Analysis

  • max time kernel
    7s
  • max time network
    46s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64 arch:x86 image:win7-20220812-en locale:en-us os:windows7-x64 system
  • submitted
    28-11-2022 07:25

General

  • Target

    ace77775f97ad3861e7c9798238eec3fa886ea2d1a935480bdbe68eb650390a7.exe

  • Size

    20KB

  • MD5

    8560a8a5b4b8a720badefcecf4c2d719

  • SHA1

    a252844a11605fd629f0b86573d4eb9917f3e95b

  • SHA256

    ace77775f97ad3861e7c9798238eec3fa886ea2d1a935480bdbe68eb650390a7

  • SHA512

    7dd8eb82e8f09ad127559563699f6248f67197e1f66ff1b53c5ef589335556047314ce7741839cdab574356d2fe285aa43342444207c96876e70c4bd3947ad29

  • SSDEEP

    384:tnWCLdfkSFunjQudSkLgAL1ozYFOeLH2G:tWgJFuncudBMAL1ouOeH2G

Score
9/10

Malware Config

Signatures

  • ACProtect 1.3x - 1.4x DLL software 2 IoCs

    Detects a file protected with the ACProtect packer.

  • UPX packed file 2 IoCs

    Detects executables packed with the open-source UPX packer or a modified UPX build.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up the country code configured in the registry, likely a geofence check.

  • Deletes itself 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Installs/modifies Browser Helper Object 2 TTPs 1 IoCs

    BHOs are DLLs that Internet Explorer loads as plug-ins when it starts; registering one under the Browser Helper Objects key is a persistence mechanism.

  • Drops file in System32 directory 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Modifies Control Panel 2 IoCs
  • Modifies Internet Explorer settings 1 TTPs 9 IoCs
  • Modifies registry class 5 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ace77775f97ad3861e7c9798238eec3fa886ea2d1a935480bdbe68eb650390a7.exe
    "C:\Users\Admin\AppData\Local\Temp\ace77775f97ad3861e7c9798238eec3fa886ea2d1a935480bdbe68eb650390a7.exe"
    1⤵
    • Checks computer location settings
    • Drops file in System32 directory
    • Suspicious use of SetThreadContext
    • Modifies Control Panel
    • Modifies Internet Explorer settings
    • Suspicious use of WriteProcessMemory
    PID:1020
    • C:\Windows\SysWOW64\regsvr32.exe
      regsvr32 /s C:\Windows\system32\mstu.dll
      2⤵
      • Loads dropped DLL
      • Installs/modifies Browser Helper Object
      • Modifies Internet Explorer settings
      • Modifies registry class
      PID:1684
    • C:\Windows\SysWOW64\explorer.exe
      explorer.exe
      2⤵
      • Deletes itself
      PID:1924
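
The tree above shows the sample registering the dropped C:\Windows\system32\mstu.dll with regsvr32 /s from SysWOW64 and the "Installs/modifies Browser Helper Object" signature firing on that child. The report does not list the CLSID that was registered, so a host check has to enumerate every BHO and resolve each CLSID to its InprocServer32 DLL rather than look for one known GUID. The following PowerShell is an added example for doing that, not output of the sandbox or code from the sample; the only value taken from the report is the DLL name mstu.dll, and flagging unsigned DLLs is an assumption about what is worth a second look, not a rule from the page.

```powershell
# Added example (not part of the sandbox report): enumerate Browser Helper Object
# registrations, resolve each CLSID to its InprocServer32 DLL, and flag the DLL name
# the report shows regsvr32 registering (mstu.dll) plus any DLL without a valid
# Authenticode signature. Run from an elevated 64-bit PowerShell on the host.
$bhoKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
    # regsvr32 ran from SysWOW64, so a 32-bit registration lands under Wow6432Node
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
)
$clsidRoots = @(
    'Registry::HKEY_CLASSES_ROOT\CLSID',
    'Registry::HKEY_CLASSES_ROOT\Wow6432Node\CLSID'
)
$suspectName = 'mstu.dll'   # taken from the report's regsvr32 command line

$findings = foreach ($bhoKey in $bhoKeys) {
    if (-not (Test-Path $bhoKey)) { continue }
    foreach ($entry in Get-ChildItem $bhoKey) {
        $clsid = $entry.PSChildName
        foreach ($root in $clsidRoots) {
            $inproc = Join-Path $root "$clsid\InprocServer32"
            if (-not (Test-Path $inproc)) { continue }
            # The DLL path is the key's default value; it may be quoted or use %SystemRoot%
            $raw = (Get-ItemProperty -Path $inproc).'(default)'
            if (-not $raw) { continue }
            $dll = [Environment]::ExpandEnvironmentVariables($raw.Trim('"'))
            $sig = if (Test-Path $dll) { (Get-AuthenticodeSignature $dll).Status } else { 'Missing' }
            [pscustomobject]@{
                BhoKey    = $bhoKey
                CLSID     = $clsid
                DllPath   = $dll
                SigStatus = $sig
                # Assumption: an unsigned or missing BHO DLL deserves review even if the name differs
                Suspect   = ([IO.Path]::GetFileName($dll) -ieq $suspectName) -or ($sig -ne 'Valid')
            }
        }
    }
}
$findings | Sort-Object Suspect -Descending | Format-Table -AutoSize
```

Because the sample's regsvr32 child ran as a 32-bit process, the registration on an x64 host is expected under the Wow6432Node paths; the 64-bit keys are included so the same run also covers a 64-bit variant. Compare any hit's DLL against the SHA256 of the dropped file listed under Downloads before acting on it.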

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Windows\SysWOW64\mstu.dll

    Filesize

    11KB

    MD5

    6c41347d34f49fe4eb76e7d78c0663f9

    SHA1

    034d7243596728a39053dbc29fbfad1c2ffe5ab6

    SHA256

    77f54f0dd6f77a6dd5bb23aa774a286c36a98125891a505e26685f3a876c67d1

    SHA512

    efc5f938dd92e3767f6e1d8dd78efbb49ea9573a15cce70974f146f444da42a84725ead58c1bbdb7ad2e9eba38c3adb09f261dc2649e0a6855f4706d7e2cb3f0

  • \Windows\SysWOW64\mstu.dll

    Filesize

    11KB

    MD5

    6c41347d34f49fe4eb76e7d78c0663f9

    SHA1

    034d7243596728a39053dbc29fbfad1c2ffe5ab6

    SHA256

    77f54f0dd6f77a6dd5bb23aa774a286c36a98125891a505e26685f3a876c67d1

    SHA512

    efc5f938dd92e3767f6e1d8dd78efbb49ea9573a15cce70974f146f444da42a84725ead58c1bbdb7ad2e9eba38c3adb09f261dc2649e0a6855f4706d7e2cb3f0

  • memory/1020-54-0x0000000000401000-0x0000000000403000-memory.dmp

    Filesize

    8KB

  • memory/1684-55-0x0000000000000000-mapping.dmp

  • memory/1684-56-0x0000000075571000-0x0000000075573000-memory.dmp

    Filesize

    8KB

  • memory/1924-59-0x00000000004F0EFA-mapping.dmp

  • memory/1924-61-0x00000000745D1000-0x00000000745D3000-memory.dmp

    Filesize

    8KB