Overview

overview

8

Static

static

1

6ddc84f9ff...5d.exe

windows7-x64

8

6ddc84f9ff...5d.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    277s
  • max time network
    399s
  • platform
    windows7_x64
  • resource
    win7-20221111-en
  • resource tags

    arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
  • submitted
    05/12/2022, 17:45

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    6ddc84f9ff0ca8d5142c0949416c4ee950d88ee76081412914a396b7b6d09b5d.exe

  • Size

    4.0MB

  • MD5

    28323053f2d8e1210c54a2299887822d

  • SHA1

    5866a328e6dd8b1dfac20c025b0e650e7fa7feaa

  • SHA256

    6ddc84f9ff0ca8d5142c0949416c4ee950d88ee76081412914a396b7b6d09b5d

  • SHA512

    7845c3c58b03079b87f97c66c7b9d1f8a5e03ceb2b08e2d94e7f9f5d9f3a45d642bb09eb1968b90b8317bdf460c735c5d2e1e3c43978f878aa97391b5fea7966

  • SSDEEP

    49152:7quiZsE10eob8fb4+QkaoDl5Yn84xUBRLf+jUv98aGVd7CP8iAHDef6AQfH1XRVH:7quekb9pal5YnVxqrvLuhCPFOeyzHBX

Score
8/10
adwarediscoverypersistencespywarestealer

Malware Config

Signatures

  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 16 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Installs/modifies Browser Helper Object 2 TTPs 6 IoCs

    BHOs are DLL modules which act as plugins for Internet Explorer.

    stealeradware
  • Maps connected drives based on registry 3 TTPs 9 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Drops file in System32 directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • NSIS installer 12 IoCs
    installer
  • Modifies Internet Explorer Protected Mode 1 TTPs 2 IoCs
  • Modifies Internet Explorer Protected Mode Banner 1 TTPs 2 IoCs
  • Modifies Internet Explorer settings 1 TTPs 30 IoCs
    adwarespyware
  • Modifies registry class 17 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 26 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\6ddc84f9ff0ca8d5142c0949416c4ee950d88ee76081412914a396b7b6d09b5d.exe
    "C:\Users\Admin\AppData\Local\Temp\6ddc84f9ff0ca8d5142c0949416c4ee950d88ee76081412914a396b7b6d09b5d.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:300
    • C:\Users\Admin\AppData\Local\Temp\tlntsvrs.exe
      "C:\Users\Admin\AppData\Local\Temp\tlntsvrs.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Installs/modifies Browser Helper Object
      • Maps connected drives based on registry
      • Drops file in System32 directory
      • Modifies Internet Explorer Protected Mode
      • Modifies Internet Explorer Protected Mode Banner
      • Modifies Internet Explorer settings
      • Modifies registry class
      PID:1844
    • C:\Users\Admin\AppData\Local\Temp\locatr.exe
      "C:\Users\Admin\AppData\Local\Temp\locatr.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • Installs/modifies Browser Helper Object
      • Maps connected drives based on registry
      • Drops file in System32 directory
      • Modifies Internet Explorer Protected Mode
      • Modifies Internet Explorer Protected Mode Banner
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:1132
      • C:\Windows\SysWOW64\regsvr32.exe
        "C:\Windows\system32\regsvr32.exe" /s "C:\Windows\system32\yetwqrmnwlovo.dll"
        3⤵
        • Adds Run key to start application
        • Installs/modifies Browser Helper Object
        • Maps connected drives based on registry
        • Modifies registry class
        PID:1704
    • C:\Users\Admin\AppData\Local\Temp\setup.exe
      "C:\Users\Admin\AppData\Local\Temp\setup.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in System32 directory
      PID:1100
  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
    1⤵
    • Modifies Internet Explorer settings
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1516
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1516 CREDAT:275457 /prefetch:2
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      PID:1972

Network

        MITRE ATT&CK Enterprise v6

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\locatr.exe
          Filesize

          447KB

          MD5

          298fe82c81d383b33d076541677f9288

          SHA1

          23ae44b912411cc6ac6c3b367b8e332fc61e51cd

          SHA256

          eec154ec4752c943d5ebecc46e1d0f6841a8d3a6c54cb79771e2513164d83923

          SHA512

          384241004f19b6e0afcdee3c1f098bd97472a8ccb15ac43fd969ceb8e7fba0f8a73aefe1baabce7c4fbf7fc86e052a7e328a109c69f41b1766e9873faf9237ed

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\locatr.exe
          Filesize

