Overview

overview

8

Static

static

a95f207ca6...8b.exe

windows7-x64

8

a95f207ca6...8b.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    176s
  • max time network
    182s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    29-11-2022 08:09

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    a95f207ca6b9ff09a248614ae30b3ddfbe1aaad61ccca7438451fdaa879b0c8b.exe

  • Size

    6.9MB

  • MD5

    76827e19ac4b6c300c8bc37754b321a9

  • SHA1

    60f1144731e4e8e98d22a59df821256307c26364

  • SHA256

    a95f207ca6b9ff09a248614ae30b3ddfbe1aaad61ccca7438451fdaa879b0c8b

  • SHA512

    beb2072de102d2d4d5925bd63925faa00828ad5e14f152d01544902e58293fb012991b6c614c3ff87c0928f4782b02f0302faff0f9fc0c672f4a9a1793bbc81b

  • SSDEEP

    196608:CZXBJmubSsk25nnATnJpk789JENi1OudYjinaOB:ePD2sbngnXk77rudzn5B

Score
8/10
adwarediscoveryevasionpersistencespywarestealertrojan

Malware Config

Signatures

  • Executes dropped EXE 7 IoCs
  • Modifies Windows Firewall 1 TTPs 4 IoCs
    evasion
  • Checks computer location settings 2 TTPs 4 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Checks whether UAC is enabled 1 TTPs 2 IoCs
    evasiontrojan
  • Installs/modifies Browser Helper Object 2 TTPs 2 IoCs

    BHOs are DLL modules which act as plugins for Internet Explorer.

    stealeradware
  • Drops file in System32 directory 2 IoCs
  • Drops file in Program Files directory 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies Internet Explorer settings 1 TTPs 64 IoCs
    adwarespyware
  • Modifies Internet Explorer start page 1 TTPs 1 IoCs
    stealer
  • Modifies registry class 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 30 IoCs
  • System policy modification 1 TTPs 1 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\a95f207ca6b9ff09a248614ae30b3ddfbe1aaad61ccca7438451fdaa879b0c8b.exe
    "C:\Users\Admin\AppData\Local\Temp\a95f207ca6b9ff09a248614ae30b3ddfbe1aaad61ccca7438451fdaa879b0c8b.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:4824
    • C:\Users\Admin\AppData\Local\Temp\1b310c37f05a6f303d844b7dc01a0c07.exe
      "C:\Users\Admin\AppData\Local\Temp\1b310c37f05a6f303d844b7dc01a0c07.exe" /c mailru
      2⤵
      • Executes dropped EXE
      • Checks computer location settings
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:1772
      • C:\Users\Admin\AppData\Local\Temp\b480a56c680cb6c11e0432fdb759915f1.exe
        "C:\Users\Admin\AppData\Local\Temp\b480a56c680cb6c11e0432fdb759915f1.exe" /uninstall /silent
        3⤵
        • Executes dropped EXE
        • Checks computer location settings
        • Modifies Internet Explorer settings
        • Suspicious use of WriteProcessMemory
        PID:4532
        • C:\Windows\SysWOW64\netsh.exe
          "C:\Windows\System32\netsh.exe" firewall delete allowedprogram "SputnikHelper.exe"
          4⤵
          • Modifies Windows Firewall
          PID:1384
        • C:\Windows\SysWOW64\netsh.exe
          "C:\Windows\System32\netsh.exe" firewall delete allowedprogram "SputnikFlashPlayer.exe"
          4⤵
          • Modifies Windows Firewall
          PID:4372
      • C:\Users\Admin\AppData\Local\Temp\b480a56c680cb6c11e0432fdb759915f2.exe
        "C:\Users\Admin\AppData\Local\Temp\b480a56c680cb6c11e0432fdb759915f2.exe" /silent /rfr=openpr /mpcln=9516 /partner_new_url=http://smstransfers.net/toolbar.php?id=3930&file_id=343303&guid=$__GUID&sig=$__SIG
        3⤵
        • Executes dropped EXE
        • Checks computer location settings
        • Loads dropped DLL
        • Checks whether UAC is enabled
        • Installs/modifies Browser Helper Object
        • Drops file in Program Files directory
        • Modifies Internet Explorer settings
        • Modifies Internet Explorer start page
        • Modifies registry class
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        • System policy modification
        PID:4576
        • C:\Program Files (x86)\Mail.Ru\Sputnik\SputnikHelper.exe
          "C:\Program Files (x86)\Mail.Ru\Sputnik\SputnikHelper.exe" /RegServer
          4⤵
          • Executes dropped EXE
          • Modifies registry class
          PID:1932
        • C:\Windows\SysWOW64\netsh.exe
          "C:\Windows\System32\netsh.exe" firewall add allowedprogram "C:\Program Files (x86)\Mail.Ru\Sputnik\SputnikHelper.exe" "C:\Program Files (x86)\Mail.Ru\Sputnik\SputnikHelper.exe" ENABLE ALL
          4⤵
          • Modifies Windows Firewall
          PID:1036
        • C:\Windows\SysWOW64\netsh.exe
          "C:\Windows\System32\netsh.exe" firewall add allowedprogram "C:\Program Files (x86)\Mail.Ru\Sputnik\SputnikFlashPlayer.exe" "C:\Program Files (x86)\Mail.Ru\Sputnik\SputnikFlashPlayer.exe" ENABLE ALL
          4⤵
          • Modifies Windows Firewall
          PID:3284
        • C:\Users\Admin\AppData\Local\Temp\GuardMailRu.exe
          "C:\Users\Admin\AppData\Local\Temp\GuardMailRu.exe" /INSTALL2 /LANG=ru /GUID={8E5A2595-3F79-41FF-A289-A56B84C738BF}
          4⤵
          • Executes dropped EXE
          • Adds Run key to start application
          • Checks whether UAC is enabled
          • Drops file in Program Files directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:4180
          • C:\Program Files (x86)\Mail.Ru\Guard\GuardMailRu.exe
            "C:\Program Files (x86)\Mail.Ru\Guard\GuardMailRu.exe" /gui
            5⤵
            • Executes dropped EXE
            • Loads dropped DLL
            PID:1420
  • C:\Program Files (x86)\Mail.Ru\Guard\GuardMailRu.exe
    "C:\Program Files (x86)\Mail.Ru\Guard\GuardMailRu.exe"
    1⤵
    • Executes dropped EXE
    • Drops file in System32 directory
    • Modifies Internet Explorer settings
    • Suspicious behavior: EnumeratesProcesses
    PID:3420

