Overview

overview

8

Static

static

1

URLScan

urlscan

1

http://mediafire.com...

windows10-2004-x64

8

Resubmissions

17-03-2023 14:30

230317-rvffgaaf6w 6

17-03-2023 14:19

230317-rm6mpagf59 8

Analysis

  • max time kernel
    116s
  • max time network
    120s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    17-03-2023 14:19

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    http://mediafire.com/file/bu394h0oi025wpt/ExtremeUpdate.exe/file

Score
8/10
spywarestealer

Malware Config

Signatures

  • Downloads MZ/PE file
  • Drops startup file 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 3 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Enumerates processes with tasklist 1 TTPs 2 IoCs
  • Modifies Internet Explorer Phishing Filter 1 TTPs 2 IoCs
  • Modifies Internet Explorer settings 1 TTPs 57 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 28 IoCs
  • Suspicious use of AdjustPrivilegeToken 7 IoCs
  • Suspicious use of FindShellTrayWindow 48 IoCs
  • Suspicious use of SendNotifyMessage 46 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 13 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence
  • Uses Volume Shadow Copy WMI provider

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" http://mediafire.com/file/bu394h0oi025wpt/ExtremeUpdate.exe/file
    1⤵
    • Modifies Internet Explorer Phishing Filter
    • Modifies Internet Explorer settings
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:396
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:396 CREDAT:17410 /prefetch:2
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      PID:3912
    • C:\Users\Admin\Downloads\ExtremeUpdate.exe
      "C:\Users\Admin\Downloads\ExtremeUpdate.exe"
      2⤵
      • Drops startup file
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:796
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /d /s /c "tasklist"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3136
        • C:\Windows\system32\tasklist.exe
          tasklist
          4⤵
          • Enumerates processes with tasklist
          • Suspicious use of AdjustPrivilegeToken
          PID:4848
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /d /s /c "tasklist"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1652
        • C:\Windows\system32\tasklist.exe
          tasklist
          4⤵
          • Enumerates processes with tasklist
          • Suspicious use of AdjustPrivilegeToken
          PID:4028
  • C:\Windows\system32\taskmgr.exe
    "C:\Windows\system32\taskmgr.exe" /4
    1⤵
    • Checks SCSI registry key(s)
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:2288

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

2
T1112

Credential Access

Credentials in Files

1
T1081

Discovery

Query Registry

2
T1012

Peripheral Device Discovery

1
T1120

System Information Discovery

1
T1082

Process Discovery

1
T1057

Lateral Movement

Collection

Data from Local System

1
T1005

Exfiltration

Command and Control

Web Service

1
T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\DOMStore\EFLF17WS\www.mediafire[1].xml
    Filesize

    246B

    MD5

    dd2d13eec3c8654665eb073ae86d6714

    SHA1

    c7827e1b9f445cc2ab3c089eaf8778e781d048a1

    SHA256

    b3b1bc6df7fdc949163173405c0985001366b06e892f76e783ae91b068b8c146

    SHA512

    994c77615a8dc04f724f0cc42a670d9dc23d84fdae8b4dc24a6f8eb39a1d68e0b27ccc0179a3ec221ed914190ebbe0eabfcd05b163654427eee0d2dc1f344404

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\pkg-E65qVO\4cd6abf3919c6dd5430a2b0625446c8272df45e65651b9971ed4fc96b6996c5b
    Filesize

    140KB

    MD5

    de39b8c26c7799c4ad7b8268497095a2

    SHA1

    ce119ea75a986bcaf498ac3e3cde11ff2e986dd4

    SHA256

    b887c3ab5c38b7fc096cce3d0d6dfbf4904058e9b6b6ec03853682850901ee26

    SHA512

    6be50bbb6c38c2421956733134280cde08244deb33776fa58309f1efdaa74896847cec0aabb46247a9e6bda4e618b72e36e39d3e4dad29e3c711eeaf03aaf586

