Overview

overview

9

Static

static

5b25ef51a2...16.exe

windows7-x64

9

5b25ef51a2...16.exe

windows10-2004-x64

9

Analysis

  • max time kernel
    170s
  • max time network
    173s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    25-11-2022 22:04

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    5b25ef51a2a70e11d3e37c95099b522e61fd64f8a382ff2516a69a8584b74b16.exe

  • Size

    819KB

  • MD5

    3fabe8f4e16f5e8b3df2992d4ba71c47

  • SHA1

    c156a8928ddff7c1009cfcb6c87bca6a788d8d0a

  • SHA256

    5b25ef51a2a70e11d3e37c95099b522e61fd64f8a382ff2516a69a8584b74b16

  • SHA512

    a033a8e1b74daf7adfbe797373e1c1a9ff9a761538377de855655fc8e4350e3646e25cf870b9a4f5c16d45d5e43f7742c80ec46b8a175c84959944564cb3fa2a

  • SSDEEP

    24576:v2O/GliJMDVMZpqa/brHkNbuvrl+YXOUs:ZUpEbzkN4xdOp

Score
9/10
aspackv2persistencespywarestealerupx

Malware Config

Signatures

  • ACProtect 1.3x - 1.4x DLL software 1 IoCs

    Detects file using ACProtect software.

  • ASPack v2.12-2.42 6 IoCs

    Detects executables packed with ASPack v2.12-2.42

    aspackv2
  • Executes dropped EXE 1 IoCs
  • Sets service image path in registry 2 TTPs 1 IoCs
    persistence
  • UPX packed file 2 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL 5 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Drops file in System32 directory 4 IoCs
  • Drops file in Windows directory 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies Internet Explorer settings 1 TTPs 26 IoCs
    adwarespyware
  • Modifies Internet Explorer start page 1 TTPs 2 IoCs
    stealer
  • Modifies registry class 7 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: LoadsDriver 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 10 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 18 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:532
      • C:\Users\Admin\AppData\Local\Temp\5b25ef51a2a70e11d3e37c95099b522e61fd64f8a382ff2516a69a8584b74b16.exe
        "C:\Users\Admin\AppData\Local\Temp\5b25ef51a2a70e11d3e37c95099b522e61fd64f8a382ff2516a69a8584b74b16.exe"
        2⤵
        • Checks computer location settings
        • Drops file in Windows directory
        • Suspicious use of WriteProcessMemory
        PID:1192
        • C:\windows\WEB\CDClient.exe
          "C:\windows\WEB\CDClient.exe"
          3⤵
          • Executes dropped EXE
          • Sets service image path in registry
          • Loads dropped DLL
          • Drops file in System32 directory
          • Drops file in Windows directory
          • Modifies Internet Explorer settings
          • Modifies Internet Explorer start page
          • Modifies registry class
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: LoadsDriver
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:3280
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\091339.bat
            4⤵
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:4464
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c dir "C:\Users\Admin\Local Settings\Application Data\Mozilla\Firefox\Profiles\*.default" /B
              5⤵
              • Suspicious use of SetWindowsHookEx
              PID:4976
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c dir "C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\*.default" /B
              5⤵
              • Suspicious use of SetWindowsHookEx
              PID:5024
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\175511.bat
            4⤵
            • Suspicious use of SetWindowsHookEx
            PID:1116
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c dir "C:\Users\Admin\Local Settings\Application Data\Mozilla\Firefox\Profiles\*.default" /B
              5⤵
              • Suspicious use of SetWindowsHookEx
              PID:3676
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c dir "C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\*.default" /B
              5⤵
              • Suspicious use of SetWindowsHookEx
              PID:3704
          • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
            http://www.so.com
            4⤵
            • Suspicious use of SetWindowsHookEx
            PID:3984
            • C:\Program Files\Internet Explorer\IEXPLORE.EXE
              "C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://www.so.com
              5⤵
              • Modifies Internet Explorer settings
              • Suspicious use of FindShellTrayWindow
              • Suspicious use of SetWindowsHookEx
              PID:3432
              • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3432 CREDAT:17410 /prefetch:2
                6⤵
                • Modifies Internet Explorer settings
                • Suspicious use of SetWindowsHookEx
                PID:4616

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\B98561\lqqHsAA.dll
      Filesize

      595KB

      MD5

      2f152f59468ec96a89d87c072b9cd521

      SHA1

      9e0bc1d43d8d5c5a97e5e72e473c682802cb092a

      SHA256

      085c4dd097865609fadc4aa87cd7dff89d6aca6b1bbff722abcebcde7828a453

      SHA512

      009973dd7ecc3d24b78b5b4536e9aeb95dee9a34a8f35006423c86cbe6b619d050b1a50a6fa2b28a160842a9738ae7e2934eb6dc30e126530d55afd2b6d1fa8a

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\B98561\lqqHsAA.dll
      Filesize

      595KB

      MD5

      2f152f59468ec96a89d87c072b9cd521

      SHA1

      9e0bc1d43d8d5c5a97e5e72e473c682802cb092a

      SHA256

      085c4dd097865609fadc4aa87cd7dff89d6aca6b1bbff722abcebcde7828a453

      SHA512

      009973dd7ecc3d24b78b5b4536e9aeb95dee9a34a8f35006423c86cbe6b619d050b1a50a6fa2b28a160842a9738ae7e2934eb6dc30e126530d55afd2b6d1fa8a