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Program Files (x86)\Mail.Ru\Guard\GuardMailRu.exe
    Filesize

    1.6MB

    MD5

    4e808bd83cc5ecf45163fc7942657a1a

    SHA1

    35cf5e55111a95a8d67f14d6efe80f46c240159a

    SHA256

    a6ccc5b32f422b74b2fe68456b6c89543984ba67fa5716cc144e2b5e9e9b3c11

    SHA512

    4c61f777bef89be7a89c95ebd6e82bfc67f49ba8a2e5e1995e570ccf45ec43609a461fb072f44882e2766ac4db44468694d1b561939e68cac3b36d37988ad96f

    Download Submit

  • C:\Program Files (x86)\Mail.Ru\Guard\GuardMailRu.exe
    Filesize

    1.6MB

    MD5

    4e808bd83cc5ecf45163fc7942657a1a

    SHA1

    35cf5e55111a95a8d67f14d6efe80f46c240159a

    SHA256

    a6ccc5b32f422b74b2fe68456b6c89543984ba67fa5716cc144e2b5e9e9b3c11

    SHA512

    4c61f777bef89be7a89c95ebd6e82bfc67f49ba8a2e5e1995e570ccf45ec43609a461fb072f44882e2766ac4db44468694d1b561939e68cac3b36d37988ad96f

    Download Submit

  • C:\Program Files (x86)\Mail.Ru\Guard\GuardMailRu.exe
    Filesize

    1.6MB

    MD5

    4e808bd83cc5ecf45163fc7942657a1a

    SHA1

    35cf5e55111a95a8d67f14d6efe80f46c240159a

    SHA256

    a6ccc5b32f422b74b2fe68456b6c89543984ba67fa5716cc144e2b5e9e9b3c11

    SHA512

    4c61f777bef89be7a89c95ebd6e82bfc67f49ba8a2e5e1995e570ccf45ec43609a461fb072f44882e2766ac4db44468694d1b561939e68cac3b36d37988ad96f

    Download Submit

  • C:\Program Files (x86)\Mail.Ru\Sputnik\MailRuSputnik.dll
    Filesize

    1.5MB

    MD5

    56d85d7003505c771b2e9dbde94cc198

    SHA1

    8a4415d69ac95281fb8ed7b23f5ef8ac7f2987d1

    SHA256

    0d90251790d8886dedb79129a8cdfad69b44675cfe6f7c4924f69bdff18f69e0

    SHA512

    113c511dbe49a61ebcedf9900adf814039be639392f7408d581b7e80448cd6881985a4649b8d9ac9998d835d3c3bc5a3164d6a91a9ba5dae84aaab38376acd27

