Overview

overview

8

Static

static

1

Staveres.exe

windows7-x64

8

Staveres.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    147s
  • max time network
    149s
  • platform
    windows7_x64
  • resource
    win7-20231020-en
  • resource tags

    arch:x64arch:x86image:win7-20231020-enlocale:en-usos:windows7-x64system
  • submitted
    20-11-2023 15:35

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Staveres.exe

  • Size

    459KB

  • MD5

    1d817513c51104071b5c310203a90139

  • SHA1

    e6e1a674ff10efa42cfa4db53e10fbe7884f7260

  • SHA256

    6fb3981c8ede1c32d2ad2d36ef5c2cd825fd7b6c99accce7475af9037e396230

  • SHA512

    ff82c028b3baa2fa35b1d9cca90389face064b17614f699d529349ca670b57b453521afb62676fde653fec074d7f338af5b27c0303abf06ffcb7bdb9e2db22ef

  • SSDEEP

    6144:pR+xXfJp6qOC0IdGFsnNmFXBf/NdU9ETyApuPzLwv2uvGfBbazwJoek5TkRvODXT:HqjLPd38RfvU9ETye862LbteV0v4Zl

Score
8/10
persistence

Malware Config

Signatures

  • Adds policy Run key to start application 2 TTPs 1 IoCs
    persistence
  • Loads dropped DLL 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Drops file in System32 directory 2 IoCs
  • Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Suspicious use of SetThreadContext 4 IoCs
  • Drops file in Program Files directory 1 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 24 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 10 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 27 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of WriteProcessMemory
    PID:1232
    • C:\Users\Admin\AppData\Local\Temp\Staveres.exe
      "C:\Users\Admin\AppData\Local\Temp\Staveres.exe"
      2⤵
      • Drops file in System32 directory
      • Drops file in Program Files directory
      • Drops file in Windows directory
      • Suspicious use of WriteProcessMemory
      PID:2080
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Altsaxofonisters=Get-Content 'C:\Users\Admin\AppData\Local\Temp\picote\terperierne\Dhanush.Bor';$Ferieliste=$Altsaxofonisters.SubString(51473,3);.$Ferieliste($Altsaxofonisters)"
        3⤵
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2960
        • C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe
          "C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe"
          4⤵
            PID:324
          • C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe
            "C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe"
            4⤵
              PID:1760
            • C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe
              "C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe"
              4⤵
              • Suspicious use of NtCreateThreadExHideFromDebugger
              • Suspicious use of NtSetInformationThreadHideFromDebugger
              • Suspicious use of SetThreadContext
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious behavior: MapViewOfSection
              PID:600
        • C:\Windows\SysWOW64\cmmon32.exe
          "C:\Windows\SysWOW64\cmmon32.exe"
          2⤵
          • Adds policy Run key to start application
          • Loads dropped DLL
          • Adds Run key to start application
          • Suspicious use of SetThreadContext
          • Modifies Internet Explorer settings
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of WriteProcessMemory
          PID:2876
          • C:\Program Files\Mozilla Firefox\Firefox.exe
            "C:\Program Files\Mozilla Firefox\Firefox.exe"
            3⤵
              PID:2344

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\picote\terperierne\Dhanush.Bor
          Filesize

          50KB

          MD5

          690f63529970d4e1b9ef1573978e94ca

          SHA1

          4fef7a7ab2abe8eac100489aaca449cf09b699e7

          SHA256

          55c0f22c9cf163b3a946425b7c37d79a808867f77a989dcbaffb8289c42a646f

          SHA512

          d6045a6c45251607448af1375ff2fe654cfc399648e0e5cad8004b58a20164e63535559e8ea4db202b41ce4167f6172ac9d86ea353ae47268da339564fd7afe8

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\picote\terperierne\Gangtj.Com
          Filesize

          264KB

          MD5

          2a527a44a9bf0d0f8821242c8598c8a3

          SHA1

          50bef44b72f19cf66579cf1bd3a701a7e37df94a

          SHA256

          d44af2fd65ecfe3ae5928f0ffed1e9deacaabf58d0cae796d313b6feaf0f7a1e

          SHA512

          49392af32f98e0118182037fefd3e600b92356b6d617bb70b30aee1813f0180a80fefd2f57622af5d4329e5393588df0b81296699996b52849821b2c614d843e

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\qpttihc.zip
          Filesize

          434KB

          MD5

          6366b1751087ba991f1b4188a3f38486

          SHA1

          449fab91dcd435e62a96dc4b400671ba0460a84a

          SHA256

          3102600d3ad67b0e3f132bc0f8e0e66d976ba3700c3cc96459b65a87fa57c373

          SHA512

          e1a8eb6dcfe0732299ccf74a0e61acbd132da4abac8aad996c2ba481328c0671530a55347f694f23a01a40e2343976196fc09fdd4573ab996a8a88d8e7693b90

          Download Submit

        • C:\Windows\SysWOW64\irreluctant.lnk
          Filesize

          1KB

          MD5

          a24d9313fea264558c74e126568db925

          SHA1

          94d2e15ff52db00fc8d9f0908ced3fd109414e60

          SHA256

          0428265de244a4f15140ecbdc3e22590635458ecc5a4172550dfc9d14cf011a2

          SHA512

          425c2801c132a85e0f46ba65afc277b7dcb8ef276372809356de3882126a8cac60f1c9a6f40c28fc402e5b4430a31947c55c81332927ba700e5e579bae28a157

