Overview

overview

8

Static

static

8dbef2147b...7a.exe

windows7-x64

8

8dbef2147b...7a.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    157s
  • max time network
    197s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
  • submitted
    03/12/2022, 06:57

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    8dbef2147bd4a0b6725f2e8eb1ae6e18a411fcda13f69dbfdf6c547e1527437a.exe

  • Size

    37KB

  • MD5

    6b1a9eae04c6c02c7fff562c78ae6c5b

  • SHA1

    b011396c18a10af503b3ed32d55bde56f6b22d48

  • SHA256

    8dbef2147bd4a0b6725f2e8eb1ae6e18a411fcda13f69dbfdf6c547e1527437a

  • SHA512

    dacf726f1df2ad4cabe1e2c4e4e367c95958720f44221e91f7c95d52980166f7906fa206d1800eb3d49969e92579f0e15f577d029c4a1b2ff5d205793db52f63

  • SSDEEP

    768:Lwbeq7oIASBVNL26y/07hC8kF/R0Be7UiU6DFnEXGnygJxrVAdbCCl3E:IeUrA2Vw6z7hpXBcTUWnAdbCCl

Score
8/10
adwarepersistencestealer

Malware Config

Signatures

  • Drops file in Drivers directory 1 IoCs
  • Executes dropped EXE 3 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL 1 IoCs
  • Adds Run key to start application 2 TTPs 10 IoCs
    persistence
  • Installs/modifies Browser Helper Object 2 TTPs 3 IoCs

    BHOs are DLL modules which act as plugins for Internet Explorer.

    stealeradware
  • Drops file in System32 directory 3 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies Internet Explorer settings 1 TTPs 4 IoCs
    adwarespyware
  • Modifies registry class 6 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\8dbef2147bd4a0b6725f2e8eb1ae6e18a411fcda13f69dbfdf6c547e1527437a.exe
    "C:\Users\Admin\AppData\Local\Temp\8dbef2147bd4a0b6725f2e8eb1ae6e18a411fcda13f69dbfdf6c547e1527437a.exe"
    1⤵
    • Checks computer location settings
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Suspicious use of WriteProcessMemory
    PID:1060
    • C:\Windows\svhostn.exe
      C:\Windows\svhostn.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops file in Windows directory
      PID:4552
    • C:\Users\Admin\AppData\Local\Temp\240589046.exe
      C:\Users\Admin\AppData\Local\Temp\240589046.exe
      2⤵
      • Drops file in Drivers directory
      • Executes dropped EXE
      • Checks computer location settings
      • Adds Run key to start application
      • Drops file in System32 directory
      • Modifies Internet Explorer settings
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:3096
      • C:\Windows\SysWOW64\mpcsvc.exe
        C:\Windows\system32\mpcsvc.exe
        3⤵
        • Executes dropped EXE
        • Modifies Internet Explorer settings
        • Suspicious behavior: EnumeratesProcesses
        PID:4588
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\p6hhr.bat" "C:\Users\Admin\AppData\Local\Temp\240589046.exe""
        3⤵
          PID:3180
      • C:\Windows\SysWOW64\Regsvr32.exe
        Regsvr32.exe /s bensorty03.dll
        2⤵
        • Loads dropped DLL
        • Installs/modifies Browser Helper Object
        • Modifies registry class
        PID:4376
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\p2hhr.bat" "C:\Users\Admin\AppData\Local\Temp\8dbef2147bd4a0b6725f2e8eb1ae6e18a411fcda13f69dbfdf6c547e1527437a.exe""
        2⤵
          PID:2760

      Network

      MITRE ATT&CK Enterprise v6

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\240589046.exe
        Filesize

        19KB

        MD5

        a1f1494ecb2e9c66c408f9b34b4c90a0

        SHA1

        b2ec1e22421552ee8f6593f6400000a9e7162565

        SHA256

        93c392451641d4f5437ca86f8990fe5844f1da2e45eb9bb137d4a3e46e4ba972

        SHA512

        943038e259554c6b9f90647a5f9a2148cf929fae56982bef81181cf9ae1df3e894e1693ff8d093e70cee22e5f07e85f062d631c83860efb982efb7da5448dd3b

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\240589046.exe
        Filesize

        19KB

        MD5

        a1f1494ecb2e9c66c408f9b34b4c90a0

        SHA1

        b2ec1e22421552ee8f6593f6400000a9e7162565

        SHA256

        93c392451641d4f5437ca86f8990fe5844f1da2e45eb9bb137d4a3e46e4ba972

        SHA512

        943038e259554c6b9f90647a5f9a2148cf929fae56982bef81181cf9ae1df3e894e1693ff8d093e70cee22e5f07e85f062d631c83860efb982efb7da5448dd3b

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\p2hhr.bat
        Filesize

        44B

        MD5

        76d2c58bc389bc1cc18aed4ff486a1a2

        SHA1

        421c4d20655a1270415e550fa9cc8831576abbf6

        SHA256

        e8efa9da7c7006640c2f883bec45cc3013dda102fb4ae74dbd45b676c77820bf

        SHA512

        241642d717fbf37c3f0970921f37246c5484a3763cde23dfe0e830ed26bb9347253b68e659a70e7e6017c883024c0ef678023f0b927438d1bda16f89f40d412e

