949aa99c71cde3343dee5b99c5c1db4d57e766a362144380f89c69d5b095f15d

Analysis

max time kernel
150s
max time network
46s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
04/12/2022, 08:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

949aa99c71cde3343dee5b99c5c1db4d57e766a362144380f89c69d5b095f15d.exe
Size

24KB
MD5

68db4e58a1412519804966ee0415cac5
SHA1

1d3a9d7ed7a3430cee033b8f4636dd5f91bb9665
SHA256

949aa99c71cde3343dee5b99c5c1db4d57e766a362144380f89c69d5b095f15d
SHA512

950540265ce119e4bd1e53bd0acc1ac31f5c1d7f64d11e33ae2e0dbb0794237a047455ce51f00d84612694546199cce014785b989747a3bbb15ed5b91ca02c51
SSDEEP

192:0Fc454q+dI3tiju+mbVGbHPlMLs6GHEBJ3tiinI8+GD26CY:0Fc4+hdKijuZgbvyE4nLnI8JD2dY

Score

8^/10

evasion persistence

Malware Config

Signatures

Sets file to hidden 1 TTPs 1 IoCs

Modifies file attributes to stop it showing in Explorer etc.

evasion

Hidden Files and Directories

T1158

pid	Process
1696	attrib.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Dx = "c:\\stormliv.exe"	reg.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main	949aa99c71cde3343dee5b99c5c1db4d57e766a362144380f89c69d5b095f15d.exe