          447KB

          MD5

          298fe82c81d383b33d076541677f9288

          SHA1

          23ae44b912411cc6ac6c3b367b8e332fc61e51cd

          SHA256

          eec154ec4752c943d5ebecc46e1d0f6841a8d3a6c54cb79771e2513164d83923

          SHA512

          384241004f19b6e0afcdee3c1f098bd97472a8ccb15ac43fd969ceb8e7fba0f8a73aefe1baabce7c4fbf7fc86e052a7e328a109c69f41b1766e9873faf9237ed

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\setup.exe
          Filesize

          1.2MB

          MD5

          d621b8ecbba354bb2b2482f16deed44c

          SHA1

          2e68951701910423be491efe361b72e9b06d8a92

          SHA256

          0cb5b5e2ba40e66f6aff6b6338c26ff6cf27a1be81918abb83cf483433afbdfa

          SHA512

          7e16e7cc42a0ea891e49ec0064328aec3f43b868e01b337dd303d037e7c2e4f04f145c325f06c90a0cf91b5bef42f09651b3bd4b12c8f6c4953ca28f5c32995c

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\setup.exe
          Filesize

          1.2MB

          MD5

          d621b8ecbba354bb2b2482f16deed44c

          SHA1

          2e68951701910423be491efe361b72e9b06d8a92

          SHA256

          0cb5b5e2ba40e66f6aff6b6338c26ff6cf27a1be81918abb83cf483433afbdfa

          SHA512

          7e16e7cc42a0ea891e49ec0064328aec3f43b868e01b337dd303d037e7c2e4f04f145c325f06c90a0cf91b5bef42f09651b3bd4b12c8f6c4953ca28f5c32995c

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\tlntsvrs.exe
          Filesize

          2.3MB

          MD5

          77ad929b9bcc55a53cdbd11742b011da

          SHA1

          aecf6a064d5925b7712ed914f4a6b1d9d5784ce3

          SHA256

          4856fcdf8ac3ff20fcf1b9007f7485a24c8760bb47de55a4c3d8c6137404602f

          SHA512

          68adc517c6ffabfe1d98fb19a40937c64bbe1e41c8a8c5d12671a47f58879c7347797821e72175ed5bc04714461b6353dfb7f058fdd3dbfc30178779e9677721

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\tlntsvrs.exe
          Filesize

          2.3MB

          MD5

          77ad929b9bcc55a53cdbd11742b011da

          SHA1

          aecf6a064d5925b7712ed914f4a6b1d9d5784ce3

          SHA256

          4856fcdf8ac3ff20fcf1b9007f7485a24c8760bb47de55a4c3d8c6137404602f

          SHA512

          68adc517c6ffabfe1d98fb19a40937c64bbe1e41c8a8c5d12671a47f58879c7347797821e72175ed5bc04714461b6353dfb7f058fdd3dbfc30178779e9677721

          Download Submit

        • C:\Windows\SysWOW64\yetwqrmnwlovo.dll
          Filesize

          811KB

          MD5

          597f447d5ac26a0d8a779656782c77bd

          SHA1

          3530b32d1a1a1fad60259ca719b781d3661af9c4

          SHA256

          8db5d4800a661039c337f6b4f3c90b067dc00bc3f5cc5c3377e977e2af3a091a

          SHA512

          4b5fb2b83d8960467d0d8984ab3d20681d2149c47287af2a0cb2e3e9d88d0e03a07d25fc9e0c1067ada1bd324be21096e55948ecd40bb70482285cd43353b6fa

          Download Submit

        • \Users\Admin\AppData\Local\Temp\GLCA890.tmp
          Filesize

          161KB

          MD5

          8c97d8bb1470c6498e47b12c5a03ce39

          SHA1

          15d233b22f1c3d756dca29bcc0021e6fb0b8cdf7

          SHA256

          a87f19f9fee475d2b2e82acfb4589be6d816b613064cd06826e1d4c147beb50a

          SHA512

          7ad0b2b0319da52152c2595ee45045d0c06b157cdaaa56ad57dde9736be3e45fd7357949126f80d3e72b21510f9bf69d010d51b3967a7644662808beed067c3f

          Download Submit

        • \Users\Admin\AppData\Local\Temp\GLKAC78.tmp
          Filesize

          33KB

          MD5

          517419cae37f6c78c80f9b7d0fbb8661

          SHA1

          a9e419f3d9ef589522556e0920c84fe37a548873

          SHA256

          bfe7e013cfb85e78b994d3ad34eca08286494a835cb85f1d7bced3df6fe93a11

          SHA512

          5046565443cf463b6fa4d2d5868879efc6a9db969bf05e3c80725b99bd091ce062cfe66c5551eb1cc5f00a38f2cfcda1f36fb4d60d9ff816c4ec3107b5a0df40