    Download Submit

  • C:\Program Files (x86)\Mail.Ru\Sputnik\MailRuSputnik.dll
    Filesize

    1.5MB

    MD5

    56d85d7003505c771b2e9dbde94cc198

    SHA1

    8a4415d69ac95281fb8ed7b23f5ef8ac7f2987d1

    SHA256

    0d90251790d8886dedb79129a8cdfad69b44675cfe6f7c4924f69bdff18f69e0

    SHA512

    113c511dbe49a61ebcedf9900adf814039be639392f7408d581b7e80448cd6881985a4649b8d9ac9998d835d3c3bc5a3164d6a91a9ba5dae84aaab38376acd27

    Download Submit

  • C:\Program Files (x86)\Mail.Ru\Sputnik\MailRuSputnik.dll
    Filesize

    1.5MB

    MD5

    56d85d7003505c771b2e9dbde94cc198

    SHA1

    8a4415d69ac95281fb8ed7b23f5ef8ac7f2987d1

    SHA256

    0d90251790d8886dedb79129a8cdfad69b44675cfe6f7c4924f69bdff18f69e0

    SHA512

    113c511dbe49a61ebcedf9900adf814039be639392f7408d581b7e80448cd6881985a4649b8d9ac9998d835d3c3bc5a3164d6a91a9ba5dae84aaab38376acd27

    Download Submit

  • C:\Program Files (x86)\Mail.Ru\Sputnik\SputnikFlashPlayer.exe
    Filesize

    702KB

    MD5

    8f73724c3cdc2f735e448aa950a5908a

    SHA1

    be803a6d3e2b4f28f14869f198a67c3cad81246d

    SHA256

    16e4788811c91608db8ec06b02d0de955557c88d8b6f2c16e54f6b863aecbe2a

    SHA512

    ffbc21e390e9109e7370a305aa4027ae294d5173a4ec792c2acb70027ecd6a13c6cd0de10b90e8092289939a392a7b8511e2567d8bc6fade72e19df11b052b54

    Download Submit

  • C:\Program Files (x86)\Mail.Ru\Sputnik\SputnikHelper.exe
    Filesize

    263KB

    MD5

    087f605952660f57198f90625324dba1

    SHA1

    2e1e5f0132c7bc6df36cde8debfc6fa7adfb6b54

    SHA256

    52c532141e36ddbfe58424781827f8996b18a86fdf6d088f95fe063cf9c4f4cd

    SHA512

    38e2d5ff20f814c94d5abe5f3b53f8480c64f78e2e2b57ce864d421f9fece1fc04c093ceee1449bde66392894bd7c07d25e4692a4c0337f05fd021e7f5fff103

    Download Submit

  • C:\Program Files (x86)\Mail.Ru\Sputnik\SputnikHelper.exe
    Filesize

    263KB

    MD5

    087f605952660f57198f90625324dba1

    SHA1

    2e1e5f0132c7bc6df36cde8debfc6fa7adfb6b54

    SHA256

    52c532141e36ddbfe58424781827f8996b18a86fdf6d088f95fe063cf9c4f4cd

    SHA512

    38e2d5ff20f814c94d5abe5f3b53f8480c64f78e2e2b57ce864d421f9fece1fc04c093ceee1449bde66392894bd7c07d25e4692a4c0337f05fd021e7f5fff103

    Download Submit

  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
    Filesize

    9KB

    MD5

    f42cdab2210d9a340f758cb8843dcac5

    SHA1

    626d020e25676d3436ccfa056c38ebb332208479

    SHA256

    501abb44e1a98f70920a0ecccd8ee76b3d48e87b8b2c550a61dcbeb10f53d59e

    SHA512

    52d569b17559fe68758fc8f99832005c8524d5d43e62eff7a40fd576094cd21cf143404b69a7909fe2eeb26bdbfe5a44af82990a2a8a78d5b02d49cc7ce05a61

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\1b310c37f05a6f303d844b7dc01a0c07.exe
    Filesize

    6.9MB

    MD5

    76827e19ac4b6c300c8bc37754b321a9

    SHA1

    60f1144731e4e8e98d22a59df821256307c26364

    SHA256

    a95f207ca6b9ff09a248614ae30b3ddfbe1aaad61ccca7438451fdaa879b0c8b

    SHA512

    beb2072de102d2d4d5925bd63925faa00828ad5e14f152d01544902e58293fb012991b6c614c3ff87c0928f4782b02f0302faff0f9fc0c672f4a9a1793bbc81b

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\1b310c37f05a6f303d844b7dc01a0c07.exe
    Filesize

    6.9MB

    MD5

    76827e19ac4b6c300c8bc37754b321a9

    SHA1

    60f1144731e4e8e98d22a59df821256307c26364

    SHA256

    a95f207ca6b9ff09a248614ae30b3ddfbe1aaad61ccca7438451fdaa879b0c8b

    SHA512

    beb2072de102d2d4d5925bd63925faa00828ad5e14f152d01544902e58293fb012991b6c614c3ff87c0928f4782b02f0302faff0f9fc0c672f4a9a1793bbc81b

