5d66e960ab2e7da67cfc444c204839af

        Download Submit
      • C:\Program Files (x86)\cosstminn\zLx06ry.x64.dll
        Filesize

        687KB

        MD5

        d1bfb50a3b3b04c79d5954ddaa7b63c0

        SHA1

        8aa33e704752d0e6508d0f45894b2a8f8476e555

        SHA256

        d7d1337b335e9479ff48cfdb8610d557139353767cdc38d4e3aa4a79880593ef

        SHA512

        ecfe78d99ec67e08af56d186ab1bd4bdf6d7d4f3c88a689d81ac532f2b5731198dfce3285c966954b3d7e0fb2afef05b5d66e960ab2e7da67cfc444c204839af

        Download Submit
      • C:\Program Files (x86)\cosstminn\zLx06ry.x64.dll
        Filesize

        687KB

        MD5

        d1bfb50a3b3b04c79d5954ddaa7b63c0

        SHA1

        8aa33e704752d0e6508d0f45894b2a8f8476e555

        SHA256

        d7d1337b335e9479ff48cfdb8610d557139353767cdc38d4e3aa4a79880593ef

        SHA512

        ecfe78d99ec67e08af56d186ab1bd4bdf6d7d4f3c88a689d81ac532f2b5731198dfce3285c966954b3d7e0fb2afef05b5d66e960ab2e7da67cfc444c204839af

        Download Submit
      • memory/532-138-0x0000000000000000-mapping.dmp
        Download
      • memory/2032-141-0x0000000000000000-mapping.dmp
        Download
      • memory/4952-132-0x0000000000400000-0x00000000004A1000-memory.dmp
        Filesize

        644KB

        Download