Overview

overview

7

Static

static

1

c08829d453...b9.exe

windows7-x64

7

c08829d453...b9.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    42s
  • max time network
    45s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    04/12/2022, 05:20

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    c08829d453e55483dec0e85c750200da984bf678562d144f7014041c43b15eb9.exe

  • Size

    132KB

  • MD5

    3f9d4275b81d0784575d59943b9346d1

  • SHA1

    04a47b3c144a86eb6c89d121d7e2712df632c3f1

  • SHA256

    c08829d453e55483dec0e85c750200da984bf678562d144f7014041c43b15eb9

  • SHA512

    3318171cad9022c5e7c7124df9df849bbc7ce268afcc491f4e9b78b4bb1e8b2e8d979afc81ae9330fbd10a722d5f83495060a1d03fb240f0c032f1021f13d75e

  • SSDEEP

    3072:vpBCRdma8JVU4je3+/xdzMLCBuTmJwR9VaQs5dEEnyAS4:xBw7keIBl6ns5dEmys

Score
7/10
adwarediscoverypersistencestealer

Malware Config

Signatures

  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Installs/modifies Browser Helper Object 2 TTPs 6 IoCs

    BHOs are DLL modules which act as plugins for Internet Explorer.

    stealeradware
  • Drops file in System32 directory 1 IoCs
  • Drops file in Program Files directory 9 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies Internet Explorer settings 1 TTPs 6 IoCs
    adwarespyware
  • Modifies registry class 64 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\c08829d453e55483dec0e85c750200da984bf678562d144f7014041c43b15eb9.exe
    "C:\Users\Admin\AppData\Local\Temp\c08829d453e55483dec0e85c750200da984bf678562d144f7014041c43b15eb9.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • Installs/modifies Browser Helper Object
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of WriteProcessMemory
    PID:1956
    • C:\Windows\SysWOW64\regsvr32.exe
      regsvr32 /s C:\Windows\system32\nvms.dll
      2⤵
      • Loads dropped DLL
      • Installs/modifies Browser Helper Object
      • Modifies registry class
      PID:1568

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\SysWOW64\nvms.dll
    Filesize

    80KB

    MD5

    f4eaa09d78b46f943f8b093606866301

    SHA1

    87a1a3cbf775501f4285d949c42a3b8b52fa79af

    SHA256

    2e37739c20b29bae5f558a8f5463f7aec6090a97cb5adca6e8b6fb50ba7559de

    SHA512

    7b1720684348dee4b4f3549d8dbbc2272c9cc2f364b26085401c4c861d52f3a820aa99aa2dabd99be1df38797ff2360093ea6fb03e0a62f7821b1416e2f3eb4f

    Download Submit

  • \Windows\SysWOW64\nvms.dll
    Filesize

    80KB

    MD5

    f4eaa09d78b46f943f8b093606866301

    SHA1

    87a1a3cbf775501f4285d949c42a3b8b52fa79af

    SHA256

    2e37739c20b29bae5f558a8f5463f7aec6090a97cb5adca6e8b6fb50ba7559de

    SHA512

    7b1720684348dee4b4f3549d8dbbc2272c9cc2f364b26085401c4c861d52f3a820aa99aa2dabd99be1df38797ff2360093ea6fb03e0a62f7821b1416e2f3eb4f

    Download Submit

  • \Windows\SysWOW64\nvms.dll
    Filesize

    80KB

    MD5

    f4eaa09d78b46f943f8b093606866301

    SHA1

    87a1a3cbf775501f4285d949c42a3b8b52fa79af

    SHA256

    2e37739c20b29bae5f558a8f5463f7aec6090a97cb5adca6e8b6fb50ba7559de

    SHA512

    7b1720684348dee4b4f3549d8dbbc2272c9cc2f364b26085401c4c861d52f3a820aa99aa2dabd99be1df38797ff2360093ea6fb03e0a62f7821b1416e2f3eb4f

    Download Submit

  • \Windows\SysWOW64\nvms.dll
    Filesize

    80KB

    MD5

    f4eaa09d78b46f943f8b093606866301

    SHA1

    87a1a3cbf775501f4285d949c42a3b8b52fa79af

    SHA256

    2e37739c20b29bae5f558a8f5463f7aec6090a97cb5adca6e8b6fb50ba7559de

    SHA512

    7b1720684348dee4b4f3549d8dbbc2272c9cc2f364b26085401c4c861d52f3a820aa99aa2dabd99be1df38797ff2360093ea6fb03e0a62f7821b1416e2f3eb4f

    Download Submit

  • memory/1956-54-0x0000000075141000-0x0000000075143000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1956-55-0x0000000073FE1000-0x0000000073FE3000-memory.dmp

    Filesize

    8KB

    Download