Modifies Internet Explorer start page 1 TTPs 1 IoCs

stealer

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.dxcpm.com/?7_12/7/2022"	949aa99c71cde3343dee5b99c5c1db4d57e766a362144380f89c69d5b095f15d.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2016	949aa99c71cde3343dee5b99c5c1db4d57e766a362144380f89c69d5b095f15d.exe
2016	949aa99c71cde3343dee5b99c5c1db4d57e766a362144380f89c69d5b095f15d.exe
2016	949aa99c71cde3343dee5b99c5c1db4d57e766a362144380f89c69d5b095f15d.exe
2016	949aa99c71cde3343dee5b99c5c1db4d57e766a362144380f89c69d5b095f15d.exe
2016	949aa99c71cde3343dee5b99c5c1db4d57e766a362144380f89c69d5b095f15d.exe
2016	949aa99c71cde3343dee5b99c5c1db4d57e766a362144380f89c69d5b095f15d.exe
2016	949aa99c71cde3343dee5b99c5c1db4d57e766a362144380f89c69d5b095f15d.exe
2016	949aa99c71cde3343dee5b99c5c1db4d57e766a362144380f89c69d5b095f15d.exe
2016	949aa99c71cde3343dee5b99c5c1db4d57e766a362144380f89c69d5b095f15d.exe
2016	949aa99c71cde3343dee5b99c5c1db4d57e766a362144380f89c69d5b095f15d.exe
2016	949aa99c71cde3343dee5b99c5c1db4d57e766a362144380f89c69d5b095f15d.exe
2016	949aa99c71cde3343dee5b99c5c1db4d57e766a362144380f89c69d5b095f15d.exe
2016	949aa99c71cde3343dee5b99c5c1db4d57e766a362144380f89c69d5b095f15d.exe
2016	949aa99c71cde3343dee5b99c5c1db4d57e766a362144380f89c69d5b095f15d.exe
2016	949aa99c71cde3343dee5b99c5c1db4d57e766a362144380f89c69d5b095f15d.exe
2016	949aa99c71cde3343dee5b99c5c1db4d57e766a362144380f89c69d5b095f15d.exe
2016	949aa99c71cde3343dee5b99c5c1db4d57e766a362144380f89c69d5b095f15d.exe
2016	949aa99c71cde3343dee5b99c5c1db4d57e766a362144380f89c69d5b095f15d.exe
2016	949aa99c71cde3343dee5b99c5c1db4d57e766a362144380f89c69d5b095f15d.exe
2016	949aa99c71cde3343dee5b99c5c1db4d57e766a362144380f89c69d5b095f15d.exe
2016	949aa99c71cde3343dee5b99c5c1db4d57e766a362144380f89c69d5b095f15d.exe
2016	949aa99c71cde3343dee5b99c5c1db4d57e766a362144380f89c69d5b095f15d.exe
2016	949aa99c71cde3343dee5b99c5c1db4d57e766a362144380f89c69d5b095f15d.exe
2016	949aa99c71cde3343dee5b99c5c1db4d57e766a362144380f89c69d5b095f15d.exe
2016	949aa99c71cde3343dee5b99c5c1db4d57e766a362144380f89c69d5b095f15d.exe
2016	949aa99c71cde3343dee5b99c5c1db4d57e766a362144380f89c69d5b095f15d.exe
2016	949aa99c71cde3343dee5b99c5c1db4d57e766a362144380f89c69d5b095f15d.exe
2016	949aa99c71cde3343dee5b99c5c1db4d57e766a362144380f89c69d5b095f15d.exe
2016	949aa99c71cde3343dee5b99c5c1db4d57e766a362144380f89c69d5b095f15d.exe
2016	949aa99c71cde3343dee5b99c5c1db4d57e766a362144380f89c69d5b095f15d.exe
2016	949aa99c71cde3343dee5b99c5c1db4d57e766a362144380f89c69d5b095f15d.exe
2016	949aa99c71cde3343dee5b99c5c1db4d57e766a362144380f89c69d5b095f15d.exe
2016	949aa99c71cde3343dee5b99c5c1db4d57e766a362144380f89c69d5b095f15d.exe
2016	949aa99c71cde3343dee5b99c5c1db4d57e766a362144380f89c69d5b095f15d.exe
2016	949aa99c71cde3343dee5b99c5c1db4d57e766a362144380f89c69d5b095f15d.exe
2016	949aa99c71cde3343dee5b99c5c1db4d57e766a362144380f89c69d5b095f15d.exe
2016	949aa99c71cde3343dee5b99c5c1db4d57e766a362144380f89c69d5b095f15d.exe
2016	949aa99c71cde3343dee5b99c5c1db4d57e766a362144380f89c69d5b095f15d.exe
2016	949aa99c71cde3343dee5b99c5c1db4d57e766a362144380f89c69d5b095f15d.exe
2016	949aa99c71cde3343dee5b99c5c1db4d57e766a362144380f89c69d5b095f15d.exe
2016	949aa99c71cde3343dee5b99c5c1db4d57e766a362144380f89c69d5b095f15d.exe
2016	949aa99c71cde3343dee5b99c5c1db4d57e766a362144380f89c69d5b095f15d.exe
2016	949aa99c71cde3343dee5b99c5c1db4d57e766a362144380f89c69d5b095f15d.exe
2016	949aa99c71cde3343dee5b99c5c1db4d57e766a362144380f89c69d5b095f15d.exe
2016	949aa99c71cde3343dee5b99c5c1db4d57e766a362144380f89c69d5b095f15d.exe
2016	949aa99c71cde3343dee5b99c5c1db4d57e766a362144380f89c69d5b095f15d.exe
2016	949aa99c71cde3343dee5b99c5c1db4d57e766a362144380f89c69d5b095f15d.exe
2016	949aa99c71cde3343dee5b99c5c1db4d57e766a362144380f89c69d5b095f15d.exe
2016	949aa99c71cde3343dee5b99c5c1db4d57e766a362144380f89c69d5b095f15d.exe
2016	949aa99c71cde3343dee5b99c5c1db4d57e766a362144380f89c69d5b095f15d.exe
2016	949aa99c71cde3343dee5b99c5c1db4d57e766a362144380f89c69d5b095f15d.exe
2016	949aa99c71cde3343dee5b99c5c1db4d57e766a362144380f89c69d5b095f15d.exe
2016	949aa99c71cde3343dee5b99c5c1db4d57e766a362144380f89c69d5b095f15d.exe
2016	949aa99c71cde3343dee5b99c5c1db4d57e766a362144380f89c69d5b095f15d.exe
2016	949aa99c71cde3343dee5b99c5c1db4d57e766a362144380f89c69d5b095f15d.exe
2016	949aa99c71cde3343dee5b99c5c1db4d57e766a362144380f89c69d5b095f15d.exe
2016	949aa99c71cde3343dee5b99c5c1db4d57e766a362144380f89c69d5b095f15d.exe
2016	949aa99c71cde3343dee5b99c5c1db4d57e766a362144380f89c69d5b095f15d.exe
2016	949aa99c71cde3343dee5b99c5c1db4d57e766a362144380f89c69d5b095f15d.exe
2016	949aa99c71cde3343dee5b99c5c1db4d57e766a362144380f89c69d5b095f15d.exe
2016	949aa99c71cde3343dee5b99c5c1db4d57e766a362144380f89c69d5b095f15d.exe
2016	949aa99c71cde3343dee5b99c5c1db4d57e766a362144380f89c69d5b095f15d.exe
2016	949aa99c71cde3343dee5b99c5c1db4d57e766a362144380f89c69d5b095f15d.exe
2016	949aa99c71cde3343dee5b99c5c1db4d57e766a362144380f89c69d5b095f15d.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2016	949aa99c71cde3343dee5b99c5c1db4d57e766a362144380f89c69d5b095f15d.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2016 wrote to memory of 1728	2016	949aa99c71cde3343dee5b99c5c1db4d57e766a362144380f89c69d5b095f15d.exe	28
PID 2016 wrote to memory of 1728	2016	949aa99c71cde3343dee5b99c5c1db4d57e766a362144380f89c69d5b095f15d.exe	28
PID 2016 wrote to memory of 1728	2016	949aa99c71cde3343dee5b99c5c1db4d57e766a362144380f89c69d5b095f15d.exe	28
PID 2016 wrote to memory of 1728	2016	949aa99c71cde3343dee5b99c5c1db4d57e766a362144380f89c69d5b095f15d.exe	28
PID 1728 wrote to memory of 1696	1728	cmd.exe	30
PID 1728 wrote to memory of 1696	1728	cmd.exe	30
PID 1728 wrote to memory of 1696	1728	cmd.exe	30
PID 1728 wrote to memory of 1696	1728	cmd.exe	30
PID 1728 wrote to memory of 976	1728	cmd.exe	31
PID 1728 wrote to memory of 976	1728	cmd.exe	31
PID 1728 wrote to memory of 976	1728	cmd.exe	31
PID 1728 wrote to memory of 976	1728	cmd.exe	31

