Overview

overview

8

Static

static

bc313b0f2a...58.exe

windows7-x64

8

bc313b0f2a...58.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    148s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    27-11-2022 15:06

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    bc313b0f2ab37c9c5acb7a1aaa8f24b8c0b8d1ca5f3484a0ace24eb8c6098c58.exe

  • Size

    4.0MB

  • MD5

    6f123c94ae74a44dddbab0b9e523caa5

  • SHA1

    1518ffb5bb71641f2bbeb481c243622e30100cc8

  • SHA256

    bc313b0f2ab37c9c5acb7a1aaa8f24b8c0b8d1ca5f3484a0ace24eb8c6098c58

  • SHA512

    7c8414e0dbce799c22b701bffdf0960607cb54226954a841fb8092e4da99e3db874da2f6f60f1cdaaa5667a7e0b9408564b5900f983322eb812a8f3f1a7a48ae

  • SSDEEP

    98304:RS5tXfs4xrC6DpIHq73aj9EnL6F5a+OTCoofFLpVT:Ry9r0uXotz

Score
8/10
adwarediscoverypersistencespywarestealer

Malware Config

Signatures

  • Registers COM server for autorun 1 TTPs 4 IoCs
    persistence
  • Loads dropped DLL 3 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Drops Chrome extension 5 IoCs
  • Installs/modifies Browser Helper Object 2 TTPs 8 IoCs

    BHOs are DLL modules which act as plugins for Internet Explorer.

    stealeradware
  • Drops file in System32 directory 4 IoCs
  • Drops file in Program Files directory 8 IoCs
  • Modifies Internet Explorer settings 1 TTPs 8 IoCs
    adwarespyware
  • Modifies registry class 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 16 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of WriteProcessMemory 5 IoCs
  • System policy modification 1 TTPs 1 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\bc313b0f2ab37c9c5acb7a1aaa8f24b8c0b8d1ca5f3484a0ace24eb8c6098c58.exe
    "C:\Users\Admin\AppData\Local\Temp\bc313b0f2ab37c9c5acb7a1aaa8f24b8c0b8d1ca5f3484a0ace24eb8c6098c58.exe"
    1⤵
    • Loads dropped DLL
    • Drops Chrome extension
    • Installs/modifies Browser Helper Object
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:5048
    • C:\Windows\SysWOW64\regsvr32.exe
      regsvr32.exe /s "C:\Program Files (x86)\TTInyWalleett\mX2JzD9h7gGJpN.x64.dll"
      2⤵
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:4980
      • C:\Windows\system32\regsvr32.exe
        /s "C:\Program Files (x86)\TTInyWalleett\mX2JzD9h7gGJpN.x64.dll"
        3⤵
        • Registers COM server for autorun
        • Loads dropped DLL
        • Installs/modifies Browser Helper Object
        • Modifies Internet Explorer settings
        • Modifies registry class
        PID:4800
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
    1⤵
      PID:968
    • C:\Windows\system32\svchost.exe
      C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
      1⤵
        PID:3148

      Network

      MITRE ATT&CK Enterprise v6

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Program Files (x86)\TTInyWalleett\mX2JzD9h7gGJpN.dat
        Filesize

        4KB

        MD5

        328e8f664a703e666f767977090be67a

        SHA1

        53f2c5dc9f8e2792e684a312dc9c1bd536d480b7

        SHA256

        130fc6b46c8d1af9546c4a5a15992a156b3223ac97e332fb9ff7d7e444dedeea

        SHA512

        97903d46557241c1307714f80cf97544da77cf13fca46aef0b8cc00399c55dec483eb2f07f394e784ad7317d678ea9dca24e94fd5872af3fcc0967a624711d97

        Download Submit

      • C:\Program Files (x86)\TTInyWalleett\mX2JzD9h7gGJpN.dll
        Filesize

        622KB

        MD5

        8a05c343e6e5fed3c750b3d9d0066ebb

        SHA1

        22d39fe1637510c4468e9c69081f288a107b8da1

        SHA256

        4acb52ac42bd0fd0e98752d4b0c24f1922f7baf7449b88c3c431958c374b8392

        SHA512

        35e3eecbb0dbc125e0dace43cba58151b5fbb6bc627075674195ca7fe2a577f3662fc969e9b1eb3aed1ca2028c16ef36b95dec27b4fe44e7f8ded1d3d78e12d1

        Download Submit

      • C:\Program Files (x86)\TTInyWalleett\mX2JzD9h7gGJpN.tlb
        Filesize

        3KB

        MD5

        f97b95a2c07b6c926106d4e9e110f93b

        SHA1

        6b76b71705374f84d81add54fad98b6fccd78c69

        SHA256

        3dca6f9ef4c0fa2d4511ee991298a97b5847720161efb3388b5dfe28694a0a97

        SHA512

        8d2b262861d126af9874c63e890b7f963a5823825ac4479e7ea917bf6ba1bbc49ec5d7da1c0cfa79deac6ae763be38799b99e76cbe744efd9d4cc018549f225c

        Download Submit

      • C:\Program Files (x86)\TTInyWalleett\mX2JzD9h7gGJpN.x64.dll
        Filesize

        701KB

        MD5

        b30d08f15639c7642e6bba8187911fe9

        SHA1

        6f79350773fde83fef1b82607da0835d01a27e2a

        SHA256

        e13f07d2edc163c163511604bd7e94068839f8b39f1f14f2ed048b84a2a47954

        SHA512

        a1c350a84992d9d7ca245a0cb06150b4fddadcca3c4d9a80368c07454c35972a5beea5fb8fcecafbdf2ad9f694b68d85724c3b7476c2c52280832f35b06d852a

        Download Submit

      • C:\Program Files (x86)\TTInyWalleett\mX2JzD9h7gGJpN.x64.dll
        Filesize

        701KB

        MD5

        b30d08f15639c7642e6bba8187911fe9

        SHA1

        6f79350773fde83fef1b82607da0835d01a27e2a

        SHA256

        e13f07d2edc163c163511604bd7e94068839f8b39f1f14f2ed048b84a2a47954

        SHA512

        a1c350a84992d9d7ca245a0cb06150b4fddadcca3c4d9a80368c07454c35972a5beea5fb8fcecafbdf2ad9f694b68d85724c3b7476c2c52280832f35b06d852a

        Download Submit

      • C:\Program Files (x86)\TTInyWalleett\mX2JzD9h7gGJpN.x64.dll
        Filesize

        701KB

        MD5

        b30d08f15639c7642e6bba8187911fe9

        SHA1

        6f79350773fde83fef1b82607da0835d01a27e2a

        SHA256

        e13f07d2edc163c163511604bd7e94068839f8b39f1f14f2ed048b84a2a47954

        SHA512

        a1c350a84992d9d7ca245a0cb06150b4fddadcca3c4d9a80368c07454c35972a5beea5fb8fcecafbdf2ad9f694b68d85724c3b7476c2c52280832f35b06d852a

        Download Submit

      • memory/4800-141-0x0000000000000000-mapping.dmp

        Download

      • memory/4980-138-0x0000000000000000-mapping.dmp

        Download

      • memory/5048-132-0x0000000001320000-0x00000000013C4000-memory.dmp

        Filesize

        656KB

        Download