52b9db3498dc7feef99642f90e4803520b9536e56a32e8873dc08dc4d01a0d98

Analysis

max time kernel
44s
max time network
49s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
01/12/2022, 21:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

52b9db3498dc7feef99642f90e4803520b9536e56a32e8873dc08dc4d01a0d98.exe
Size

35KB
MD5

f8e26ec38890853a8fa895e278ab9ee4
SHA1

8dbccea7d283fbb3d165f0a03b7740bf58d8a528
SHA256

52b9db3498dc7feef99642f90e4803520b9536e56a32e8873dc08dc4d01a0d98
SHA512

6502924a8cf1042c2652d4ad3456cce05b315a805142d6556f35744e5c12eaf593dd9e7d935eb279e28cf0bc25c2dce0c8304eccb3afa07e1cec34f2eff13384
SSDEEP

768:/Jbptgn/VDe5vC55/ZpKYf9nHaaqqzJauZfqb:/Vp6ndx7df9nHaaqqVPRqb

Score

10^/10

adware evasion stealer trojan upx

Malware Config

Signatures

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	52b9db3498dc7feef99642f90e4803520b9536e56a32e8873dc08dc4d01a0d98.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1528-56-0x0000000000400000-0x0000000000417000-memory.dmp	upx
behavioral1/memory/1528-57-0x0000000000400000-0x0000000000417000-memory.dmp	upx
behavioral1/memory/1528-59-0x0000000000400000-0x0000000000417000-memory.dmp	upx

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	52b9db3498dc7feef99642f90e4803520b9536e56a32e8873dc08dc4d01a0d98.exe

Installs/modifies Browser Helper Object 2 TTPs 2 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\	52b9db3498dc7feef99642f90e4803520b9536e56a32e8873dc08dc4d01a0d98.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\NoExplorer = "1"	52b9db3498dc7feef99642f90e4803520b9536e56a32e8873dc08dc4d01a0d98.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\WINDOWS\SysWOW64\iefxaddon.dll	52b9db3498dc7feef99642f90e4803520b9536e56a32e8873dc08dc4d01a0d98.exe
File opened for modification	C:\WINDOWS\SysWOW64\iefxaddon.dll	52b9db3498dc7feef99642f90e4803520b9536e56a32e8873dc08dc4d01a0d98.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1528	52b9db3498dc7feef99642f90e4803520b9536e56a32e8873dc08dc4d01a0d98.exe

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	52b9db3498dc7feef99642f90e4803520b9536e56a32e8873dc08dc4d01a0d98.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	52b9db3498dc7feef99642f90e4803520b9536e56a32e8873dc08dc4d01a0d98.exe

C:\Users\Admin\AppData\Local\Temp\52b9db3498dc7feef99642f90e4803520b9536e56a32e8873dc08dc4d01a0d98.exe
"C:\Users\Admin\AppData\Local\Temp\52b9db3498dc7feef99642f90e4803520b9536e56a32e8873dc08dc4d01a0d98.exe"
1⤵
- UAC bypass
- Checks whether UAC is enabled
- Installs/modifies Browser Helper Object
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:1528

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Browser Extensions

T1176

Privilege Escalation

Bypass User Account Control

T1088

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1528-56-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1528-57-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1528-58-0x0000000075021000-0x0000000075023000-memory.dmp

Filesize
8KB

Download
memory/1528-59-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads