Overview

overview

8

Static

static

1

e70c1a5300...80.exe

windows7-x64

8

e70c1a5300...80.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    154s
  • max time network
    165s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    26-11-2022 22:54

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    e70c1a53008357fab3e236ff47f570cda3ee289199a72b799ab1ad3cb1044680.exe

  • Size

    689KB

  • MD5

    4e8c12dd138ba44b76075a668578360d

  • SHA1

    6e2cb4d2b422d6a70017b8e6f3f0c80b9844456b

  • SHA256

    e70c1a53008357fab3e236ff47f570cda3ee289199a72b799ab1ad3cb1044680

  • SHA512

    caacb35890bce8d51e549b92c1c7268c413ae26d73d4d04c9031130ffcb3b8184e7f74d17bccfed4bb60255450edd395d60f4141bc2d0143f887855f20db7b81

  • SSDEEP

    12288:p17DgB2IjHVG4G4Y7jeKuVnvon+N83LwwiAn6KkM33nxDbjeKuV4vPD+N82Lwwim:p1QoO1G4G37tUnvone83Z76bMHxPtU4u

Score
8/10
adwarediscoverypersistencespywarestealer

Malware Config

Signatures

  • Registers COM server for autorun 1 TTPs 3 IoCs
    persistence
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL 5 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Installs/modifies Browser Helper Object 2 TTPs 6 IoCs

    BHOs are DLL modules which act as plugins for Internet Explorer.

    stealeradware
  • Drops file in System32 directory 4 IoCs
  • Drops file in Program Files directory 23 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies Internet Explorer settings 1 TTPs 2 IoCs
    adwarespyware
  • Modifies registry class 56 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\e70c1a53008357fab3e236ff47f570cda3ee289199a72b799ab1ad3cb1044680.exe
    "C:\Users\Admin\AppData\Local\Temp\e70c1a53008357fab3e236ff47f570cda3ee289199a72b799ab1ad3cb1044680.exe"
    1⤵
    • Checks computer location settings
    • Loads dropped DLL
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:4856
    • C:\Windows\SysWOW64\regsvr32.exe
      regsvr32 "C:\Program Files (x86)\TrustMediaViewerV1\TrustMediaViewerV1alpha5885\ie\TrustMediaViewerV1alpha5885.dll" /s
      2⤵
      • Loads dropped DLL
      • Installs/modifies Browser Helper Object
      • Modifies registry class
      PID:1408
    • C:\Windows\SysWOW64\regsvr32.exe
      regsvr32 /s "C:\Program Files (x86)\TrustMediaViewerV1\TrustMediaViewerV1alpha5885\ie\TrustMediaViewerV1alpha5885x64.dll"
      2⤵
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:1292
      • C:\Windows\system32\regsvr32.exe
        /s "C:\Program Files (x86)\TrustMediaViewerV1\TrustMediaViewerV1alpha5885\ie\TrustMediaViewerV1alpha5885x64.dll"
        3⤵
        • Registers COM server for autorun
        • Loads dropped DLL
        • Installs/modifies Browser Helper Object
        • Modifies registry class
        PID:4424
    • C:\Windows\SysWOW64\gpupdate.exe
      "C:\Windows\System32\gpupdate.exe" /force
      2⤵
        PID:2348
    • C:\Windows\system32\svchost.exe
      C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
      1⤵
        PID:4848
      • C:\Windows\system32\svchost.exe
        C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
        1⤵
          PID:4824

        Network

        MITRE ATT&CK Enterprise v6

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Program Files (x86)\TrustMediaViewerV1\TrustMediaViewerV1alpha5885\ie\TrustMediaViewerV1alpha5885.dll
          Filesize

          85KB

          MD5

          4240ea02a10d0f19f3686279f9dd2d94

          SHA1

          f848db8db3c4b9a83a39d59f6d7c785c0586ecd3

          SHA256

          f7fd0d47777dfca9ec2071579a61bcb001c5cfd850405b06f133866cfd302581

          SHA512

          9b93ed81088e13d7c79e174d429c6270b6d51c96f69d13d3e851e091f9fa515632d9f16a52dc1c63bb51bd6f932527d60a659625670a3128d69974eb1bd4642a