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\GuardMailRu.exe
    Filesize

    1.6MB

    MD5

    4e808bd83cc5ecf45163fc7942657a1a

    SHA1

    35cf5e55111a95a8d67f14d6efe80f46c240159a

    SHA256

    a6ccc5b32f422b74b2fe68456b6c89543984ba67fa5716cc144e2b5e9e9b3c11

    SHA512

    4c61f777bef89be7a89c95ebd6e82bfc67f49ba8a2e5e1995e570ccf45ec43609a461fb072f44882e2766ac4db44468694d1b561939e68cac3b36d37988ad96f

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\GuardMailRu.exe
    Filesize

    1.6MB

    MD5

    4e808bd83cc5ecf45163fc7942657a1a

    SHA1

    35cf5e55111a95a8d67f14d6efe80f46c240159a

    SHA256

    a6ccc5b32f422b74b2fe68456b6c89543984ba67fa5716cc144e2b5e9e9b3c11

    SHA512

    4c61f777bef89be7a89c95ebd6e82bfc67f49ba8a2e5e1995e570ccf45ec43609a461fb072f44882e2766ac4db44468694d1b561939e68cac3b36d37988ad96f

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\b480a56c680cb6c11e0432fdb759915f1.exe
    Filesize

    3.8MB

    MD5

    e60a475bd1f3fd8ef26341406da4ddaa

    SHA1

    3478887290966bf94525dfed829746b39731e627

    SHA256

    859bbdd2ab0e14cbfe3a951fad3ec723984d962f74f17813220abc8887fd3338

    SHA512

    424164da27f9750764eb08ec30468f9e036fae9f5b59181054c4c2e1ba4d1d710e06d49409e608fbeec14b0efc60e726254b7280c848f9f3ec95f3dbb00d91f3

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\b480a56c680cb6c11e0432fdb759915f1.exe
    Filesize

    3.8MB

    MD5

    e60a475bd1f3fd8ef26341406da4ddaa

    SHA1

    3478887290966bf94525dfed829746b39731e627

    SHA256

    859bbdd2ab0e14cbfe3a951fad3ec723984d962f74f17813220abc8887fd3338

    SHA512

    424164da27f9750764eb08ec30468f9e036fae9f5b59181054c4c2e1ba4d1d710e06d49409e608fbeec14b0efc60e726254b7280c848f9f3ec95f3dbb00d91f3

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\b480a56c680cb6c11e0432fdb759915f2.exe
    Filesize

    3.8MB

    MD5

    e60a475bd1f3fd8ef26341406da4ddaa

    SHA1

    3478887290966bf94525dfed829746b39731e627

    SHA256

    859bbdd2ab0e14cbfe3a951fad3ec723984d962f74f17813220abc8887fd3338

    SHA512

    424164da27f9750764eb08ec30468f9e036fae9f5b59181054c4c2e1ba4d1d710e06d49409e608fbeec14b0efc60e726254b7280c848f9f3ec95f3dbb00d91f3

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\b480a56c680cb6c11e0432fdb759915f2.exe
    Filesize

    3.8MB

    MD5

    e60a475bd1f3fd8ef26341406da4ddaa

    SHA1

    3478887290966bf94525dfed829746b39731e627

    SHA256

    859bbdd2ab0e14cbfe3a951fad3ec723984d962f74f17813220abc8887fd3338

    SHA512

    424164da27f9750764eb08ec30468f9e036fae9f5b59181054c4c2e1ba4d1d710e06d49409e608fbeec14b0efc60e726254b7280c848f9f3ec95f3dbb00d91f3

    Download Submit

  • memory/1772-140-0x0000000000400000-0x0000000000AF8000-memory.dmp

    Filesize

    7.0MB

    Download

  • memory/1772-159-0x0000000000400000-0x0000000000AF8000-memory.dmp

    Filesize

    7.0MB

    Download

  • memory/4824-132-0x0000000000400000-0x0000000000AF8000-memory.dmp

    Filesize

    7.0MB

    Download

  • memory/4824-139-0x0000000000400000-0x0000000000AF8000-memory.dmp

    Filesize

    7.0MB

    Download

  • memory/4824-135-0x0000000000400000-0x0000000000AF8000-memory.dmp

    Filesize

    7.0MB

    Download

  • memory/4824-134-0x0000000000400000-0x0000000000AF8000-memory.dmp

    Filesize

    7.0MB

    Download

  • memory/4824-133-0x0000000000400000-0x0000000000AF8000-memory.dmp

    Filesize

    7.0MB

    Download