Overview

overview

8

Static

static

9630f5d095...be.exe

windows7-x64

8

9630f5d095...be.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    153s
  • max time network
    164s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    05-12-2022 11:56

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    9630f5d095410d3690c89e89ff3e2655d225b624a03526c360eb86ff0bf9e7be.exe

  • Size

    2.0MB

  • MD5

    56f6bedfcacea1304880616015de2f44

  • SHA1

    e6a438e0d7bdf892077b3713067b22c9b1b7a54a

  • SHA256

    9630f5d095410d3690c89e89ff3e2655d225b624a03526c360eb86ff0bf9e7be

  • SHA512

    43b7b51608ef2ad2067a1e5f5b80cc34ba5e2e94f23d220044e7de906f09faaa203ddb26c0588a1f619528b05c263055f6031afd9a71186947a983b40c68e027

  • SSDEEP

    49152:x342puDySYNkM8k1yNMO9y4FYUJhTvRG+DvtJn:xUeSYmw4DQ4q6hTvtvD

Score
8/10
adwarestealer

Malware Config

Signatures

  • Executes dropped EXE 3 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL 3 IoCs
  • Installs/modifies Browser Helper Object 2 TTPs 1 IoCs

    BHOs are DLL modules which act as plugins for Internet Explorer.

    stealeradware
  • Drops file in Program Files directory 1 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • NSIS installer 8 IoCs
    installer
  • Modifies Internet Explorer start page 1 TTPs 1 IoCs
    stealer
  • Modifies registry class 11 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\9630f5d095410d3690c89e89ff3e2655d225b624a03526c360eb86ff0bf9e7be.exe
    "C:\Users\Admin\AppData\Local\Temp\9630f5d095410d3690c89e89ff3e2655d225b624a03526c360eb86ff0bf9e7be.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:5036
    • C:\Users\Admin\AppData\Local\Temp\AES.exe
      "C:\Users\Admin\AppData\Local\Temp\AES.exe"
      2⤵
      • Executes dropped EXE
      • Checks computer location settings
      • Drops file in Program Files directory
      • Drops file in Windows directory
      • Modifies Internet Explorer start page
      • Suspicious use of WriteProcessMemory
      PID:4388
      • C:\Windows\SysWOW64\Regsvr32.exe
        Regsvr32.exe /s C:\PROGRA~1\fx678Toolbar\fx678Toolbar.dll
        3⤵
        • Loads dropped DLL
        • Installs/modifies Browser Helper Object
        • Modifies registry class
        PID:2564
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DelTemp.bat" "
        3⤵
          PID:408
      • C:\Users\Admin\AppData\Local\Temp\mailhome.exe
        "C:\Users\Admin\AppData\Local\Temp\mailhome.exe"
        2⤵
        • Executes dropped EXE
        PID:1304
      • C:\Users\Admin\AppData\Local\Temp\TheWorld_OEM_12.exe
        "C:\Users\Admin\AppData\Local\Temp\TheWorld_OEM_12.exe"
        2⤵
        • Executes dropped EXE
        PID:1992

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\PROGRA~1\fx678Toolbar\fx678Toolbar.dll
      Filesize

      574KB

      MD5

      91298a1a027146e8cfad28566654d1bb

      SHA1

      c7010be0d3b34153a4ad873d76faf63562ccdbb0

      SHA256

      b81c9e9a83f342aca00da1b80d890e6d8b27da021741e422b25ca3567786ccd2

      SHA512

      97da1ea3880c4dc59ceaf32b04bb7339739974928c94a3e511d8301dc78ee6dc5b56106988b0e32128527e186c5d0e19ac05454d592648c32b3232649c7cb6ac

      Download Submit

    • C:\Program Files\fx678Toolbar\fx678Toolbar.dll
      Filesize

      574KB

      MD5

      91298a1a027146e8cfad28566654d1bb

      SHA1

      c7010be0d3b34153a4ad873d76faf63562ccdbb0

      SHA256

      b81c9e9a83f342aca00da1b80d890e6d8b27da021741e422b25ca3567786ccd2

      SHA512

      97da1ea3880c4dc59ceaf32b04bb7339739974928c94a3e511d8301dc78ee6dc5b56106988b0e32128527e186c5d0e19ac05454d592648c32b3232649c7cb6ac

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\AES.exe
      Filesize

      1008KB

      MD5

      fb48a7f3a1c90861c80604401a1fe151

      SHA1

      d15f7cd56ebeb773add8ce77610f1d9ad25b8edb

      SHA256

      ebd51b896bb6924001f8a30faac9b996ccb165ddbffd2169653b87f10ec037e1

      SHA512

      32fbb3aa7d024c579cd99160057ed6ac17c91ac5a3fecb7711333a8c18ff317297cb4be92832f064e1426ddf6c2c017f6b855fc4b11ef003be57d792f8f121d8