          Download Submit

        • \Users\Admin\AppData\Local\Temp\sqlite3.dll
          Filesize

          831KB

          MD5

          f4d8be409d1bd016a7b3b2580a2b90fb

          SHA1

          a68e1f6a9b2234f2269d9cf1fbda94124c428dbe

          SHA256

          d70b27121bb33012560b14a7bd597666d76193d7dc5f89e2ac5e7507240bf708

          SHA512

          9892cd38d77898fe7916a8810c82a377bbcb4f0c3f75a8295943fa29a5cb4daec95a1600a74614f31ec723967fd95721174042f2e54b12e52fe85202cdf052df

          Download Submit

        • memory/600-182-0x0000000000400000-0x0000000001462000-memory.dmp

          Filesize

          16.4MB

          Download

        • memory/600-191-0x0000000005530000-0x0000000005552000-memory.dmp

          Filesize

          136KB

          Download

        • memory/600-190-0x0000000000400000-0x0000000001462000-memory.dmp

          Filesize

          16.4MB

          Download

        • memory/600-187-0x0000000000400000-0x0000000001462000-memory.dmp

          Filesize

          16.4MB

          Download

        • memory/600-195-0x0000000001470000-0x000000000527F000-memory.dmp

          Filesize

          62.1MB

          Download

        • memory/600-186-0x0000000021410000-0x0000000021713000-memory.dmp

          Filesize

          3.0MB

          Download

        • memory/600-196-0x0000000000400000-0x0000000001462000-memory.dmp

          Filesize

          16.4MB

          Download

        • memory/600-185-0x0000000076F50000-0x00000000770F9000-memory.dmp

          Filesize

          1.7MB

          Download

        • memory/600-156-0x0000000000400000-0x0000000001462000-memory.dmp

          Filesize

          16.4MB

          Download

        • memory/600-157-0x0000000076F50000-0x00000000770F9000-memory.dmp

          Filesize

          1.7MB

          Download

        • memory/600-176-0x0000000000400000-0x0000000001462000-memory.dmp

          Filesize

          16.4MB

          Download

        • memory/600-180-0x0000000000400000-0x0000000001462000-memory.dmp

          Filesize

          16.4MB

          Download

        • memory/600-181-0x0000000001470000-0x000000000527F000-memory.dmp

          Filesize

          62.1MB

          Download

        • memory/600-184-0x0000000000400000-0x0000000001462000-memory.dmp

          Filesize

          16.4MB

          Download

        • memory/600-183-0x0000000000400000-0x0000000001462000-memory.dmp

          Filesize

          16.4MB

          Download

        • memory/1232-203-0x0000000008BB0000-0x000000000946C000-memory.dmp

          Filesize

          8.7MB

          Download

        • memory/1232-192-0x0000000008BB0000-0x000000000946C000-memory.dmp

          Filesize

          8.7MB

          Download

        • memory/1232-247-0x0000000006D30000-0x0000000006E02000-memory.dmp

          Filesize

          840KB

          Download

        • memory/1232-201-0x0000000006D30000-0x0000000006E02000-memory.dmp

          Filesize

          840KB

          Download

        • memory/1232-202-0x0000000006D30000-0x0000000006E02000-memory.dmp

          Filesize

          840KB

          Download

        • memory/2876-197-0x0000000000080000-0x00000000000BA000-memory.dmp

          Filesize

          232KB

          Download

        • memory/2876-200-0x0000000001C90000-0x0000000001D31000-memory.dmp

          Filesize

          644KB

          Download

        • memory/2876-193-0x0000000000080000-0x00000000000BA000-memory.dmp

          Filesize

          232KB

          Download

        • memory/2876-194-0x0000000000080000-0x00000000000BA000-memory.dmp

          Filesize

          232KB

          Download

        • memory/2876-246-0x0000000001C90000-0x0000000001D31000-memory.dmp

          Filesize

          644KB

          Download

        • memory/2876-245-0x0000000061E00000-0x0000000061EBD000-memory.dmp

          Filesize

          756KB

          Download

        • memory/2876-198-0x0000000001EB0000-0x00000000021B3000-memory.dmp

          Filesize

          3.0MB

          Download

        • memory/2876-244-0x0000000000080000-0x00000000000BA000-memory.dmp

          Filesize

          232KB

          Download

        • memory/2960-150-0x00000000739A0000-0x0000000073F4B000-memory.dmp

          Filesize

          5.7MB

          Download

        • memory/2960-155-0x0000000077140000-0x0000000077216000-memory.dmp

          Filesize

          856KB

          Download

        • memory/2960-149-0x00000000047E0000-0x00000000047E4000-memory.dmp

          Filesize

          16KB

          Download

        • memory/2960-146-0x0000000000400000-0x0000000000440000-memory.dmp

          Filesize

          256KB

          Download

        • memory/2960-145-0x0000000000400000-0x0000000000440000-memory.dmp

          Filesize

          256KB

          Download

        • memory/2960-144-0x00000000739A0000-0x0000000073F4B000-memory.dmp

          Filesize

          5.7MB

          Download

        • memory/2960-151-0x0000000000400000-0x0000000000440000-memory.dmp

          Filesize

          256KB

          Download

        • memory/2960-152-0x0000000006480000-0x000000000A28F000-memory.dmp

          Filesize

          62.1MB

          Download

        • memory/2960-154-0x0000000076F50000-0x00000000770F9000-memory.dmp

          Filesize

          1.7MB

          Download

        • memory/2960-143-0x00000000739A0000-0x0000000073F4B000-memory.dmp

          Filesize

          5.7MB

          Download