Overview

overview

9

Static

static

89897675e7...da.exe

windows7-x64

9

89897675e7...da.exe

windows10-2004-x64

9

Analysis

  • max time kernel
    41s
  • max time network
    31s
  • platform
    windows7_x64
  • resource
    win7-20221111-en
  • resource tags

    arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
  • submitted
    29-11-2022 05:59

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    89897675e760194e89e17ec2588f91d1c85aa93d9132c65258db4a87877fadda.exe

  • Size

    69KB

  • MD5

    59de701fe87acd8863e5175d6f33cd1b

  • SHA1

    04795374816358bbdd9015ba77abdc1ca6a84065

  • SHA256

    89897675e760194e89e17ec2588f91d1c85aa93d9132c65258db4a87877fadda

  • SHA512

    11315ae8778f1f713979106668a2b5945bab6e8ad28d0ed7f0be2a7113b23c4851470730938dc74a378c482de9c7365f128233ce725f5af7668aad83cdf903ba

  • SSDEEP

    1536:2lB+r9Byk/wG4N94T0rXJx3aGGRWoHMEEFEo6:+B+rqltgHMEEFEo6

Score
9/10
adwarestealerupx

Malware Config

Signatures

  • ACProtect 1.3x - 1.4x DLL software 6 IoCs

    Detects file using ACProtect software.

  • UPX packed file 6 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Deletes itself 1 IoCs
  • Loads dropped DLL 4 IoCs
  • Installs/modifies Browser Helper Object 2 TTPs 2 IoCs

    BHOs are DLL modules which act as plugins for Internet Explorer.

    stealeradware
  • Drops file in System32 directory 2 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
    adwarespyware
  • Modifies registry class 9 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\89897675e760194e89e17ec2588f91d1c85aa93d9132c65258db4a87877fadda.exe
    "C:\Users\Admin\AppData\Local\Temp\89897675e760194e89e17ec2588f91d1c85aa93d9132c65258db4a87877fadda.exe"
    1⤵
    • Installs/modifies Browser Helper Object
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:1360
    • C:\Windows\SysWOW64\rundll32.exe
      "C:\Windows\System32\rundll32.exe" savec32.dll,InitDll
      2⤵
      • Loads dropped DLL
      PID:1080
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\898976~1.EXE >> NUL
      2⤵
      • Deletes itself
      PID:268

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Browser Extensions

1
T1176

Privilege Escalation

Defense Evasion

Modify Registry

2
T1112

Credential Access

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\SysWOW64\savec32.dll
    Filesize

    44KB

    MD5

    a7e9dd508c1ed1e7b4af7f1507e9bac5

    SHA1

    8c9850e485a42fab8d65bdd4a5c3a014715b3406

    SHA256

    88ef17464130d253535a353e5eea57c5156334533500edbf15280f31d49be3b4

    SHA512

    c1ddbbeae9e5767c7035739d461ad552f5371c0514d1c149e79b1091a6d27f2ceefe19ca48e4e508c9718998a806e5a9e66ecfec81292a21d7993529a9503f94

    Download Submit
  • \Windows\SysWOW64\savec32.dll
    Filesize

    44KB

    MD5

    a7e9dd508c1ed1e7b4af7f1507e9bac5

    SHA1

    8c9850e485a42fab8d65bdd4a5c3a014715b3406

    SHA256

    88ef17464130d253535a353e5eea57c5156334533500edbf15280f31d49be3b4

    SHA512

    c1ddbbeae9e5767c7035739d461ad552f5371c0514d1c149e79b1091a6d27f2ceefe19ca48e4e508c9718998a806e5a9e66ecfec81292a21d7993529a9503f94

    Download Submit
  • \Windows\SysWOW64\savec32.dll
    Filesize

    44KB

    MD5

    a7e9dd508c1ed1e7b4af7f1507e9bac5

    SHA1

    8c9850e485a42fab8d65bdd4a5c3a014715b3406

    SHA256

    88ef17464130d253535a353e5eea57c5156334533500edbf15280f31d49be3b4

    SHA512

    c1ddbbeae9e5767c7035739d461ad552f5371c0514d1c149e79b1091a6d27f2ceefe19ca48e4e508c9718998a806e5a9e66ecfec81292a21d7993529a9503f94

    Download Submit
  • \Windows\SysWOW64\savec32.dll
    Filesize

    44KB

    MD5

    a7e9dd508c1ed1e7b4af7f1507e9bac5

    SHA1

    8c9850e485a42fab8d65bdd4a5c3a014715b3406

    SHA256

    88ef17464130d253535a353e5eea57c5156334533500edbf15280f31d49be3b4

    SHA512

    c1ddbbeae9e5767c7035739d461ad552f5371c0514d1c149e79b1091a6d27f2ceefe19ca48e4e508c9718998a806e5a9e66ecfec81292a21d7993529a9503f94

    Download Submit
  • \Windows\SysWOW64\savec32.dll
    Filesize

    44KB

    MD5

    a7e9dd508c1ed1e7b4af7f1507e9bac5

    SHA1

    8c9850e485a42fab8d65bdd4a5c3a014715b3406

    SHA256

    88ef17464130d253535a353e5eea57c5156334533500edbf15280f31d49be3b4

    SHA512

    c1ddbbeae9e5767c7035739d461ad552f5371c0514d1c149e79b1091a6d27f2ceefe19ca48e4e508c9718998a806e5a9e66ecfec81292a21d7993529a9503f94

    Download Submit
  • memory/268-56-0x0000000000000000-mapping.dmp
    Download
  • memory/1080-55-0x0000000000000000-mapping.dmp
    Download
  • memory/1080-63-0x0000000020000000-0x0000000020023000-memory.dmp
    Filesize

    140KB

    Download
  • memory/1080-64-0x0000000020000000-0x0000000020023000-memory.dmp
    Filesize

    140KB

    Download
  • memory/1080-65-0x0000000020000000-0x0000000020023000-memory.dmp
    Filesize

    140KB

    Download
  • memory/1360-54-0x0000000075091000-0x0000000075093000-memory.dmp
    Filesize

    8KB

    Download