Analysis

  • max time kernel
    300s
  • max time network
    365s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    05-12-2022 10:14

General

  • Target

    a427a5b090ac92a64e65b83ab3bb3449d976b85837d37225cca6db88c3ea04f0.exe

  • Size

    128KB

  • MD5

    f274830467ae5097bed240d2df72e22a

  • SHA1

    971d5d77d904c0518695b24d8a71c7c3aee4e371

  • SHA256

    a427a5b090ac92a64e65b83ab3bb3449d976b85837d37225cca6db88c3ea04f0

  • SHA512

    4d945af708b65507c2ee5421852a1bc67c7da5edd21f6f18a59b747802d329c3bf2b11329d485b769db40beebe45b273fc50e1da817feb40be0dff9387840cc2

  • SSDEEP

    3072:4ATMTCJpo5HmyjTbwkwd46PLV8WQ+fb7FSw2+:fTMTCJpo5HmyjTSdHz7jT

Score
8/10

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Drops startup file 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Installs/modifies Browser Helper Object 2 TTPs 2 IoCs

    BHOs are DLL modules which act as plugins for Internet Explorer.

  • Drops file in System32 directory 4 IoCs
  • Drops file in Program Files directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies registry class 46 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a427a5b090ac92a64e65b83ab3bb3449d976b85837d37225cca6db88c3ea04f0.exe
    "C:\Users\Admin\AppData\Local\Temp\a427a5b090ac92a64e65b83ab3bb3449d976b85837d37225cca6db88c3ea04f0.exe"
    1⤵
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1812
    • C:\Program Files (x86)\snss.exe
      "C:\Program Files (x86)\snss.exe"
      2⤵
      • Executes dropped EXE
      • Drops startup file
      • Drops file in System32 directory
      • Suspicious use of SetWindowsHookEx
      PID:2732
    • C:\Windows\SysWOW64\Regsvr32.exe
      Regsvr32.exe /s "C:\Windows\system32\Thunder.dll"
      2⤵
      • Loads dropped DLL
      • Installs/modifies Browser Helper Object
      • Modifies registry class
      PID:932

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Program Files (x86)\snss.exe

    Filesize

    40KB

    MD5

    f5ef30ebebab471bd64770671030a405

    SHA1

    ccdb7fd7e2c2a3c7438a0e19c4b2979ba5b20c1b

    SHA256

    fdff92507a77f2a85c716c11e0f17bf182fcab72d6e0d908669d86fa394fcdbe

    SHA512

    e74d3d06090bfeab6201d1b4ceceac09f25f2b81a0c4976fa0b6f83170307326a358ffccaabb3d83a5168253c2d8cea1b65c227c0c357fed4687f5b469482be9

  • C:\Windows\SysWOW64\Thunder.dll

    Filesize

    32KB

    MD5

    6723e0bc4cabd932678be8c816d6e37b

    SHA1

    b8912738bb375e9920653d0485caa678a81bbfdb

    SHA256

    7b1d085aadeb19b8e5b3cf62c3f7bcc07a46ad1cf6565590ee21d0dab6fabca5

    SHA512

    62b9c721a7772c78e28d7c3f89ef0e6c6b204c8aadea1f40c1a42caa648c6c21e9b5cda59c8637679072d635f6059dc5d2395f7f7bd79275ca89d9d1fb7ff919

  • C:\Windows\SysWOW64\sysini.ini

    Filesize

    194B

    MD5

    052699883a935af2306c27b5ee1d8032

    SHA1

    858fef657ad2d36993a95cfae1c9f614f6a1f4fb

    SHA256

    fb58ece4399022ab347035ee4f86c6dc871297486b402d63e4f9d4ed43a0c6cb

    SHA512

    39f57f1f0b6d06a19952bfdb0c37b48cfdd9179d46cc37993a8e7d3173604cbfb6857139298a98e831b2b1fec8a241f37f3ba5b142d3a72188be4bac637da5c8