Analysis

  • max time kernel
    246s
  • max time network
    249s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    14-06-2023 18:16

General

  • Target

    https://hex-rays.com/products/ida/support/freefiles/stealth.zip

Score
7/10

Malware Config

Signatures

  • ASPack v2.12-2.42 (1 IoC)

    Detects executables packed with ASPack v2.12-2.42.

  • Modifies Internet Explorer Phishing Filter (1 TTP, 2 IoCs)
  • Modifies Internet Explorer settings (1 TTP, 50 IoCs)
  • Modifies registry class (14 IoCs)
  • Suspicious use of FindShellTrayWindow (9 IoCs)
  • Suspicious use of SetWindowsHookEx (34 IoCs)
  • Suspicious use of WriteProcessMemory (18 IoCs)
  • Uses Task Scheduler COM API (1 TTP)

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times; a task that survives reboot is a common persistence mechanism (ATT&CK T1053).

  • Uses Volume Shadow Copy WMI provider

    The Volume Shadow Copy service is used to manage backups/snapshots.

  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots. The same interfaces are used to enumerate or delete shadow copies, so it matters which process called them.

    Note that the ASPack, Task Scheduler and Volume Shadow Copy signatures are not attributed to any process in the tree below; the per-process tags there are all Internet Explorer, registry and window-hook behaviours.
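As an added example (not code from the sandbox report, and not the detector logic behind the ASPack signature above, which the page does not show), a name-based triage check for ASPack packing: it reads only the DOS header, COFF header and section table of a PE file and flags the `.aspack` / `.adata` section names ASPack adds. Section names are trivially renamed, so a miss is inconclusive and a hit should be confirmed by unpacking; `build_pe_header` builds a constructed, header-only PE buffer so the check runs offline.

```python
"""Name-based triage check for ASPack-packed PE files.

Added example; not code from the sandbox report or from the signature's
author. ASPack appends sections named ".aspack" and ".adata" to the binary it
packs, so their presence in the section table is a cheap first-pass indicator.
Only the DOS header, COFF header and section table are read, so the check also
works on a truncated download as long as the headers survived.
"""
import struct

ASPACK_SECTION_NAMES = {b".aspack", b".adata"}


def pe_section_names(data: bytes) -> list[bytes]:
    """Return the section names from a PE image's section table.

    Raises ValueError if the buffer is not a well-formed PE header.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    # e_lfanew (offset 0x3C) points at the "PE\0\0" signature.
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # COFF file header: NumberOfSections at +6, SizeOfOptionalHeader at +20.
    num_sections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    size_opt = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    # Section table follows the optional header: 40-byte entries, 8-byte name.
    table = e_lfanew + 24 + size_opt
    names = []
    for i in range(num_sections):
        off = table + 40 * i
        if off + 40 > len(data):
            raise ValueError("section table truncated")
        names.append(data[off:off + 8].rstrip(b"\0"))
    return names


def looks_aspack_packed(data: bytes) -> bool:
    """True if any section carries one of ASPack's default section names."""
    try:
        names = pe_section_names(data)
    except ValueError:
        return False
    return bool(ASPACK_SECTION_NAMES & set(names))


def build_pe_header(section_names: list[bytes]) -> bytes:
    """Constructed header-only PE buffer (no optional header, no section data)
    used to exercise the parser offline. Not a sample from the report."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    # Machine=i386, NumberOfSections, 3 zeroed dwords, SizeOfOptionalHeader=0, Characteristics
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, 0, 0x0102)
    table = b"".join(n.ljust(8, b"\0") + b"\0" * 32 for n in section_names)
    return dos + b"PE\0\0" + coff + table


if __name__ == "__main__":
    packed = build_pe_header([b".text", b".data", b".aspack", b".adata"])
    clean = build_pe_header([b".text", b".rdata", b".data"])
    print("packed:", looks_aspack_packed(packed))  # True
    print("clean: ", looks_aspack_packed(clean))   # False
```

Run it against a real file with `looks_aspack_packed(open(path, "rb").read())`; a ZIP or a non-PE buffer returns False rather than raising, so it can be applied blindly to a directory of downloads.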

Processes

  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" https://hex-rays.com/products/ida/support/freefiles/stealth.zip
    1⤵
    • Modifies Internet Explorer Phishing Filter
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3144
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3144 CREDAT:17410 /prefetch:2
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      PID:2344
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
      PID:1512
    • C:\Windows\system32\OpenWith.exe
      C:\Windows\system32\OpenWith.exe -Embedding
      1⤵
      • Modifies registry class
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2512
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\Temp1_stealth.zip\plugins\stealth.plw
        2⤵
        • Modifies Internet Explorer settings
        • Modifies registry class
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:264
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:264 CREDAT:17410 /prefetch:2
          3⤵
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:4220
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:264 CREDAT:82948 /prefetch:2
          3⤵
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:4568
        • C:\Program Files\Internet Explorer\iexplore.exe
          "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\Temp1_stealth.zip\plugins\stealth.plw
          3⤵
          • Modifies Internet Explorer settings
          PID:4664
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:264 CREDAT:82952 /prefetch:2
          3⤵
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:4152
    • C:\Windows\system32\OpenWith.exe
      C:\Windows\system32\OpenWith.exe -Embedding
      1⤵
      • Modifies registry class
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:3772
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\Temp1_stealth.zip\plugins\stealth.plw
        2⤵
        • Modifies Internet Explorer settings
        PID:2808
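The Task Scheduler COM API signature above is not tied to any process in this tree, so the practical follow-up on a host that produced it is to enumerate what is actually registered. As an added example (not part of the sandbox report), the following parses the CSV from `schtasks /query /v /fo CSV` and flags tasks that run from user-writable locations, or that use a script host to load content from one. It assumes the English-locale column names schtasks emits (HostName, TaskName, Author, Task To Run, Run As User); the rows in `SAMPLE_CSV` are constructed for the example and are not output from this analysis.

```python
"""Hunt for scheduled-task persistence in `schtasks /query /v /fo CSV` output.

Added example; not part of the sandbox report. Assumes the English-locale
column names schtasks emits (HostName, TaskName, Author, Task To Run,
Run As User); the rows in SAMPLE_CSV are constructed for this example.
"""
import csv
import io
import re

# Roots a legitimately installed task is expected to run from (lower-case).
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
# Hosts that execute whatever they are pointed at; suspicious when pointed at user paths.
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "rundll32.exe", "regsvr32.exe"}
USER_PATH = re.compile(r"\\(users|appdata|temp|programdata)\\", re.IGNORECASE)
ENV = {"%windir%": "C:\\Windows", "%systemroot%": "C:\\Windows",
       "%programfiles%": "C:\\Program Files",
       "%programfiles(x86)%": "C:\\Program Files (x86)"}

# Constructed sample with a trimmed column set; real /v output has many more columns.
SAMPLE_CSV = r'''"HostName","TaskName","Author","Task To Run","Run As User"
"WIN10-SBX","\Microsoft\Windows\Defrag\ScheduledDefrag","Microsoft Corporation","%windir%\system32\defrag.exe -c -h -o -$","SYSTEM"
"WIN10-SBX","\OneDrive Standalone Update Task","Microsoft Corporation","C:\Program Files\Microsoft OneDrive\OneDriveStandaloneUpdater.exe","Admin"
"WIN10-SBX","\Updater","WIN10-SBX\Admin","C:\Users\Admin\AppData\Roaming\svc\update.exe /quiet","Admin"
"WIN10-SBX","\HealthCheck","WIN10-SBX\Admin","rundll32.exe C:\Users\Admin\AppData\Local\Temp\h.dll,Start","SYSTEM"
'''


def expand_env(cmd: str) -> str:
    """Expand the handful of variables schtasks commonly leaves unexpanded."""
    for var, value in ENV.items():
        cmd = re.sub(re.escape(var), lambda _m, v=value: v, cmd, flags=re.IGNORECASE)
    return cmd


def split_command(task_to_run: str) -> tuple[str, str]:
    """Split 'Task To Run' into (executable, arguments); heuristic for unquoted paths."""
    cmd = expand_env(task_to_run.strip())
    if not cmd:
        return "", ""
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        if end > 0:
            return cmd[1:end], cmd[end + 1:].strip()
    m = re.match(r"(.*?\.exe)\b(.*)", cmd, flags=re.IGNORECASE)
    if m:
        return m.group(1), m.group(2).strip()
    parts = cmd.split(None, 1)
    return parts[0], (parts[1] if len(parts) > 1 else "")


def is_trusted_path(exe: str) -> bool:
    p = exe.lower()
    if "\\" not in p:
        return True  # bare name resolved via PATH; covered by the script-host rule
    return p.startswith(TRUSTED_ROOTS)


def triage_task(row: dict) -> list[str]:
    exe, args = split_command(row["Task To Run"])
    reasons = []
    if not is_trusted_path(exe):
        reasons.append(f"runs from untrusted path: {exe}")
    base = exe.rsplit("\\", 1)[-1].lower()
    if base in SCRIPT_HOSTS and USER_PATH.search(args):
        reasons.append(f"{base} loads content from a user-writable path")
    if reasons and row.get("Run As User", "").upper() == "SYSTEM":
        reasons.append("runs as SYSTEM")
    return reasons


def triage_csv(text: str) -> dict[str, list[str]]:
    """Map task name -> reasons for every task worth a second look."""
    findings = {}
    for row in csv.DictReader(io.StringIO(text.strip())):
        if row.get("TaskName") in (None, "TaskName"):
            continue  # schtasks repeats the header line per task folder
        reasons = triage_task(row)
        if reasons:
            findings[row["TaskName"]] = reasons
    return findings


if __name__ == "__main__":
    for name, reasons in triage_csv(SAMPLE_CSV).items():
        print(name, "->", "; ".join(reasons))
```

On a live host, feed it `subprocess.run(["schtasks", "/query", "/v", "/fo", "CSV"], capture_output=True, text=True).stdout` in place of `SAMPLE_CSV`. The path rule is deliberately coarse: a task under Program Files can still be malicious, and vendor tasks in ProgramData will show up as noise, so read the flagged list rather than alerting on it directly.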

Network

MITRE ATT&CK Matrix (ATT&CK v6)

  • Defense Evasion: Modify Registry, T1112 (2)
  • Discovery: Query Registry, T1012 (1)

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
    Filesize 471B
    MD5 6ed1b9e0ada67cd4e13ffe2ebff3202d
    SHA1 26e57e0292d9b0fdf705748d723c197e50225bb5
    SHA256 e4256833d3e11cd58e3725ea44482597742a652041a44b3339d371739a6e5735
    SHA512 749783679cbd1f6f06ea031c22cc262152d57da36acf3778ac54717f5d9400aa0ad388b9898f5b0ff9bdf666f7f4c4ec590f770d48d1bf4301d05ad944746a33

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
    Filesize 404B
    MD5 d127bec7dde664f8cae8e1ba40baf317
    SHA1 b141892df0245a8e9a56863222d84ec6458e9dce
    SHA256 f4176027989b5889a5c99479e4d2a5373f2c07a9d4d7e0c3213d01de666bf673
    SHA512 ee03f27168c6a5019f43e5cd36086ddce9d9e74543a063e9d8ca22e81553fa7a576ce93f4184aaccba8e9d82d2662099e474675e44249a2161ddb917b3f8c289

  • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\VersionManager\versionlist.xml
    Filesize 15KB
    MD5 1a545d0052b581fbb2ab4c52133846bc
    SHA1 62f3266a9b9925cd6d98658b92adec673cbe3dd3
    SHA256 557472aeaebf4c1c800b9df14c190f66d62cbabb011300dbedde2dcddd27a6c1
    SHA512 bd326d111589d87cd6d019378ec725ac9ac7ad4c36f22453941f7d52f90b747ede4783a83dfff6cae1b3bb46690ad49cffa77f2afda019b22863ac485b406e8d

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\1B83N948\stealth.zip.n8mu01k.partial
    Filesize 33KB
    MD5 61e81dc742a4e554e049bd773bfabdce
    SHA1 59adb74c7be807cfee422215188d609ffc980a92
    SHA256 4d5176d1854b96b6f6fcaeb04a2bfee8881db88f67638c58b5473011d357fe41
    SHA512 dddbe6f17a9de80da4241321337272cb733339c1d53389132e99bc67c4f5e716b3e24dadbd3e4cebbef416431cf229680abfeeb47e5dd2c419e7c77e0133ee47

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\P8NMKCW2\stealth[1].zip
    Filesize 33KB
    MD5 61e81dc742a4e554e049bd773bfabdce
    SHA1 59adb74c7be807cfee422215188d609ffc980a92
    SHA256 4d5176d1854b96b6f6fcaeb04a2bfee8881db88f67638c58b5473011d357fe41
    SHA512 dddbe6f17a9de80da4241321337272cb733339c1d53389132e99bc67c4f5e716b3e24dadbd3e4cebbef416431cf229680abfeeb47e5dd2c419e7c77e0133ee47

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\P8NMKCW2\suggestions[1].en-US
    Filesize 17KB
    MD5 5a34cb996293fde2cb7a4ac89587393a
    SHA1 3c96c993500690d1a77873cd62bc639b3a10653f
    SHA256 c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad
    SHA512 e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

  • C:\Users\Admin\AppData\Local\Temp\~DFF602A0A96FAF5D63.TMP
    Filesize 16KB
    MD5 1c52858a49eecbbc3e61dcdea802f97f
    SHA1 b43bf27a001fe2ac0cceb1291778b6beb5a75302
    SHA256 923db19b537436f452bc28bb86291fe58290d8873663a4dfb8fccbc1a44a394a
    SHA512 64aff4a7709f52dd41bce2a61a346c2455d786aa5122e1f857bb5199ef0bc00f303b0db6a6cf290eaa9d92730e91dc00105b3b29b6ba03ffc144b96c51bc41b1

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\28c8b86deab549a1.customDestinations-ms
    Filesize 3KB
    MD5 70afe971ddb2c6a34fde172301240d73
    SHA1 892f033de00a1d0152401786a08a166ab7cf89a3
    SHA256 d42f247a1eeedc39e84021122166f4defe82c11c6dc34126e9cf89ee3da07faf
    SHA512 3052c8a2a1dfe7c7d63ac9b834c645c3d12a68b05a9fa318a92ea5b5e38596c5dbfc621cf40c5af10d378913342d2bcb7f77f659002d47940bb88d7bda2743f3

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\28c8b86deab549a1.customDestinations-ms (same path, later contents)
    Filesize 3KB
    MD5 6e04fbf7dbce76e98cf3f45cf2887218
    SHA1 85f91de2b0877b56e27bfec4a52bfc93d3c3f157
    SHA256 91b3cf633e758584845f61e0e5e2383c7a853655ade73caf5dddefe0515b8ee5
    SHA512 732e5a3142a6aa2e098eb3c416cd4edf2100648fb5f76937ccea1ea79ccb8aad96011cc360eb37e69b09d79bb5d683b4ebaef4820f3998488d701a3a5a416699

  • C:\Users\Admin\Downloads\stealth.plw
    Filesize 33KB
    MD5 1e8148c0ed59d81879b067d580980f61
    SHA1 281b6e0bf1e794323410178d7a0f8f48c2c44059
    SHA256 242d4a0ca869a650a41bf4be0e7a84001ccd3f85a5ac35c8445ae9d45754f845
    SHA512 c38dccdbf4d183278d607ff703dab6ddd46cff3520947a682df309db3afe5fe6afceaca904faa0a70173667f6408c521fa90f84828fd463846a53608313ac57f