          Download Submit

        • \Users\Admin\AppData\Local\Temp\locatr.exe
          Filesize

          447KB

          MD5

          298fe82c81d383b33d076541677f9288

          SHA1

          23ae44b912411cc6ac6c3b367b8e332fc61e51cd

          SHA256

          eec154ec4752c943d5ebecc46e1d0f6841a8d3a6c54cb79771e2513164d83923

          SHA512

          384241004f19b6e0afcdee3c1f098bd97472a8ccb15ac43fd969ceb8e7fba0f8a73aefe1baabce7c4fbf7fc86e052a7e328a109c69f41b1766e9873faf9237ed

          Download Submit

        • \Users\Admin\AppData\Local\Temp\nsvA3D1.tmp\System.dll
          Filesize

          11KB

          MD5

          c17103ae9072a06da581dec998343fc1

          SHA1

          b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d

          SHA256

          dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f

          SHA512

          d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

          Download Submit

        • \Users\Admin\AppData\Local\Temp\nsvA46D.tmp\Math.dll
          Filesize

          66KB

          MD5

          b140459077c7c39be4bef249c2f84535

          SHA1

          c56498241c2ddafb01961596da16d08d1b11cd35

          SHA256

          0598f7d83db44929b7170c1285457b52b4281185f63ced102e709bf065f10d67

          SHA512

          fbcb19a951d96a216d73b6b3e005338bbb6e11332c6cc8c3f179ccd420b4db0e5682dc4245bd120dcb67bc70960eab368e74c68c7c165a485a12a7d0d8a00328

          Download Submit

        • \Users\Admin\AppData\Local\Temp\nsvA46D.tmp\System.dll
          Filesize

          11KB

          MD5

          c17103ae9072a06da581dec998343fc1

          SHA1

          b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d

          SHA256

          dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f

          SHA512

          d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

          Download Submit

        • \Users\Admin\AppData\Local\Temp\nsvA46D.tmp\UAC.dll
          Filesize

          17KB

          MD5

          88ad3fd90fc52ac3ee0441a38400a384

          SHA1

          08bc9e1f5951b54126b5c3c769e3eaed42f3d10b

          SHA256

          e58884695378cf02715373928bb8ade270baf03144369463f505c3b3808cbc42

          SHA512

          359496f571e6fa2ec4c5ab5bd1d35d1330586f624228713ae55c65a69e07d8623022ef54337c22c3aab558a9b74d9977c8436f5fea4194899d9ef3ffd74e7dbb

          Download Submit

        • \Users\Admin\AppData\Local\Temp\nsvA46D.tmp\UAC.dll
          Filesize

          17KB

          MD5

          88ad3fd90fc52ac3ee0441a38400a384

          SHA1

          08bc9e1f5951b54126b5c3c769e3eaed42f3d10b

          SHA256

          e58884695378cf02715373928bb8ade270baf03144369463f505c3b3808cbc42

          SHA512

          359496f571e6fa2ec4c5ab5bd1d35d1330586f624228713ae55c65a69e07d8623022ef54337c22c3aab558a9b74d9977c8436f5fea4194899d9ef3ffd74e7dbb

          Download Submit

        • \Users\Admin\AppData\Local\Temp\nsvA46D.tmp\UAC.dll
          Filesize

          17KB

          MD5

          88ad3fd90fc52ac3ee0441a38400a384

          SHA1

          08bc9e1f5951b54126b5c3c769e3eaed42f3d10b

          SHA256

          e58884695378cf02715373928bb8ade270baf03144369463f505c3b3808cbc42

          SHA512

          359496f571e6fa2ec4c5ab5bd1d35d1330586f624228713ae55c65a69e07d8623022ef54337c22c3aab558a9b74d9977c8436f5fea4194899d9ef3ffd74e7dbb

          Download Submit

        • \Users\Admin\AppData\Local\Temp\nsvB002.tmp.dll
          Filesize

          811KB

          MD5

          597f447d5ac26a0d8a779656782c77bd

          SHA1

          3530b32d1a1a1fad60259ca719b781d3661af9c4

          SHA256

          8db5d4800a661039c337f6b4f3c90b067dc00bc3f5cc5c3377e977e2af3a091a

          SHA512

          4b5fb2b83d8960467d0d8984ab3d20681d2149c47287af2a0cb2e3e9d88d0e03a07d25fc9e0c1067ada1bd324be21096e55948ecd40bb70482285cd43353b6fa

