Overview

overview

8

Static

static

e6094a8906...a3.exe

windows7-x64

8

e6094a8906...a3.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    129s
  • max time network
    156s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220901-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
  • submitted
    24-11-2022 17:43

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    e6094a8906ffaca5b075f86ecd14f76ba4295317e9490b7a797f5468d3d4a0a3.exe

  • Size

    4.6MB

  • MD5

    951e6de1be2bef0cadf6a3df95b932b9

  • SHA1

    7e61ee281db676a53d42c9c53040d27a502e2519

  • SHA256

    e6094a8906ffaca5b075f86ecd14f76ba4295317e9490b7a797f5468d3d4a0a3

  • SHA512

    37335cce656f65cd0b296cb8aad751020b863cc9317453e9d62f889354ebf4d3dd4a974327b6bbc4677da8d44f2ca87abc9e6666187e2481680d70fca8323cee

  • SSDEEP

    49152:NheoGUjQAuwgnz0p+jGnLJLpg5A7LSfQFXj+prN8kGKwR2k9OIa8+8vM5XxO8aOP:cGgop+jktpg5A7NXj+prN5wb9vX+8vM

Score
8/10
adwarediscoverypersistencespywarestealer

Malware Config

Signatures

  • Registers COM server for autorun 1 TTPs 4 IoCs
    persistence
  • Loads dropped DLL 3 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Drops Chrome extension 5 IoCs
  • Installs/modifies Browser Helper Object 2 TTPs 8 IoCs

    BHOs are DLL modules which act as plugins for Internet Explorer.

    stealeradware
  • Drops file in System32 directory 4 IoCs
  • Drops file in Program Files directory 8 IoCs
  • Modifies Internet Explorer settings 1 TTPs 8 IoCs
    adwarespyware
  • Modifies registry class 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 20 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of WriteProcessMemory 5 IoCs
  • System policy modification 1 TTPs 1 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\e6094a8906ffaca5b075f86ecd14f76ba4295317e9490b7a797f5468d3d4a0a3.exe
    "C:\Users\Admin\AppData\Local\Temp\e6094a8906ffaca5b075f86ecd14f76ba4295317e9490b7a797f5468d3d4a0a3.exe"
    1⤵
    • Loads dropped DLL
    • Drops Chrome extension
    • Installs/modifies Browser Helper Object
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:5080
    • C:\Windows\SysWOW64\regsvr32.exe
      regsvr32.exe /s "C:\Program Files (x86)\SmartOnes\k8YcNyFMtOO9Zx.x64.dll"
      2⤵
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:4948
      • C:\Windows\system32\regsvr32.exe
        /s "C:\Program Files (x86)\SmartOnes\k8YcNyFMtOO9Zx.x64.dll"
        3⤵
        • Registers COM server for autorun
        • Loads dropped DLL
        • Installs/modifies Browser Helper Object
        • Modifies Internet Explorer settings
        • Modifies registry class
        PID:5048
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
    1⤵
      PID:1668
    • C:\Windows\system32\svchost.exe
      C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
      1⤵
        PID:376

      Network

      MITRE ATT&CK Enterprise v6

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Program Files (x86)\SmartOnes\k8YcNyFMtOO9Zx.dat
        Filesize

        3KB

        MD5

        7a9ffd62619dc7c76c6423b59a2b2447

        SHA1

        a43c47ef4f2c8b58fec3e18fccc231390d13ded5

        SHA256

        8281c5ce66d9223645c2555f5d58ed9c25b18b5f99f091cde28209caaf5cc5e3

        SHA512

        628de41dc37d46b3855950e6aa3c14e045e38c732f047ddc191e14007e1042e37fcb9d1183d7dd2204e10183d51122be8a534f67ffc739b4d0fff533e3bf1e91

        Download Submit

      • C:\Program Files (x86)\SmartOnes\k8YcNyFMtOO9Zx.dll
        Filesize

        741KB

        MD5

        02955857b45fa9ddd4229b9d67f65d93

        SHA1

        a5fe5c71d62bd9648ab25660d7cae6eff98af3ed

        SHA256

        839e59c1dd9fa6ce4ed8b4b964b32a3afdd5b6b621580c47cdad754868abe753

        SHA512

        0b0c6a7754abead8aec777a1ee4330f4c5ee90aebde30266e6ad93f356f91abbe4a2bc3fdc924556edb82c3b4bd0f97191e72d6039bed14975d5e5b940af3261

        Download Submit

      • C:\Program Files (x86)\SmartOnes\k8YcNyFMtOO9Zx.tlb
        Filesize

        3KB

        MD5

        75846c93e1f5b9d77fcc4520a65b4936

        SHA1

        f4631b5f768bfa33063a96c7a0da478c1fb28791

        SHA256

        c6843974e37a7eb67c2e6550cec7ffd63645d80f4bd9613430e5824b4604b08b

        SHA512

        a51876207191e351f955e614be727f9b0141cce69d46f7bbf141a632306fe277de3372848c5b707da525d22bafca044b0a73c544a2a670d4056d33f37f7b328c

        Download Submit

      • C:\Program Files (x86)\SmartOnes\k8YcNyFMtOO9Zx.x64.dll
        Filesize

        879KB

        MD5

        f60a9be9218f7d3c329205bd4f585ee7

        SHA1

        8b31e1d5b92ff6642cc5fb707ec76596ce84002c

        SHA256

        7b08c02a0b7315c5b860b594d6486f85a8c182a1851313e1a6299810b896d394

        SHA512

        a6a18d63220f92f80881aaf5f7ed936d7e317a50fe2fc0452f5b3c6793b5b6ffac782366c65d91d7cad1b5a68149f5fa9cd82cf57ba0208ea271c792bddee6a7

        Download Submit

      • C:\Program Files (x86)\SmartOnes\k8YcNyFMtOO9Zx.x64.dll
        Filesize

        879KB

        MD5

        f60a9be9218f7d3c329205bd4f585ee7

        SHA1

        8b31e1d5b92ff6642cc5fb707ec76596ce84002c

        SHA256

        7b08c02a0b7315c5b860b594d6486f85a8c182a1851313e1a6299810b896d394

        SHA512

        a6a18d63220f92f80881aaf5f7ed936d7e317a50fe2fc0452f5b3c6793b5b6ffac782366c65d91d7cad1b5a68149f5fa9cd82cf57ba0208ea271c792bddee6a7

        Download Submit

      • C:\Program Files (x86)\SmartOnes\k8YcNyFMtOO9Zx.x64.dll
        Filesize

        879KB

        MD5

        f60a9be9218f7d3c329205bd4f585ee7

        SHA1

        8b31e1d5b92ff6642cc5fb707ec76596ce84002c

        SHA256

        7b08c02a0b7315c5b860b594d6486f85a8c182a1851313e1a6299810b896d394

        SHA512

        a6a18d63220f92f80881aaf5f7ed936d7e317a50fe2fc0452f5b3c6793b5b6ffac782366c65d91d7cad1b5a68149f5fa9cd82cf57ba0208ea271c792bddee6a7

        Download Submit

      • memory/4948-138-0x0000000000000000-mapping.dmp

        Download

      • memory/5048-141-0x0000000000000000-mapping.dmp

        Download

      • memory/5080-132-0x0000000002F70000-0x000000000303C000-memory.dmp

        Filesize

        816KB

        Download