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\pkg-E65qVO\a622186e38b66d18219aaffbb459e08a7cfe8ec80cbbbbbc491f0a24c295562c
    Filesize

    3KB

    MD5

    b7b06e9aa9ac48b7eb372c66ac2d5237

    SHA1

    315d85bbfdc6817b8d9ee379e6ed8b35734fb2b8

    SHA256

    a622186e38b66d18219aaffbb459e08a7cfe8ec80cbbbbbc491f0a24c295562c

    SHA512

    4d3a00c40cff4fe9ccc2823e653767ce50155997274110d8acc79c639631954ca3f7bd02a443fab515686dc356c6b2b246182c6f57faf1a22de651e1071c37d8

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\pkg-E65qVO\a8cef9400cc297218307c008d8aaa152edf41557a3e4a59916d22a8d22fd70a0
    Filesize

    1.5MB

    MD5

    202e29d19fa31324f12660c254edec28

    SHA1

    19788f750907bc57aea7d9b5d6348bb12220831d

    SHA256

    7984956807220d7b77abb773762539ce0e682514fdb6c7ca220bee203705df32

    SHA512

    f0eeca2a33dc72410e2654d0549b7c619984cf180e158013a899b8174f4340ab62bd6fef6e2369ef7ddc2e2e0295af22b9301bc5911ec95b27f66e5f0e37c771

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\pkg-E65qVO\fd004b2b5fff29c554abb67c518c396c0763607ad5379f5b0b8278939042d711
    Filesize

    95KB

    MD5

    72f66f67bfce747c49efc4f462bd4e38

    SHA1

    7813d18735199b372d26d87964cb814ddcb49061

    SHA256

    b037a28fb72365d66595cc0f9c8df2f3f39099e25ad2519e26b6c6d47bb651a9

    SHA512

    28f8c2bd7a24188218573569eda6756a999c4980e5567cae018b536913c82eb78c9ba661da50d38d8ad2e5d974ef83869561c438686ddf8cbfe0ff0f9eed5623

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\pkg\7984956807220d7b77abb773762539ce0e682514fdb6c7ca220bee203705df32\better-sqlite3\build\Release\better_sqlite3.node
    Filesize

    1.5MB

    MD5

    202e29d19fa31324f12660c254edec28

    SHA1

    19788f750907bc57aea7d9b5d6348bb12220831d

    SHA256

    7984956807220d7b77abb773762539ce0e682514fdb6c7ca220bee203705df32

    SHA512

    f0eeca2a33dc72410e2654d0549b7c619984cf180e158013a899b8174f4340ab62bd6fef6e2369ef7ddc2e2e0295af22b9301bc5911ec95b27f66e5f0e37c771

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\pkg\b037a28fb72365d66595cc0f9c8df2f3f39099e25ad2519e26b6c6d47bb651a9\node-hide-console-window\build\Release\node-hide-console-window.node
    Filesize

    95KB

    MD5

    72f66f67bfce747c49efc4f462bd4e38

    SHA1

    7813d18735199b372d26d87964cb814ddcb49061

    SHA256

    b037a28fb72365d66595cc0f9c8df2f3f39099e25ad2519e26b6c6d47bb651a9

    SHA512

    28f8c2bd7a24188218573569eda6756a999c4980e5567cae018b536913c82eb78c9ba661da50d38d8ad2e5d974ef83869561c438686ddf8cbfe0ff0f9eed5623

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\pkg\b887c3ab5c38b7fc096cce3d0d6dfbf4904058e9b6b6ec03853682850901ee26\win-dpapi\build\Release\node-dpapi.node
    Filesize

    140KB

    MD5

    de39b8c26c7799c4ad7b8268497095a2

    SHA1

    ce119ea75a986bcaf498ac3e3cde11ff2e986dd4

    SHA256

    b887c3ab5c38b7fc096cce3d0d6dfbf4904058e9b6b6ec03853682850901ee26

    SHA512

    6be50bbb6c38c2421956733134280cde08244deb33776fa58309f1efdaa74896847cec0aabb46247a9e6bda4e618b72e36e39d3e4dad29e3c711eeaf03aaf586

