Analysis

  • max time kernel
    151s
  • max time network
    149s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
  • submitted
    25-11-2022 22:04

General

  • Target

    5b25ef51a2a70e11d3e37c95099b522e61fd64f8a382ff2516a69a8584b74b16.exe

  • Size

    819KB

  • MD5

    3fabe8f4e16f5e8b3df2992d4ba71c47

  • SHA1

    c156a8928ddff7c1009cfcb6c87bca6a788d8d0a

  • SHA256

    5b25ef51a2a70e11d3e37c95099b522e61fd64f8a382ff2516a69a8584b74b16

  • SHA512

    a033a8e1b74daf7adfbe797373e1c1a9ff9a761538377de855655fc8e4350e3646e25cf870b9a4f5c16d45d5e43f7742c80ec46b8a175c84959944564cb3fa2a

  • SSDEEP

    24576:v2O/GliJMDVMZpqa/brHkNbuvrl+YXOUs:ZUpEbzkN4xdOp

Malware Config

Signatures

  • ACProtect 1.3x - 1.4x DLL software 1 IoCs

    Detects file using ACProtect software.

  • ASPack v2.12-2.42 8 IoCs

    Detects executables packed with ASPack v2.12-2.42

  • Executes dropped EXE 1 IoCs
  • Sets service image path in registry 2 TTPs 1 IoCs
  • UPX packed file 2 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Loads dropped DLL 7 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Drops file in System32 directory 4 IoCs
  • Drops file in Windows directory 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies Internet Explorer settings 1 TTPs 50 IoCs
  • Modifies Internet Explorer start page 1 TTPs 2 IoCs
  • Modifies registry class 7 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: LoadsDriver 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 8 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    PID:1340
    • C:\Users\Admin\AppData\Local\Temp\5b25ef51a2a70e11d3e37c95099b522e61fd64f8a382ff2516a69a8584b74b16.exe
      "C:\Users\Admin\AppData\Local\Temp\5b25ef51a2a70e11d3e37c95099b522e61fd64f8a382ff2516a69a8584b74b16.exe"
      2⤵
      • Loads dropped DLL
      • Drops file in Windows directory
      • Suspicious use of WriteProcessMemory
      PID:604
      • C:\windows\WEB\CDClient.exe
        "C:\windows\WEB\CDClient.exe"
        3⤵
        • Executes dropped EXE
        • Sets service image path in registry
        • Loads dropped DLL
        • Drops file in System32 directory
        • Drops file in Windows directory
        • Modifies Internet Explorer settings
        • Modifies Internet Explorer start page
        • Modifies registry class
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: LoadsDriver
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:956
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c C:\Windows\SysWOW64\091301.bat
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:520
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c dir "C:\Users\Admin\Local Settings\Application Data\Mozilla\Firefox\Profiles\*.default" /B
            5⤵
            PID:1628
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c dir "C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\*.default" /B
            5⤵
            PID:1768
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c C:\Windows\SysWOW64\091308.bat
          4⤵
          PID:988
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c dir "C:\Users\Admin\Local Settings\Application Data\Mozilla\Firefox\Profiles\*.default" /B
            5⤵
            PID:1972
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c dir "C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\*.default" /B
            5⤵
            PID:1780
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          http://www.so.com
          4⤵
          PID:1996
          • C:\Program Files\Internet Explorer\IEXPLORE.EXE
            "C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://www.so.com
            5⤵
            • Modifies Internet Explorer settings
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SetWindowsHookEx
            PID:960
            • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
              "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:960 CREDAT:275457 /prefetch:2
              6⤵
              • Modifies Internet Explorer settings
              • Suspicious use of SetWindowsHookEx
              PID:928

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
    Filesize

    61KB

    MD5

    3dcf580a93972319e82cafbc047d34d5

    SHA1

    8528d2a1363e5de77dc3b1142850e51ead0f4b6b

    SHA256

    40810e31f1b69075c727e6d557f9614d5880112895ff6f4df1767e87ae5640d1

    SHA512

    98384be7218340f95dae88d1cb865f23a0b4e12855beb6e74a3752274c9b4c601e493864db777bca677a370d0a9dbffd68d94898a82014537f3a801cce839c42

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    42407474c1f77126fb8f38bd7cd7bdd9

    SHA1

    79a3c1519c1b09340798c737655baf3e2394b025

    SHA256

    b1b849ad0745052aa0578cd2733acf3177c6b962ee95bf7cdf49e95ffa40fd8a

    SHA512

    28c84ab58acfabf87ed723cbda211619265bba66e31ba621b02f9b1ce4e0f4cdb965e541fb539e5a4653c99125a50d571126f0507880551a7cee3e73ba831144

  • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\1evexod\imagestore.dat
    Filesize

    5KB

    MD5

    3219d2e33d48d371917755c9488a8092

    SHA1

    21389b772b59adc9e935bc783d0b8c9ceadb3049

    SHA256

    514394861d5029a6f788337a5ad2d87f16043898fa56c145a4d38f65b7d6bee9

    SHA512

    87bba0be61bb8b5c4c492e4ad618df284f4304125acbba2a563c1bedf55292e988498b46b92b39379f38900c9b2530a9f9354e33bc0a01fdc675e8d044382b41

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\Z101RX2F.txt
    Filesize

    608B

    MD5

    e67f6720a7b6c3951a27f2eae1d99ff8

    SHA1

    5e21ed1a7ba5f300cb49b560a1e1f2d7b2ed81b3

    SHA256

    2f064d1e8c38e95f6fa665b26e6e17950a1f757ae6abe036df2741fed8f39892

    SHA512

    05b29253188b46fb3905617c294c33c364f5f157d4ceb4590ec5bfc2e62718d3668082927fd8fb0a8cef1899601ac64d427933d512838e4f757a5fd7e22a93f4

  • C:\Windows\SysWOW64\091301.bat
    Filesize

    5KB

    MD5

    ad0d80bf6b4292dbada25f7f8fd6556c

    SHA1

    40133d1dea9905bf406fb88efcb57cd693e6cf43

    SHA256

    081f45a04b555b2406e5b63afbcdba4e564c3157e7d3720d21e8f53d2127bae1

    SHA512

    76eaacabecaaed7b4eb53fbc5db4d53b15ccdbe6526119346dc444e932cc1ebfffb74b0df3f54c85168d72082f9017802e9775bc178a58fcac0ab3c1ddb519cb

  • C:\Windows\SysWOW64\091308.bat
    Filesize

    5KB

    MD5

    ad0d80bf6b4292dbada25f7f8fd6556c

    SHA1

    40133d1dea9905bf406fb88efcb57cd693e6cf43

    SHA256

    081f45a04b555b2406e5b63afbcdba4e564c3157e7d3720d21e8f53d2127bae1

    SHA512

    76eaacabecaaed7b4eb53fbc5db4d53b15ccdbe6526119346dc444e932cc1ebfffb74b0df3f54c85168d72082f9017802e9775bc178a58fcac0ab3c1ddb519cb

  • C:\Windows\Web\CDClient.exe
    Filesize

    727KB

    MD5

    bae36106febed2468b3d14685936ff56

    SHA1

    3bbb2aa6e3fa878bd3aee18a8012073b25687b13

    SHA256

    68733661aa094199142075c2dc58bff437fc689c87123382ccad8fdce21f55db

    SHA512

    a9dc33ea5ef4e5b2a86b16f50ef97d83deb6f4461dd17c666106589126cf00ae4f877d8c2ec3ed5dd5c41c5301567ae790b6ef9b71ffeb7c2ab35fda15d61c36

  • \Users\Admin\AppData\Local\Temp\E22450\AGCIsJw.dll
    Filesize

    595KB

    MD5

    2f152f59468ec96a89d87c072b9cd521

    SHA1

    9e0bc1d43d8d5c5a97e5e72e473c682802cb092a

    SHA256

    085c4dd097865609fadc4aa87cd7dff89d6aca6b1bbff722abcebcde7828a453

    SHA512

    009973dd7ecc3d24b78b5b4536e9aeb95dee9a34a8f35006423c86cbe6b619d050b1a50a6fa2b28a160842a9738ae7e2934eb6dc30e126530d55afd2b6d1fa8a

  • \Users\Admin\AppData\Local\Temp\E22450\mrtGvEH.dll
    Filesize

    546KB

    MD5

    f60d60bf6a5bc518f0630857d8d602da

    SHA1

    810a18bacb7a2a15f056c7305f1ea4ce8a802c3b

    SHA256

    209b797fb8786e6b60261d3ff2bbfcb8b1cdd9698fe4707ea28f0b475bdec0a8

    SHA512

    9ce67959d703131837e3fe29de4dd945aa6062226a277200974c3567fbc0145b24584c13b68757fe77ce33872c5b5b42f5afc193fe4c0dc3f7e764b1218f155f

  • \Windows\SysWOW64\JFyGwy.dll
    Filesize

    63KB

    MD5

    fd8d4e1d20d085593e26e4fb879aac1f

    SHA1

    dd233f681bd4807851963736fe4554e152d06793

    SHA256

    39c865da0e189d296eae8838d9240aefadfd63507b070fa0e6803910a51202f3

    SHA512

    dee6185217cf4b9bfc1fb526ec365de67294f8ddeea95eaa5f72628731b52136cc2fa703a84cf35a22a32b870bbeb1f068192336474880c03c879380e7eac317

  • \Windows\Web\CDClient.exe
    Filesize

    727KB

    MD5

    bae36106febed2468b3d14685936ff56

    SHA1

    3bbb2aa6e3fa878bd3aee18a8012073b25687b13

    SHA256

    68733661aa094199142075c2dc58bff437fc689c87123382ccad8fdce21f55db

    SHA512

    a9dc33ea5ef4e5b2a86b16f50ef97d83deb6f4461dd17c666106589126cf00ae4f877d8c2ec3ed5dd5c41c5301567ae790b6ef9b71ffeb7c2ab35fda15d61c36

  • memory/520-64-0x0000000000000000-mapping.dmp
  • memory/604-54-0x0000000075F81000-0x0000000075F83000-memory.dmp
    Filesize

    8KB

  • memory/956-80-0x0000000074A50000-0x0000000074A73000-memory.dmp
    Filesize

    140KB

  • memory/956-59-0x0000000000000000-mapping.dmp
  • memory/988-72-0x0000000000000000-mapping.dmp
  • memory/1628-67-0x0000000000000000-mapping.dmp
  • memory/1768-69-0x0000000000000000-mapping.dmp
  • memory/1780-77-0x0000000000000000-mapping.dmp
  • memory/1972-75-0x0000000000000000-mapping.dmp
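
The Downloads list above is the file-IOC set for this sample, and two details matter when it is used on a host. 091301.bat and 091308.bat carry the same SHA-256 (one script written under two names, so match on content rather than file name), and the CryptnetUrlCache, imagestore.dat and cookie entries are Internet Explorer's own artifacts from the visit to http://www.so.com, not files the malware wrote, so they make poor indicators and are left out below. The following Python is an added example, not the sandbox's code: it sweeps a directory tree, reporting both exact hash matches and files that carry a dropped-file name with a different hash, which a hash-only check would miss. The directory built in demo() is constructed, and the SHA-256 of the bytes "hello" is added to the IOC table there only to exercise the hash-match path.

```python
"""File-IOC sweep built from the Downloads list above.

Added example, not part of the sandbox report. REPORT_IOCS is copied from the
list (SHA-256 and file name); IE's own cache, imagestore and cookie artifacts
are left out. demo() builds a constructed directory so the sweep runs offline.
"""
import hashlib
import tempfile
from pathlib import Path

# One entry per distinct hash: 091301.bat and 091308.bat are the same content
# under two names, and CDClient.exe is listed repeatedly for one file.
REPORT_IOCS = {
    "081f45a04b555b2406e5b63afbcdba4e564c3157e7d3720d21e8f53d2127bae1": ("091301.bat", "091308.bat"),
    "68733661aa094199142075c2dc58bff437fc689c87123382ccad8fdce21f55db": ("CDClient.exe",),
    "085c4dd097865609fadc4aa87cd7dff89d6aca6b1bbff722abcebcde7828a453": ("AGCIsJw.dll",),
    "209b797fb8786e6b60261d3ff2bbfcb8b1cdd9698fe4707ea28f0b475bdec0a8": ("mrtGvEH.dll",),
    "39c865da0e189d296eae8838d9240aefadfd63507b070fa0e6803910a51202f3": ("JFyGwy.dll",),
}


def sha256_file(path: Path) -> str:
    """Stream the file so a large mounted image does not have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def sweep(root, iocs=REPORT_IOCS):
    """Return (kind, path, sha256) for every file under root that is either an
    exact hash match or carries a dropped-file name with a different hash."""
    names = {n.lower() for ns in iocs.values() for n in ns}
    findings = []
    for p in Path(root).rglob("*"):
        if not p.is_file():
            continue
        digest = sha256_file(p)
        if digest in iocs:
            findings.append(("hash_match", str(p), digest))
        elif p.name.lower() in names:
            # Same name, different content: a repacked variant or a decoy; worth a look either way.
            findings.append(("name_match_hash_differs", str(p), digest))
    return sorted(findings)


def demo():
    """Constructed directory: a stand-in CDClient.exe with different content, and a
    file whose known hash (sha256 of b"hello") is added to the IOC table."""
    root = Path(tempfile.mkdtemp(prefix="ioc_sweep_"))
    (root / "Web").mkdir()
    (root / "Web" / "CDClient.exe").write_bytes(b"constructed stand-in, not the real dropper")
    (root / "known.bin").write_bytes(b"hello")
    (root / "notes.txt").write_bytes(b"unrelated file, must not be reported")
    iocs = dict(REPORT_IOCS)
    iocs["2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824"] = ("known.bin",)
    return {(kind, Path(path).name) for kind, path, _ in sweep(root, iocs)}


if __name__ == "__main__":
    for finding in sorted(demo()):
        print(*finding)
```

Point sweep() at a mounted disk image or at C:\Windows on a suspect host; a name match with a differing hash is the more interesting result in practice, since packed droppers such as this one (ASPack, UPX, ACProtect all flagged above) are routinely rebuilt with a new hash but the same drop paths.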