Overview

overview

8

Static

static

1

3cc16476c3...de.exe

windows7-x64

8

3cc16476c3...de.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    162s
  • max time network
    171s
  • platform
    windows7_x64
  • resource
    win7-20221111-en
  • resource tags

    arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
  • submitted
    27/11/2022, 08:28

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    3cc16476c3a2aac538254a1f1cf58e8d82be587f6b3d0d934642ce4bdc09afde.exe

  • Size

    3.4MB

  • MD5

    2aaaf07dfe5d67a8521b5f25b5b59664

  • SHA1

    4d7d00cfe863ec188aae41d24b7aee28d0ec1c5b

  • SHA256

    3cc16476c3a2aac538254a1f1cf58e8d82be587f6b3d0d934642ce4bdc09afde

  • SHA512

    954d37ea820f7986aa256474b1805147b656fb491e0d7ed975ef82c30311f211b3b2fbbbdcd343be9d56acd0aef1a3ee93309735a34401a4c59bd3bb4532fe71

  • SSDEEP

    49152:d38YCNewREqae79PndEAPywjFkfSNzSUXcPRNwjCGKRQqEW7riNjocCc4qaC:l8XUgPfzZkq19CGbRoclaC

Score
8/10
adwarediscoverypersistencespywarestealer

Malware Config

Signatures

  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 15 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Installs/modifies Browser Helper Object 2 TTPs 6 IoCs

    BHOs are DLL modules which act as plugins for Internet Explorer.

    stealeradware
  • Maps connected drives based on registry 3 TTPs 9 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Drops file in System32 directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • NSIS installer 18 IoCs
    installer
  • Modifies Internet Explorer Protected Mode 1 TTPs 2 IoCs
  • Modifies Internet Explorer Protected Mode Banner 1 TTPs 2 IoCs
  • Modifies Internet Explorer settings 1 TTPs 35 IoCs
    adwarespyware
  • Modifies registry class 17 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 26 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\3cc16476c3a2aac538254a1f1cf58e8d82be587f6b3d0d934642ce4bdc09afde.exe
    "C:\Users\Admin\AppData\Local\Temp\3cc16476c3a2aac538254a1f1cf58e8d82be587f6b3d0d934642ce4bdc09afde.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:1684
    • C:\Users\Admin\AppData\Local\Temp\dllhosts.exe
      "C:\Users\Admin\AppData\Local\Temp\dllhosts.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Installs/modifies Browser Helper Object
      • Maps connected drives based on registry
      • Drops file in System32 directory
      • Modifies Internet Explorer Protected Mode
      • Modifies Internet Explorer Protected Mode Banner
      • Modifies Internet Explorer settings
      • Modifies registry class
      PID:2016
    • C:\Users\Admin\AppData\Local\Temp\aspnetstate.exe
      "C:\Users\Admin\AppData\Local\Temp\aspnetstate.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • Installs/modifies Browser Helper Object
      • Maps connected drives based on registry
      • Drops file in System32 directory
      • Modifies Internet Explorer Protected Mode
      • Modifies Internet Explorer Protected Mode Banner
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:772
      • C:\Windows\SysWOW64\regsvr32.exe
        "C:\Windows\system32\regsvr32.exe" /s "C:\Windows\system32\vleumrqevovx.dll"
        3⤵
        • Adds Run key to start application
        • Installs/modifies Browser Helper Object
        • Maps connected drives based on registry
        • Modifies registry class
        PID:528
    • C:\Users\Admin\AppData\Local\Temp\setup.exe
      "C:\Users\Admin\AppData\Local\Temp\setup.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious behavior: GetForegroundWindowSpam
      PID:1156
  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
    1⤵
    • Modifies Internet Explorer settings
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1400
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1400 CREDAT:275457 /prefetch:2
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      PID:364

Network

        MITRE ATT&CK Enterprise v6

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\aspnetstate.exe
          Filesize

          404KB

          MD5

          f02631a1599d143fa8dfe013df84e211

          SHA1

          8b97ec9f37ea07831d33d9f9dc77f1f00c8c3e89

          SHA256

          2dcda858882bb5d6dab14846ea8846856c124d89ac08cd1eca614b22aa9f1e70

          SHA512

          028a10f5be9b0a78fd407d97e76e4149128417c17c2462da30878add44aad7f0920728614a77c95130b958751cfd5dda91570881901bef34e8b5c9e4c76012bb

