Overview

overview

9

Static

static

89897675e7...da.exe

windows7-x64

9

89897675e7...da.exe

windows10-2004-x64

9

Analysis

  • max time kernel
    182s
  • max time network
    196s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
  • submitted
    29-11-2022 05:59

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    89897675e760194e89e17ec2588f91d1c85aa93d9132c65258db4a87877fadda.exe

  • Size

    69KB

  • MD5

    59de701fe87acd8863e5175d6f33cd1b

  • SHA1

    04795374816358bbdd9015ba77abdc1ca6a84065

  • SHA256

    89897675e760194e89e17ec2588f91d1c85aa93d9132c65258db4a87877fadda

  • SHA512

    11315ae8778f1f713979106668a2b5945bab6e8ad28d0ed7f0be2a7113b23c4851470730938dc74a378c482de9c7365f128233ce725f5af7668aad83cdf903ba

  • SSDEEP

    1536:2lB+r9Byk/wG4N94T0rXJx3aGGRWoHMEEFEo6:+B+rqltgHMEEFEo6

Score
9/10
adwarepersistencestealerupx

Malware Config

Signatures

  • ACProtect 1.3x - 1.4x DLL software 2 IoCs

    Detects file using ACProtect software.

  • Modifies Installed Components in the registry 2 TTPs 6 IoCs
    persistence
  • UPX packed file 3 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL 1 IoCs
  • Installs/modifies Browser Helper Object 2 TTPs 2 IoCs

    BHOs are DLL modules which act as plugins for Internet Explorer.

    stealeradware
  • Drops file in System32 directory 2 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
    adwarespyware
  • Modifies registry class 9 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\89897675e760194e89e17ec2588f91d1c85aa93d9132c65258db4a87877fadda.exe
    "C:\Users\Admin\AppData\Local\Temp\89897675e760194e89e17ec2588f91d1c85aa93d9132c65258db4a87877fadda.exe"
    1⤵
    • Checks computer location settings
    • Installs/modifies Browser Helper Object
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:1540
    • C:\Windows\SysWOW64\rundll32.exe
      "C:\Windows\System32\rundll32.exe" savec32.dll,InitDll
      2⤵
      • Modifies Installed Components in the registry
      • Loads dropped DLL
      PID:4248
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\898976~1.EXE >> NUL
      2⤵
        PID:4368

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Registry Run Keys / Startup Folder

    1
    T1060

    Browser Extensions

    1
    T1176

    Privilege Escalation

    Defense Evasion

    Modify Registry

    3
    T1112

    Credential Access

    Discovery

    Query Registry

    1
    T1012

    System Information Discovery

    2
    T1082

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Windows\SysWOW64\savec32.dll
      Filesize

      44KB

      MD5

      a7e9dd508c1ed1e7b4af7f1507e9bac5

      SHA1

      8c9850e485a42fab8d65bdd4a5c3a014715b3406

      SHA256

      88ef17464130d253535a353e5eea57c5156334533500edbf15280f31d49be3b4

      SHA512

      c1ddbbeae9e5767c7035739d461ad552f5371c0514d1c149e79b1091a6d27f2ceefe19ca48e4e508c9718998a806e5a9e66ecfec81292a21d7993529a9503f94

      Download Submit
    • C:\Windows\SysWOW64\savec32.dll
      Filesize

      44KB

      MD5

      a7e9dd508c1ed1e7b4af7f1507e9bac5

      SHA1

      8c9850e485a42fab8d65bdd4a5c3a014715b3406

      SHA256

      88ef17464130d253535a353e5eea57c5156334533500edbf15280f31d49be3b4

      SHA512

      c1ddbbeae9e5767c7035739d461ad552f5371c0514d1c149e79b1091a6d27f2ceefe19ca48e4e508c9718998a806e5a9e66ecfec81292a21d7993529a9503f94

      Download Submit
    • memory/4248-132-0x0000000000000000-mapping.dmp
      Download
    • memory/4248-136-0x0000000020000000-0x0000000020023000-memory.dmp
      Filesize

      140KB

      Download
    • memory/4368-133-0x0000000000000000-mapping.dmp
      Download