Overview

overview

8

Static

static

866b83a2d4...19.exe

windows7-x64

8

866b83a2d4...19.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    42s
  • max time network
    45s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    24-11-2022 22:49

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    866b83a2d4dc367718836d3f657503b381fa99a755aa533e3d95c79ac6643919.exe

  • Size

    3.0MB

  • MD5

    e1fa83f71697f2d2bc0179260e52a47f

  • SHA1

    177e8a80de6b6e6f666956624f2663c6c45e0e2c

  • SHA256

    866b83a2d4dc367718836d3f657503b381fa99a755aa533e3d95c79ac6643919

  • SHA512

    8d4a18f8fdb70937b88b9bb13521650fd0ec4f8a7ba7e605f5e6338510321ee00f6cc3a2a5c09363d9670521d535867f925249bbbbefb7df779fcf20327e2b92

  • SSDEEP

    49152:9a+rpFCFSaMUnkl+Px8Av5jt+L83m6veJ2ujTEhAWSHZfynkmt:9aCpFCnkl+pr5jt+La28unEi1Ok

Score
8/10
adwarediscoverypersistencespywarestealer

Malware Config

Signatures

  • Registers COM server for autorun 1 TTPs 4 IoCs
    persistence
  • Loads dropped DLL 3 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Drops Chrome extension 3 IoCs
  • Installs/modifies Browser Helper Object 2 TTPs 8 IoCs

    BHOs are DLL modules which act as plugins for Internet Explorer.

    stealeradware
  • Drops file in System32 directory 4 IoCs
  • Drops file in Program Files directory 8 IoCs
  • Modifies Internet Explorer settings 1 TTPs 8 IoCs
    adwarespyware
  • Modifies registry class 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs
  • System policy modification 1 TTPs 2 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\866b83a2d4dc367718836d3f657503b381fa99a755aa533e3d95c79ac6643919.exe
    "C:\Users\Admin\AppData\Local\Temp\866b83a2d4dc367718836d3f657503b381fa99a755aa533e3d95c79ac6643919.exe"
    1⤵
    • Loads dropped DLL
    • Drops Chrome extension
    • Installs/modifies Browser Helper Object
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:980
    • C:\Windows\SysWOW64\regsvr32.exe
      regsvr32.exe /s "C:\Program Files (x86)\cosstminn\YWO.x64.dll"
      2⤵
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:1940
      • C:\Windows\system32\regsvr32.exe
        /s "C:\Program Files (x86)\cosstminn\YWO.x64.dll"
        3⤵
        • Registers COM server for autorun
        • Loads dropped DLL
        • Installs/modifies Browser Helper Object
        • Modifies Internet Explorer settings
        • Modifies registry class
        PID:1240

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Program Files (x86)\cosstminn\YWO.dat
    Filesize

    4KB

    MD5

    400099cea6802324f899a2c1182e4b5b

    SHA1

    b267f53c535a6c02341d425a0e8813aebd10b201

    SHA256

    cd204f58b118f980aaadc4f68608dd1b288ea20ecddfc0784bf31b5b0c360201

    SHA512

    a3f5b39956dfe4ab6bd74aca8d02a089ace5185500e2b6d6e77e935ac1f1a824c58ec8e35e074f99cf23704df632ee208558ad08981c97c64e0337845470bb13

    Download Submit

  • C:\Program Files (x86)\cosstminn\YWO.tlb
    Filesize

    3KB

    MD5

    3fdfaa71c68f31e83daf46b214ff8c89

    SHA1

    fe4a9d2172e9a94570f46fc151b94f90db08da77

    SHA256

    2d4e42ee22cf2171777f6f2aa232df7a2ad3445b6988ee2f2666ec2a863aca93

    SHA512

    392faf168a97d35fc4fa414844cae3662d231f18d5db55891e6cf281f34cef590cb94f6a650565b5b2bdf2c0899dc872c432106449604079f3283da241f2a100

    Download Submit

  • C:\Program Files (x86)\cosstminn\YWO.x64.dll
    Filesize

    687KB

    MD5

    cd1a0489adc1f05fc31a65eb26e08c92

    SHA1

    95af9d7095d36dee3e4d2e2952ca1a199c2bb596

    SHA256

    b63804fa2e99e3bd6b8dac3e203cba731ae2317e1fdae32014a88ff40a7a4755

    SHA512

    52bc43818912822eb746196aea22b11287a914f156c2838e8c2bc01469758ac18f0575df3d05f7b37042e8c3fd88d5c905d69f359963d5d57c42d0bd7b073c19