          Download Submit

        • \Users\Admin\AppData\Local\Temp\setup.exe
          Filesize

          1.2MB

          MD5

          d621b8ecbba354bb2b2482f16deed44c

          SHA1

          2e68951701910423be491efe361b72e9b06d8a92

          SHA256

          0cb5b5e2ba40e66f6aff6b6338c26ff6cf27a1be81918abb83cf483433afbdfa

          SHA512

          7e16e7cc42a0ea891e49ec0064328aec3f43b868e01b337dd303d037e7c2e4f04f145c325f06c90a0cf91b5bef42f09651b3bd4b12c8f6c4953ca28f5c32995c

          Download Submit

        • \Users\Admin\AppData\Local\Temp\setup.exe
          Filesize

          1.2MB

          MD5

          d621b8ecbba354bb2b2482f16deed44c

          SHA1

          2e68951701910423be491efe361b72e9b06d8a92

          SHA256

          0cb5b5e2ba40e66f6aff6b6338c26ff6cf27a1be81918abb83cf483433afbdfa

          SHA512

          7e16e7cc42a0ea891e49ec0064328aec3f43b868e01b337dd303d037e7c2e4f04f145c325f06c90a0cf91b5bef42f09651b3bd4b12c8f6c4953ca28f5c32995c

          Download Submit

        • \Users\Admin\AppData\Local\Temp\setup.exe
          Filesize

          1.2MB

          MD5

          d621b8ecbba354bb2b2482f16deed44c

          SHA1

          2e68951701910423be491efe361b72e9b06d8a92

          SHA256

          0cb5b5e2ba40e66f6aff6b6338c26ff6cf27a1be81918abb83cf483433afbdfa

          SHA512

          7e16e7cc42a0ea891e49ec0064328aec3f43b868e01b337dd303d037e7c2e4f04f145c325f06c90a0cf91b5bef42f09651b3bd4b12c8f6c4953ca28f5c32995c

          Download Submit

        • \Users\Admin\AppData\Local\Temp\setup.exe
          Filesize

          1.2MB

          MD5

          d621b8ecbba354bb2b2482f16deed44c

          SHA1

          2e68951701910423be491efe361b72e9b06d8a92

          SHA256

          0cb5b5e2ba40e66f6aff6b6338c26ff6cf27a1be81918abb83cf483433afbdfa

          SHA512

          7e16e7cc42a0ea891e49ec0064328aec3f43b868e01b337dd303d037e7c2e4f04f145c325f06c90a0cf91b5bef42f09651b3bd4b12c8f6c4953ca28f5c32995c

          Download Submit

        • \Users\Admin\AppData\Local\Temp\tlntsvrs.exe
          Filesize

          2.3MB

          MD5

          77ad929b9bcc55a53cdbd11742b011da

          SHA1

          aecf6a064d5925b7712ed914f4a6b1d9d5784ce3

          SHA256

          4856fcdf8ac3ff20fcf1b9007f7485a24c8760bb47de55a4c3d8c6137404602f

          SHA512

          68adc517c6ffabfe1d98fb19a40937c64bbe1e41c8a8c5d12671a47f58879c7347797821e72175ed5bc04714461b6353dfb7f058fdd3dbfc30178779e9677721

          Download Submit

        • \Windows\SysWOW64\f83e0225.dll
          Filesize

          2.7MB

          MD5

          d89021f7b780c263497a11b0006ea052

          SHA1

          a52c7f225eb84d0bee5b668fefb0cf2da5a267a5

          SHA256

          987c1ce53882b0bb778535290930afded0371c3ba83e31bc327265c0fb6b0234

          SHA512

          7b60d3c7c4003e19c31607c2926aa0a7601e58a2731c0047057d5af24bc43ba66f6d2bf6c50b9c73b53905a05ab29ca85b790cfe9ef3cda7324322b8c732c8c4

          Download Submit

        • memory/300-54-0x0000000074DA1000-0x0000000074DA3000-memory.dmp

          Filesize

          8KB

          Download

        • memory/1704-89-0x0000000001EB0000-0x0000000001F81000-memory.dmp

          Filesize

          836KB

          Download

        • memory/1844-71-0x00000000003E0000-0x00000000003FA000-memory.dmp

          Filesize

          104KB

          Download