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\p6hhr.bat
        Filesize

        44B

        MD5

        400fba0cf5e5d608058f93959929b6d3

        SHA1

        162a0d2af9d2d836bba00e9015a29dd2914cd269

        SHA256

        be4a38adde88d522653b423794809d54e9af0abe7decafa0501cd4cc3a073925

        SHA512

        350658631444b12db85ed4687f92eb2cc388257dcc731f84fad1077769adc493f2450075f669ed2c066778a1c1ed459de74db204b903702eceb3e1baa0e816c2

        Download Submit

      • C:\Windows\SysWOW64\bensorty03.dll
        Filesize

        9KB

        MD5

        2ed02f2051738b56c2cb04025d3db308

        SHA1

        b5b9f45427396628703bc5133e2eeb4eb7294701

        SHA256

        fc163de9bcc68c140789c3365e34550186c5c65181194a8bf0d5b7179f867836

        SHA512

        b0605ad756d7dc651155e7d857f05aa43b4e26ea4b4ffb6eaeac90eaf3eefa03e90df9cfa06c824e74a0cf469e92291da72b714448dca7a376f2f856f2d0fbe9

        Download Submit

      • C:\Windows\SysWOW64\bensorty03.dll
        Filesize

        9KB

        MD5

        2ed02f2051738b56c2cb04025d3db308

        SHA1

        b5b9f45427396628703bc5133e2eeb4eb7294701

        SHA256

        fc163de9bcc68c140789c3365e34550186c5c65181194a8bf0d5b7179f867836

        SHA512

        b0605ad756d7dc651155e7d857f05aa43b4e26ea4b4ffb6eaeac90eaf3eefa03e90df9cfa06c824e74a0cf469e92291da72b714448dca7a376f2f856f2d0fbe9

        Download Submit

      • C:\Windows\SysWOW64\mpcsvc.exe
        Filesize

        19KB

        MD5

        4678168e062bf2f83895f43e827bed89

        SHA1

        e06581512a56eaedc21fc9b39c16238aea9ac1f2

        SHA256

        e0e04a27732edb582154508526f3c0f53890c36f73d66b4dc6643d7ea894d40f

        SHA512

        f89e5b0170bb2d41f0391c6ea2b0290b2f1129e98a81fc72140c77130b74269990bc04c21c52727aa78cc1c81cea64ec8989a66a2cc0ce0ef7285636f8188c05

        Download Submit

      • C:\Windows\SysWOW64\mpcsvc.exe
        Filesize

        19KB

        MD5

        4678168e062bf2f83895f43e827bed89

        SHA1

        e06581512a56eaedc21fc9b39c16238aea9ac1f2

        SHA256

        e0e04a27732edb582154508526f3c0f53890c36f73d66b4dc6643d7ea894d40f

        SHA512

        f89e5b0170bb2d41f0391c6ea2b0290b2f1129e98a81fc72140c77130b74269990bc04c21c52727aa78cc1c81cea64ec8989a66a2cc0ce0ef7285636f8188c05

        Download Submit

      • C:\Windows\svhostn.exe
        Filesize

        14KB

        MD5

        1a6fe2645568d72a1c499633bea81853

        SHA1

        112788c22d1492de79edbeca2401cbbef97f9a29

        SHA256

        9dd2fcc8b6fdac753f8926e3ca4f3a234be730d2d791c80e99e590cc3f79bdd1

        SHA512

        d66bb0b2d80d05984aeeec367b7dd7f605df3e2d64c8da542df3087e98b05a08e9b27114ace793ae3a34c6d4cb00e3482c4678db0f84e79ead0af0193dc723b8

        Download Submit

      • C:\Windows\svhostn.exe
        Filesize

        14KB

        MD5

        1a6fe2645568d72a1c499633bea81853

        SHA1

        112788c22d1492de79edbeca2401cbbef97f9a29

        SHA256

        9dd2fcc8b6fdac753f8926e3ca4f3a234be730d2d791c80e99e590cc3f79bdd1

        SHA512

        d66bb0b2d80d05984aeeec367b7dd7f605df3e2d64c8da542df3087e98b05a08e9b27114ace793ae3a34c6d4cb00e3482c4678db0f84e79ead0af0193dc723b8

        Download Submit

      • memory/1060-152-0x0000000000400000-0x0000000000411000-memory.dmp

        Filesize

        68KB

        Download

      • memory/1060-135-0x0000000000400000-0x0000000000411000-memory.dmp

        Filesize

        68KB

        Download

      • memory/3096-149-0x0000000000400000-0x0000000000411000-memory.dmp

        Filesize

        68KB

        Download

      • memory/3096-140-0x0000000000400000-0x0000000000411000-memory.dmp

        Filesize

        68KB

        Download

      • memory/4552-136-0x0000000000400000-0x000000000040A000-memory.dmp

        Filesize

        40KB

        Download

      • memory/4588-144-0x0000000000400000-0x000000000040B000-memory.dmp

        Filesize

        44KB

        Download

      • memory/4588-154-0x0000000000400000-0x000000000040B000-memory.dmp

        Filesize

        44KB

        Download