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\aspnetstate.exe
          Filesize

          404KB

          MD5

          f02631a1599d143fa8dfe013df84e211

          SHA1

          8b97ec9f37ea07831d33d9f9dc77f1f00c8c3e89

          SHA256

          2dcda858882bb5d6dab14846ea8846856c124d89ac08cd1eca614b22aa9f1e70

          SHA512

          028a10f5be9b0a78fd407d97e76e4149128417c17c2462da30878add44aad7f0920728614a77c95130b958751cfd5dda91570881901bef34e8b5c9e4c76012bb

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\dllhosts.exe
          Filesize

          2.2MB

          MD5

          ff642a552115c04cb28055bdb8f89f14

          SHA1

          f5f0be4f35a1dd498fba0cd7aefdc24756845d8d

          SHA256

          18e401c86523475e1efeb7403e29cd0773bef2e54f130dfca47c1127f09ba6d3

          SHA512

          dbabac3c68e8a8ecaa1c3b9c7d8a10b16c93ed490b76ec18e00821ca20ad433962fea010c0d0b07013d972f43e04ee23a089068c8558655d11ce364957f69f59

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\dllhosts.exe
          Filesize

          2.2MB

          MD5

          ff642a552115c04cb28055bdb8f89f14

          SHA1

          f5f0be4f35a1dd498fba0cd7aefdc24756845d8d

          SHA256

          18e401c86523475e1efeb7403e29cd0773bef2e54f130dfca47c1127f09ba6d3

          SHA512

          dbabac3c68e8a8ecaa1c3b9c7d8a10b16c93ed490b76ec18e00821ca20ad433962fea010c0d0b07013d972f43e04ee23a089068c8558655d11ce364957f69f59

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\setup.exe
          Filesize

          834KB

          MD5

          bcffa234109bae73d651be4754dbecb5

          SHA1

          93ac5f9868220843682be9fc351e74446caa4ba1

          SHA256

          91f764e7e17978eaf2e82837c6de8783e815e802a84d3e681ff1153602fcae82

          SHA512

          5022d3156b3dcd8e53a4514e59d26944c2c215ee5018b7739ee2f574995a3a63477ddaf74eba1b0a949a7a3ee9e673c1e2e5c6319b4bcf04a7b2f5ca2b80dd0a

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\setup.exe
          Filesize

          834KB

          MD5

          bcffa234109bae73d651be4754dbecb5

          SHA1

          93ac5f9868220843682be9fc351e74446caa4ba1

          SHA256

          91f764e7e17978eaf2e82837c6de8783e815e802a84d3e681ff1153602fcae82

          SHA512

          5022d3156b3dcd8e53a4514e59d26944c2c215ee5018b7739ee2f574995a3a63477ddaf74eba1b0a949a7a3ee9e673c1e2e5c6319b4bcf04a7b2f5ca2b80dd0a

          Download Submit

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\W81OVF6H.txt
          Filesize

          608B

          MD5

          f735a0f456f9677350cbfa1986cc0818

          SHA1

          3961f0c865d8e11512dd280849bf5ba7e3aaeb9f

          SHA256

          90185e2ef157f23e8550672d9881fd4d2108599ee0cbfb5a826838cc96400052

          SHA512

          f83b7194ea9c4185e3bf8738b6b7a8b5490dbc6336953eff1fd20097060c51063b188481e47618f9ee50248ade7a044b1d5350b99ab3415efb0e2c305294ff35

          Download Submit

        • C:\Windows\SysWOW64\vleumrqevovx.dll
          Filesize

          695KB

          MD5

          36caaa3d635ae5ae9612d516b4613186

          SHA1

          b441bf69842ed6254b48ba0db5f4b67685327eb1

          SHA256

          5975f1dd4d6b13d7c2409b4c43119a2df162733c420cc637c1ce74f1f1355354

          SHA512

          4ed4a07f3eeed0cb2e51777856b149911f8eb5b0548123df19db94ba0fcf39b2322cc7576c2de00d3b9c0230267bbefaaadb887a7d4f68bfee60f44b6b0b4b7e

          Download Submit

        • \Users\Admin\AppData\Local\Temp\aspnetstate.exe
          Filesize

          404KB

          MD5

          f02631a1599d143fa8dfe013df84e211

          SHA1

          8b97ec9f37ea07831d33d9f9dc77f1f00c8c3e89

          SHA256

          2dcda858882bb5d6dab14846ea8846856c124d89ac08cd1eca614b22aa9f1e70

          SHA512

          028a10f5be9b0a78fd407d97e76e4149128417c17c2462da30878add44aad7f0920728614a77c95130b958751cfd5dda91570881901bef34e8b5c9e4c76012bb

          Download Submit

        • \Users\Admin\AppData\Local\Temp\dllhosts.exe
          Filesize

          2.2MB

          MD5

          ff642a552115c04cb28055bdb8f89f14

          SHA1

          f5f0be4f35a1dd498fba0cd7aefdc24756845d8d

          SHA256

          18e401c86523475e1efeb7403e29cd0773bef2e54f130dfca47c1127f09ba6d3

          SHA512

          dbabac3c68e8a8ecaa1c3b9c7d8a10b16c93ed490b76ec18e00821ca20ad433962fea010c0d0b07013d972f43e04ee23a089068c8558655d11ce364957f69f59

          Download Submit

        • \Users\Admin\AppData\Local\Temp\nsd59F5.tmp\Math.dll
          Filesize

          66KB

          MD5

          b140459077c7c39be4bef249c2f84535

          SHA1

          c56498241c2ddafb01961596da16d08d1b11cd35

          SHA256

          0598f7d83db44929b7170c1285457b52b4281185f63ced102e709bf065f10d67

          SHA512

          fbcb19a951d96a216d73b6b3e005338bbb6e11332c6cc8c3f179ccd420b4db0e5682dc4245bd120dcb67bc70960eab368e74c68c7c165a485a12a7d0d8a00328

          Download Submit

        • \Users\Admin\AppData\Local\Temp\nsd59F5.tmp\System.dll
          Filesize

          11KB

          MD5

          c17103ae9072a06da581dec998343fc1

          SHA1

          b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d

          SHA256

          dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f

          SHA512

          d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

          Download Submit

        • \Users\Admin\AppData\Local\Temp\nsd59F5.tmp\UAC.dll
          Filesize

          17KB

          MD5

          88ad3fd90fc52ac3ee0441a38400a384

          SHA1

          08bc9e1f5951b54126b5c3c769e3eaed42f3d10b

          SHA256

          e58884695378cf02715373928bb8ade270baf03144369463f505c3b3808cbc42

          SHA512

          359496f571e6fa2ec4c5ab5bd1d35d1330586f624228713ae55c65a69e07d8623022ef54337c22c3aab558a9b74d9977c8436f5fea4194899d9ef3ffd74e7dbb

          Download Submit

        • \Users\Admin\AppData\Local\Temp\nsd59F5.tmp\UAC.dll
          Filesize

          17KB

          MD5

          88ad3fd90fc52ac3ee0441a38400a384

          SHA1

          08bc9e1f5951b54126b5c3c769e3eaed42f3d10b

          SHA256

          e58884695378cf02715373928bb8ade270baf03144369463f505c3b3808cbc42

          SHA512

          359496f571e6fa2ec4c5ab5bd1d35d1330586f624228713ae55c65a69e07d8623022ef54337c22c3aab558a9b74d9977c8436f5fea4194899d9ef3ffd74e7dbb

          Download Submit

        • \Users\Admin\AppData\Local\Temp\nsd59F5.tmp\UAC.dll
          Filesize

          17KB

          MD5

          88ad3fd90fc52ac3ee0441a38400a384

          SHA1

          08bc9e1f5951b54126b5c3c769e3eaed42f3d10b

          SHA256

          e58884695378cf02715373928bb8ade270baf03144369463f505c3b3808cbc42

          SHA512

          359496f571e6fa2ec4c5ab5bd1d35d1330586f624228713ae55c65a69e07d8623022ef54337c22c3aab558a9b74d9977c8436f5fea4194899d9ef3ffd74e7dbb