          Download Submit

        • C:\Program Files (x86)\TrustMediaViewerV1\TrustMediaViewerV1alpha5885\ie\TrustMediaViewerV1alpha5885.dll
          Filesize

          85KB

          MD5

          4240ea02a10d0f19f3686279f9dd2d94

          SHA1

          f848db8db3c4b9a83a39d59f6d7c785c0586ecd3

          SHA256

          f7fd0d47777dfca9ec2071579a61bcb001c5cfd850405b06f133866cfd302581

          SHA512

          9b93ed81088e13d7c79e174d429c6270b6d51c96f69d13d3e851e091f9fa515632d9f16a52dc1c63bb51bd6f932527d60a659625670a3128d69974eb1bd4642a

          Download Submit

        • C:\Program Files (x86)\TrustMediaViewerV1\TrustMediaViewerV1alpha5885\ie\TrustMediaViewerV1alpha5885x64.dll
          Filesize

          100KB

          MD5

          f04bea75fe81dff9f6d69703f4f9fa8f

          SHA1

          8c6a6b4f1446107582a03253a5106f6997d46ca0

          SHA256

          d32013e0cc17a144878a096b0e2d815d3c9d297015bd85fab40b68e2c8f68a01

          SHA512

          60e0df5031fed97326e1d1565f42c0d3a2ccfd419731385e539069c5cacf4ffad41d9f5c98b710e06cd0a165a0c7baf513ded7dba4a56de726b3a1a6957c5ee6

          Download Submit

        • C:\Program Files (x86)\TrustMediaViewerV1\TrustMediaViewerV1alpha5885\ie\TrustMediaViewerV1alpha5885x64.dll
          Filesize

          100KB

          MD5

          f04bea75fe81dff9f6d69703f4f9fa8f

          SHA1

          8c6a6b4f1446107582a03253a5106f6997d46ca0

          SHA256

          d32013e0cc17a144878a096b0e2d815d3c9d297015bd85fab40b68e2c8f68a01

          SHA512

          60e0df5031fed97326e1d1565f42c0d3a2ccfd419731385e539069c5cacf4ffad41d9f5c98b710e06cd0a165a0c7baf513ded7dba4a56de726b3a1a6957c5ee6

          Download Submit

        • C:\Program Files (x86)\TrustMediaViewerV1\TrustMediaViewerV1alpha5885\ie\TrustMediaViewerV1alpha5885x64.dll
          Filesize

          100KB

          MD5

          f04bea75fe81dff9f6d69703f4f9fa8f

          SHA1

          8c6a6b4f1446107582a03253a5106f6997d46ca0

          SHA256

          d32013e0cc17a144878a096b0e2d815d3c9d297015bd85fab40b68e2c8f68a01

          SHA512

          60e0df5031fed97326e1d1565f42c0d3a2ccfd419731385e539069c5cacf4ffad41d9f5c98b710e06cd0a165a0c7baf513ded7dba4a56de726b3a1a6957c5ee6

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\nsjAAEC.tmp\System.dll
          Filesize

          11KB

          MD5

          c17103ae9072a06da581dec998343fc1

          SHA1

          b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d

          SHA256

          dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f

          SHA512

          d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\nsjAAEC.tmp\aminsis.dll
          Filesize

          567KB

          MD5

          f346047b13f37f79c462e59a6319faa1

          SHA1

          ce9e7cb9719000a69b463fe024c81229e322279f

          SHA256

          e78e0e61707cabec8383f1e74da9db8e0fa123a3a7b36f0080d70fbaed6f7453

          SHA512

          429209cc489ba9ac2d62055b128efb3cded3e31f966c7cdb1aee592ec7a54ab090526705fa2519498d92eb4bc2efa141cd83adc6c251b793388ad1208b172167

          Download Submit