Overview

overview

8

Static

static

c1157c96d3...14.exe

windows7-x64

8

c1157c96d3...14.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    166s
  • max time network
    173s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    25-11-2022 21:14

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    c1157c96d3f91dd1c71b6d3572a63ef6da2eec0981a8a54f36487f24e9421814.exe

  • Size

    1.9MB

  • MD5

    90d63f01ac77504bb55cbfd72e8ba186

  • SHA1

    f70b569e9c29684b36e4241f36b463f9d6aa03a2

  • SHA256

    c1157c96d3f91dd1c71b6d3572a63ef6da2eec0981a8a54f36487f24e9421814

  • SHA512

    5b855c8ab7438b703cb21146318ef6f0fbe0b408d74eff287e003a90c072e924cc1af2ca7cc9623fbc38df72db4ab8c84aa8cd6094845d4fdb30c8cec3a47b54

  • SSDEEP

    49152:GwHv9lt/SgRIpVQIIFJxGfVSDiQAU4KzPZTm19Gkt/:GwVlxSgRUKhGfApAUPz1mzGkt/

Score
8/10
adwareaspackv2discoverypersistencestealer

Malware Config

Signatures

  • ASPack v2.12-2.42 2 IoCs

    Detects executables packed with ASPack v2.12-2.42

    aspackv2
  • Executes dropped EXE 2 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL 1 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Installs/modifies Browser Helper Object 2 TTPs 2 IoCs

    BHOs are DLL modules which act as plugins for Internet Explorer.

    stealeradware
  • Drops file in System32 directory 4 IoCs
  • Drops file in Program Files directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies registry class 45 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\c1157c96d3f91dd1c71b6d3572a63ef6da2eec0981a8a54f36487f24e9421814.exe
    "C:\Users\Admin\AppData\Local\Temp\c1157c96d3f91dd1c71b6d3572a63ef6da2eec0981a8a54f36487f24e9421814.exe"
    1⤵
    • Drops file in System32 directory
    • Suspicious use of WriteProcessMemory
    PID:4772
    • C:\Windows\SysWOW64\searchgoosginst.exe
      C:\Windows\system32\searchgoosginst.exe
      2⤵
      • Executes dropped EXE
      • Checks computer location settings
      • Loads dropped DLL
      • Adds Run key to start application
      • Installs/modifies Browser Helper Object
      • Drops file in System32 directory
      • Drops file in Program Files directory
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:1368
      • C:\Program Files (x86)\searchgoosg\serkle.exe
        "C:\Program Files (x86)\searchgoosg\serkle.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:2748

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Program Files (x86)\searchgoosg\searchgoosg.dll
    Filesize

    123KB

    MD5

    e8b4bf324251922a7fb629a140b214b2

    SHA1

    419a66e8841d4fc1bd15b0a95c9afb778e54566b

    SHA256

    ad6bca5dd0092942fc7bf6020a40fe5e68f826ea9599d21225b1159532ca7114

    SHA512

    3604352022fad3fe92975205221a91a85be1a8184fb244f57ecb52a1b5611fb353e156522411d812f500058d57793903b81e22cc8bd504ffd9646ebaff46f79d

    Download Submit

  • C:\Program Files (x86)\searchgoosg\serkle.exe
    Filesize

    1.2MB

    MD5

    c0d559d1d7b5607179f142b53bb11c79

    SHA1

    5f059c4fbbe790f1e54c4ac53353b07e41854c59

    SHA256

    b8d8d0f5752d070607d695a1196f0e38e7991f34c83cdb6858b9c4f075a06184

    SHA512

    a85989ad9560166ff1ffbd73bc3b0515c93ead1350c588c72739d06642ea79b3677cf06b1e2f6f545657c4d7a4fa4d47a988dfd3980611a7b853f4c44c478f67

    Download Submit

  • C:\Program Files (x86)\searchgoosg\serkle.exe
    Filesize

    1.2MB

    MD5

    c0d559d1d7b5607179f142b53bb11c79

    SHA1

    5f059c4fbbe790f1e54c4ac53353b07e41854c59

    SHA256

    b8d8d0f5752d070607d695a1196f0e38e7991f34c83cdb6858b9c4f075a06184

    SHA512

    a85989ad9560166ff1ffbd73bc3b0515c93ead1350c588c72739d06642ea79b3677cf06b1e2f6f545657c4d7a4fa4d47a988dfd3980611a7b853f4c44c478f67

    Download Submit

  • C:\Windows\SysWOW64\searchgoosginst.exe
    Filesize

    1.8MB

    MD5

    6fb4ee2d4197eb0a9d36108569a01219

    SHA1

    74f516d60430f187dbadc77327ac5f3a34423f01

    SHA256

    f5f48954e71b613b69eabf2cba550c7ada448fbb49d353d00f25e000559d7253

    SHA512

    f580c9d9e8c57b92dec34bc43c6c9002d5dd1c504797b4bbbf00467c3e4af07053c1a0e5f5918ad02495b4e6e1f16b3e8b9c4fc05b3bf1caa5481f9ec3b26407

    Download Submit

  • C:\Windows\SysWOW64\searchgoosginst.exe
    Filesize

    1.8MB

    MD5

    6fb4ee2d4197eb0a9d36108569a01219

    SHA1

    74f516d60430f187dbadc77327ac5f3a34423f01

    SHA256

    f5f48954e71b613b69eabf2cba550c7ada448fbb49d353d00f25e000559d7253

    SHA512

    f580c9d9e8c57b92dec34bc43c6c9002d5dd1c504797b4bbbf00467c3e4af07053c1a0e5f5918ad02495b4e6e1f16b3e8b9c4fc05b3bf1caa5481f9ec3b26407

    Download Submit

  • memory/1368-132-0x0000000000000000-mapping.dmp

    Download

  • memory/2748-136-0x0000000000000000-mapping.dmp

    Download

  • memory/2748-139-0x0000000000400000-0x00000000007F1000-memory.dmp

    Filesize

    3.9MB

    Download

  • memory/2748-140-0x0000000000400000-0x00000000007F1000-memory.dmp

    Filesize

    3.9MB

    Download

  • memory/2748-141-0x0000000000400000-0x00000000007F1000-memory.dmp

    Filesize

    3.9MB

    Download

  • memory/2748-142-0x0000000000400000-0x00000000007F1000-memory.dmp

    Filesize

    3.9MB

    Download

  • memory/2748-143-0x0000000000400000-0x00000000007F1000-memory.dmp

    Filesize

    3.9MB

    Download

  • memory/2748-144-0x0000000000400000-0x00000000007F1000-memory.dmp

    Filesize

    3.9MB

    Download