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\B98561\vupJxBJ.dll
      Filesize

      546KB

      MD5

      f60d60bf6a5bc518f0630857d8d602da

      SHA1

      810a18bacb7a2a15f056c7305f1ea4ce8a802c3b

      SHA256

      209b797fb8786e6b60261d3ff2bbfcb8b1cdd9698fe4707ea28f0b475bdec0a8

      SHA512

      9ce67959d703131837e3fe29de4dd945aa6062226a277200974c3567fbc0145b24584c13b68757fe77ce33872c5b5b42f5afc193fe4c0dc3f7e764b1218f155f

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\B98561\vupJxBJ.dll
      Filesize

      546KB

      MD5

      f60d60bf6a5bc518f0630857d8d602da

      SHA1

      810a18bacb7a2a15f056c7305f1ea4ce8a802c3b

      SHA256

      209b797fb8786e6b60261d3ff2bbfcb8b1cdd9698fe4707ea28f0b475bdec0a8

      SHA512

      9ce67959d703131837e3fe29de4dd945aa6062226a277200974c3567fbc0145b24584c13b68757fe77ce33872c5b5b42f5afc193fe4c0dc3f7e764b1218f155f

      Download Submit

    • C:\Windows\SysWOW64\091339.bat
      Filesize

      5KB

      MD5

      ad0d80bf6b4292dbada25f7f8fd6556c

      SHA1

      40133d1dea9905bf406fb88efcb57cd693e6cf43

      SHA256

      081f45a04b555b2406e5b63afbcdba4e564c3157e7d3720d21e8f53d2127bae1

      SHA512

      76eaacabecaaed7b4eb53fbc5db4d53b15ccdbe6526119346dc444e932cc1ebfffb74b0df3f54c85168d72082f9017802e9775bc178a58fcac0ab3c1ddb519cb

      Download Submit

    • C:\Windows\SysWOW64\175511.bat
      Filesize

      5KB

      MD5

      ad0d80bf6b4292dbada25f7f8fd6556c

      SHA1

      40133d1dea9905bf406fb88efcb57cd693e6cf43

      SHA256

      081f45a04b555b2406e5b63afbcdba4e564c3157e7d3720d21e8f53d2127bae1

      SHA512

      76eaacabecaaed7b4eb53fbc5db4d53b15ccdbe6526119346dc444e932cc1ebfffb74b0df3f54c85168d72082f9017802e9775bc178a58fcac0ab3c1ddb519cb

      Download Submit

    • C:\Windows\SysWOW64\swKxst.dll
      Filesize

      63KB

      MD5

      fd8d4e1d20d085593e26e4fb879aac1f

      SHA1

      dd233f681bd4807851963736fe4554e152d06793

      SHA256

      39c865da0e189d296eae8838d9240aefadfd63507b070fa0e6803910a51202f3

      SHA512

      dee6185217cf4b9bfc1fb526ec365de67294f8ddeea95eaa5f72628731b52136cc2fa703a84cf35a22a32b870bbeb1f068192336474880c03c879380e7eac317

      Download Submit

    • C:\Windows\Web\CDClient.exe
      Filesize

      727KB

      MD5

      bae36106febed2468b3d14685936ff56

      SHA1

      3bbb2aa6e3fa878bd3aee18a8012073b25687b13

      SHA256

      68733661aa094199142075c2dc58bff437fc689c87123382ccad8fdce21f55db

      SHA512

      a9dc33ea5ef4e5b2a86b16f50ef97d83deb6f4461dd17c666106589126cf00ae4f877d8c2ec3ed5dd5c41c5301567ae790b6ef9b71ffeb7c2ab35fda15d61c36

      Download Submit

    • C:\windows\WEB\CDClient.exe
      Filesize

      727KB

      MD5

      bae36106febed2468b3d14685936ff56

      SHA1

      3bbb2aa6e3fa878bd3aee18a8012073b25687b13

      SHA256

      68733661aa094199142075c2dc58bff437fc689c87123382ccad8fdce21f55db

      SHA512

      a9dc33ea5ef4e5b2a86b16f50ef97d83deb6f4461dd17c666106589126cf00ae4f877d8c2ec3ed5dd5c41c5301567ae790b6ef9b71ffeb7c2ab35fda15d61c36

      Download Submit

    • memory/1116-143-0x0000000000000000-mapping.dmp

      Download

    • memory/3280-132-0x0000000000000000-mapping.dmp

      Download

    • memory/3280-148-0x0000000071B30000-0x0000000071B53000-memory.dmp

      Filesize

      140KB

      Download

    • memory/3676-145-0x0000000000000000-mapping.dmp

      Download

    • memory/3704-146-0x0000000000000000-mapping.dmp

      Download

    • memory/4464-139-0x0000000000000000-mapping.dmp

      Download

    • memory/4976-141-0x0000000000000000-mapping.dmp

      Download

    • memory/5024-142-0x0000000000000000-mapping.dmp

      Download