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\~DF51091160A171B9F8.TMP
    Filesize

    16KB

    MD5

    b660051fdaa63721cb2e0a718755bc34

    SHA1

    4f7e8e9cd1a0dd0ece0c2495c2ff45518f061032

    SHA256

    ce138786b6d99e819716d80980061587deedee7a2f5259ff70d71ed1a1a55657

    SHA512

    f1108e47f498723d4ef354a43567e7f87d10448ca4f9507bc35289c6287cb59965abcc8cc118593f63fd0a41e2aac7d33946c0ecde19bf6ca3a2ce8ba2a268a7

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Updater.exe
    Filesize

    44.2MB

    MD5

    6bbbedc66db9019315097eb284651253

    SHA1

    f5baff877a2f37a74fd2aadd6987595d3cb40418

    SHA256

    f7c069884567b57b0242833824223d3a6575d97e66a1c85f62d665b710e8b0c3

    SHA512

    ca0b201651213d6667aa199b15815113cda6055d4b0bd4b322356ad6ed0a12093f075a848a292a1c763fadced7b8b86a2964a8b47d400c5a2fbf721389556a49

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Updater.exe
    Filesize

    44.2MB

    MD5

    6bbbedc66db9019315097eb284651253

    SHA1

    f5baff877a2f37a74fd2aadd6987595d3cb40418

    SHA256

    f7c069884567b57b0242833824223d3a6575d97e66a1c85f62d665b710e8b0c3

    SHA512

    ca0b201651213d6667aa199b15815113cda6055d4b0bd4b322356ad6ed0a12093f075a848a292a1c763fadced7b8b86a2964a8b47d400c5a2fbf721389556a49

    Download Submit
  • C:\Users\Admin\Downloads\ExtremeUpdate.exe
    Filesize

    44.2MB

    MD5

    6bbbedc66db9019315097eb284651253

    SHA1

    f5baff877a2f37a74fd2aadd6987595d3cb40418

    SHA256

    f7c069884567b57b0242833824223d3a6575d97e66a1c85f62d665b710e8b0c3

    SHA512

    ca0b201651213d6667aa199b15815113cda6055d4b0bd4b322356ad6ed0a12093f075a848a292a1c763fadced7b8b86a2964a8b47d400c5a2fbf721389556a49

    Download Submit
  • C:\Users\Admin\Downloads\ExtremeUpdate.exe.fwtj8xi.partial
    Filesize

    44.2MB

    MD5

    6bbbedc66db9019315097eb284651253

    SHA1

    f5baff877a2f37a74fd2aadd6987595d3cb40418

    SHA256

    f7c069884567b57b0242833824223d3a6575d97e66a1c85f62d665b710e8b0c3

    SHA512

    ca0b201651213d6667aa199b15815113cda6055d4b0bd4b322356ad6ed0a12093f075a848a292a1c763fadced7b8b86a2964a8b47d400c5a2fbf721389556a49

    Download Submit
  • memory/2288-570-0x000001D0600C0000-0x000001D0600C1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2288-565-0x000001D0600C0000-0x000001D0600C1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2288-564-0x000001D0600C0000-0x000001D0600C1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2288-571-0x000001D0600C0000-0x000001D0600C1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2288-569-0x000001D0600C0000-0x000001D0600C1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2288-573-0x000001D0600C0000-0x000001D0600C1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2288-572-0x000001D0600C0000-0x000001D0600C1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2288-574-0x000001D0600C0000-0x000001D0600C1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2288-575-0x000001D0600C0000-0x000001D0600C1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2288-563-0x000001D0600C0000-0x000001D0600C1000-memory.dmp
    Filesize

    4KB

    Download