    Download Submit

  • \Program Files (x86)\cosstminn\YWO.dll
    Filesize

    610KB

    MD5

    8c17652e3d7951221e9afeb07a4c71e6

    SHA1

    68aeb97e567f4e705d4126a60bd94ef567760b61

    SHA256

    4085d30c67ed3d336266d7dd5c2a1bfac8e6ba45f9240b31283e43ac9555ea24

    SHA512

    6f21a4058579e7babe1ee44199fc41bf282d6e0c92352c636f39160c7c9e61191f9eb4186dcba8f0a25cf51f97c181e3027f2bbcee9f723a85de159121655065

    Download Submit

  • \Program Files (x86)\cosstminn\YWO.x64.dll
    Filesize

    687KB

    MD5

    cd1a0489adc1f05fc31a65eb26e08c92

    SHA1

    95af9d7095d36dee3e4d2e2952ca1a199c2bb596

    SHA256

    b63804fa2e99e3bd6b8dac3e203cba731ae2317e1fdae32014a88ff40a7a4755

    SHA512

    52bc43818912822eb746196aea22b11287a914f156c2838e8c2bc01469758ac18f0575df3d05f7b37042e8c3fd88d5c905d69f359963d5d57c42d0bd7b073c19

    Download Submit

  • \Program Files (x86)\cosstminn\YWO.x64.dll
    Filesize

    687KB

    MD5

    cd1a0489adc1f05fc31a65eb26e08c92

    SHA1

    95af9d7095d36dee3e4d2e2952ca1a199c2bb596

    SHA256

    b63804fa2e99e3bd6b8dac3e203cba731ae2317e1fdae32014a88ff40a7a4755

    SHA512

    52bc43818912822eb746196aea22b11287a914f156c2838e8c2bc01469758ac18f0575df3d05f7b37042e8c3fd88d5c905d69f359963d5d57c42d0bd7b073c19

    Download Submit

  • memory/980-70-0x0000000000802000-0x0000000000806000-memory.dmp

    Filesize

    16KB

    Download

  • memory/980-73-0x0000000000802000-0x0000000000806000-memory.dmp

    Filesize

    16KB

    Download

  • memory/980-66-0x0000000000802000-0x0000000000806000-memory.dmp

    Filesize

    16KB

    Download

  • memory/980-67-0x0000000000802000-0x0000000000806000-memory.dmp

    Filesize

    16KB

    Download

  • memory/980-68-0x0000000000802000-0x0000000000806000-memory.dmp

    Filesize

    16KB

    Download

  • memory/980-69-0x0000000000802000-0x0000000000806000-memory.dmp

    Filesize

    16KB

    Download

  • memory/980-54-0x0000000075811000-0x0000000075813000-memory.dmp

    Filesize

    8KB

    Download

  • memory/980-71-0x0000000000802000-0x0000000000806000-memory.dmp

    Filesize

    16KB

    Download

  • memory/980-72-0x0000000000802000-0x0000000000806000-memory.dmp

    Filesize

    16KB

    Download

  • memory/980-65-0x0000000000802000-0x0000000000806000-memory.dmp

    Filesize

    16KB

    Download

  • memory/980-74-0x0000000000802000-0x0000000000806000-memory.dmp

    Filesize

    16KB

    Download

  • memory/980-64-0x0000000000802000-0x0000000000806000-memory.dmp

    Filesize

    16KB

    Download

  • memory/980-55-0x0000000002670000-0x0000000002710000-memory.dmp

    Filesize

    640KB

    Download

  • memory/980-60-0x0000000000802000-0x0000000000806000-memory.dmp

    Filesize

    16KB

    Download

  • memory/980-61-0x0000000000802000-0x0000000000806000-memory.dmp

    Filesize

    16KB

    Download

  • memory/980-62-0x0000000000802000-0x0000000000806000-memory.dmp

    Filesize

    16KB

    Download

  • memory/980-63-0x0000000000802000-0x0000000000806000-memory.dmp

    Filesize

    16KB

    Download

  • memory/1240-81-0x000007FEFB931000-0x000007FEFB933000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1240-80-0x0000000000000000-mapping.dmp

    Download

  • memory/1940-76-0x0000000000000000-mapping.dmp

    Download