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\AES.exe
      Filesize

      1008KB

      MD5

      fb48a7f3a1c90861c80604401a1fe151

      SHA1

      d15f7cd56ebeb773add8ce77610f1d9ad25b8edb

      SHA256

      ebd51b896bb6924001f8a30faac9b996ccb165ddbffd2169653b87f10ec037e1

      SHA512

      32fbb3aa7d024c579cd99160057ed6ac17c91ac5a3fecb7711333a8c18ff317297cb4be92832f064e1426ddf6c2c017f6b855fc4b11ef003be57d792f8f121d8

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\DelTemp.bat
      Filesize

      65B

      MD5

      cd4a14da8aadd46d2ed6cbabdbf0f876

      SHA1

      bb30a908c447b7b2bd37938ef5d8440d21ea3011

      SHA256

      0a11d46579f7edae3ee4e4c66d08a6dff6cdd9382ad2ef51ebfc3bc2d5a9c530

      SHA512

      bca37da6b66cd2930a671e361058539ef19ed04c169a495d3e90ad5cb855fdb650e79bd72d30159e775ee1eec1638c4d8e5678f99b57819ab631f9d61822f420

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\TheWorld_OEM_12.exe
      Filesize

      759KB

      MD5

      748f7baa7a435dc70986cfbff0a61d9e

      SHA1

      d7a2196fdb08a89dd275f99e8d009fa3ccf15315

      SHA256

      495dbdf0cb4a8f214bee7cd5c1c8b65a870ab2bc3707569e7cf310f1d5684dc2

      SHA512

      4c0b0f6f3548376b2955f824d1f44dbf2863aa04096b4ea7199bdc9d4acb6c59ceceb0bf4c6fd33469b3a1c828739fd02cf74f0f393256c7ab57477b5bd560a7

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\TheWorld_OEM_12.exe
      Filesize

      759KB

      MD5

      748f7baa7a435dc70986cfbff0a61d9e

      SHA1

      d7a2196fdb08a89dd275f99e8d009fa3ccf15315

      SHA256

      495dbdf0cb4a8f214bee7cd5c1c8b65a870ab2bc3707569e7cf310f1d5684dc2

      SHA512

      4c0b0f6f3548376b2955f824d1f44dbf2863aa04096b4ea7199bdc9d4acb6c59ceceb0bf4c6fd33469b3a1c828739fd02cf74f0f393256c7ab57477b5bd560a7

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\mailhome.exe
      Filesize

      765KB

      MD5

      7e30246aa6e39ad06fcd471f65cbd9e0

      SHA1

      6de1516336b44330aac3b1d14be39dd9e5673d77

      SHA256

      c9e9cf6a9f02b8f3dd2f7989e1bcd3c960df192319a775e03cb7f0cd4d267b77

      SHA512

      5c3d2c89bc5178789b8f3e556f7e950076329033e103ce96b9858c425651628ad83dbb672ad26aeb99e5e2a2b492b6f8b9b49afe52240e076f2e13b0c5de203a

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\mailhome.exe
      Filesize

      765KB

      MD5

      7e30246aa6e39ad06fcd471f65cbd9e0

      SHA1

      6de1516336b44330aac3b1d14be39dd9e5673d77

      SHA256

      c9e9cf6a9f02b8f3dd2f7989e1bcd3c960df192319a775e03cb7f0cd4d267b77

      SHA512

      5c3d2c89bc5178789b8f3e556f7e950076329033e103ce96b9858c425651628ad83dbb672ad26aeb99e5e2a2b492b6f8b9b49afe52240e076f2e13b0c5de203a

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\nsvBC70.tmp\System.dll
      Filesize

      9KB

      MD5

      afd989ef7eec6bf952bedfce541fe236

      SHA1

      5654b71c5b1089c2cec6381d8da5bd14a14e1a37

      SHA256

      5e97602008ba004c72d58f71e77ffe0a0ea01103867eb12a9ec0f28e72f440d8

      SHA512

      f4e3d88477d39218667dd482a08904b2b69435db7d1fdd492380544aff83895d393a288c329da69074b69c68f51db45f694dfea81fc12fa2042ed43b3d06440c

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\nsvBC70.tmp\System.dll
      Filesize

      9KB

      MD5

      afd989ef7eec6bf952bedfce541fe236

      SHA1

      5654b71c5b1089c2cec6381d8da5bd14a14e1a37

      SHA256

      5e97602008ba004c72d58f71e77ffe0a0ea01103867eb12a9ec0f28e72f440d8

      SHA512

      f4e3d88477d39218667dd482a08904b2b69435db7d1fdd492380544aff83895d393a288c329da69074b69c68f51db45f694dfea81fc12fa2042ed43b3d06440c

      Download Submit

    • memory/408-146-0x0000000000000000-mapping.dmp

      Download

    • memory/1304-136-0x0000000000000000-mapping.dmp

      Download

    • memory/1992-139-0x0000000000000000-mapping.dmp

      Download

    • memory/2564-143-0x0000000000000000-mapping.dmp

      Download

    • memory/4388-133-0x0000000000000000-mapping.dmp

      Download