          Download Submit

        • \Users\Admin\AppData\Local\Temp\nso5B1D.tmp\System.dll
          Filesize

          11KB

          MD5

          c17103ae9072a06da581dec998343fc1

          SHA1

          b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d

          SHA256

          dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f

          SHA512

          d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

          Download Submit

        • \Users\Admin\AppData\Local\Temp\nso5B1D.tmp\System.dll
          Filesize

          11KB

          MD5

          c17103ae9072a06da581dec998343fc1

          SHA1

          b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d

          SHA256

          dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f

          SHA512

          d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

          Download Submit

        • \Users\Admin\AppData\Local\Temp\nst68B5.tmp.dll
          Filesize

          695KB

          MD5

          36caaa3d635ae5ae9612d516b4613186

          SHA1

          b441bf69842ed6254b48ba0db5f4b67685327eb1

          SHA256

          5975f1dd4d6b13d7c2409b4c43119a2df162733c420cc637c1ce74f1f1355354

          SHA512

          4ed4a07f3eeed0cb2e51777856b149911f8eb5b0548123df19db94ba0fcf39b2322cc7576c2de00d3b9c0230267bbefaaadb887a7d4f68bfee60f44b6b0b4b7e

          Download Submit

        • \Users\Admin\AppData\Local\Temp\setup.exe
          Filesize

          834KB

          MD5

          bcffa234109bae73d651be4754dbecb5

          SHA1

          93ac5f9868220843682be9fc351e74446caa4ba1

          SHA256

          91f764e7e17978eaf2e82837c6de8783e815e802a84d3e681ff1153602fcae82

          SHA512

          5022d3156b3dcd8e53a4514e59d26944c2c215ee5018b7739ee2f574995a3a63477ddaf74eba1b0a949a7a3ee9e673c1e2e5c6319b4bcf04a7b2f5ca2b80dd0a

          Download Submit

        • \Users\Admin\AppData\Local\Temp\setup.exe
          Filesize

          834KB

          MD5

          bcffa234109bae73d651be4754dbecb5

          SHA1

          93ac5f9868220843682be9fc351e74446caa4ba1

          SHA256

          91f764e7e17978eaf2e82837c6de8783e815e802a84d3e681ff1153602fcae82

          SHA512

          5022d3156b3dcd8e53a4514e59d26944c2c215ee5018b7739ee2f574995a3a63477ddaf74eba1b0a949a7a3ee9e673c1e2e5c6319b4bcf04a7b2f5ca2b80dd0a

          Download Submit

        • \Users\Admin\AppData\Local\Temp\setup.exe
          Filesize

          834KB

          MD5

          bcffa234109bae73d651be4754dbecb5

          SHA1

          93ac5f9868220843682be9fc351e74446caa4ba1

          SHA256

          91f764e7e17978eaf2e82837c6de8783e815e802a84d3e681ff1153602fcae82

          SHA512

          5022d3156b3dcd8e53a4514e59d26944c2c215ee5018b7739ee2f574995a3a63477ddaf74eba1b0a949a7a3ee9e673c1e2e5c6319b4bcf04a7b2f5ca2b80dd0a

          Download Submit

        • \Users\Admin\AppData\Local\Temp\setup.exe
          Filesize

          834KB

          MD5

          bcffa234109bae73d651be4754dbecb5

          SHA1

          93ac5f9868220843682be9fc351e74446caa4ba1

          SHA256

          91f764e7e17978eaf2e82837c6de8783e815e802a84d3e681ff1153602fcae82

          SHA512

          5022d3156b3dcd8e53a4514e59d26944c2c215ee5018b7739ee2f574995a3a63477ddaf74eba1b0a949a7a3ee9e673c1e2e5c6319b4bcf04a7b2f5ca2b80dd0a

          Download Submit

        • \Windows\SysWOW64\3afeb524.dll
          Filesize

          2.6MB

          MD5

          3a8596359f3a788179aed1883f6b6dc3

          SHA1

          51cc1e635fceb6306536c8a7fe22d42e97fd1de5

          SHA256

          1e5823b5eba4d35f9175cc121ac5467b1c3ae23e5a58cd702c5f4d5adeede240

          SHA512

          7346e4a0f0d545109423fd15a9ee2792805413e81f4aacf43e65980e46c23b4270590ddd08ef3494e54470771afb951ca7b2118ba37b4b5158150c426dabdb35

          Download Submit

        • memory/1684-54-0x0000000076AE1000-0x0000000076AE3000-memory.dmp

          Filesize

          8KB

          Download

        • memory/2016-69-0x0000000000BC0000-0x0000000000BDA000-memory.dmp

          Filesize

          104KB

          Download