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1158

pid	Process
1696	attrib.exe

C:\Users\Admin\AppData\Local\Temp\949aa99c71cde3343dee5b99c5c1db4d57e766a362144380f89c69d5b095f15d.exe
"C:\Users\Admin\AppData\Local\Temp\949aa99c71cde3343dee5b99c5c1db4d57e766a362144380f89c69d5b095f15d.exe"
1⤵
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2016
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\Dx.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1728
- - C:\Windows\SysWOW64\attrib.exe
    attrib +r +s +h c:\stormliv.exe
    3⤵
    - Sets file to hidden
    - Views/modifies file attributes
    PID:1696
- - C:\Windows\SysWOW64\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /v Dx /t REG_SZ /d c:\stormliv.exe /f
    3⤵
    - Adds Run key to start application
    PID:976

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Dx.bat

Filesize
372B

MD5
141c0f637d56420e507c795b034219a0

SHA1
b37e7aa38627a3771b223387d6f56d2a6a4daee9

SHA256
8b5efa5f8d7f0e37a11933c32a2b3cc13d9e63afcb55ca5c2b97e1898c199b9f

SHA512
e1f61fadda86d6a655b4abab214fcaa98a9f613672ccd74a0dd8c8469a7ca5f549ff72f5da3c7697917caa28b47b278e211eb788af0e557f85ab915b34dc5cfa

Download Submit
C:\stormliv.exe

Filesize
24KB

MD5
68db4e58a1412519804966ee0415cac5

SHA1
1d3a9d7ed7a3430cee033b8f4636dd5f91bb9665

SHA256
949aa99c71cde3343dee5b99c5c1db4d57e766a362144380f89c69d5b095f15d

SHA512
950540265ce119e4bd1e53bd0acc1ac31f5c1d7f64d11e33ae2e0dbb0794237a047455ce51f00d84612694546199cce014785b989747a3bbb15ed5b91ca02c51

Download Submit
memory/2016-57-0x0000000076711000-0x0000000076713000-memory.dmp

Filesize
8KB

Download