Analysis

  • max time kernel
    144s
  • max time network
    132s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231222-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20231222-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    26/12/2023, 00:06

General

  • Target

    4522d9fd935a0d761ec008b33eb734ea.exe

  • Size

    471KB

  • MD5

    4522d9fd935a0d761ec008b33eb734ea

  • SHA1

    55c028531e48f1fd9de7c41c9dbfd50eeec27007

  • SHA256

    cfe1f58f8f8ec9bebb9ae59206340e6cb0b134a33dc8799a726186b0812eef40

  • SHA512

    75b4f0bb2664f3f413aacf9072531367a021f29bb8562dce250830dfbf285fb4d5d801c027b7d557bb6dacc84ca69e20035141e4f90533315541cc7a51250faa

  • SSDEEP

    12288:yQ2FiaReVSB5h20NmGA8/E9VYLNiPuV/m:yQ2Fia6yjN1VYVYLgP

Malware Config

Signatures

  • UAC bypass (3 TTPs, 2 IoCs)
  • Checks computer location settings (2 TTPs, 1 IoC)
    Looks up country code configured in the registry, likely geofence.
  • Executes dropped EXE (3 IoCs)
  • Loads dropped DLL (1 IoC)
  • UPX packed file (4 IoCs)
    Detects executables packed with UPX/modified UPX open source packer.
  • Installs/modifies Browser Helper Object (2 TTPs, 1 IoC)
    BHOs are DLL modules which act as plugins for Internet Explorer.
  • An obfuscated cmd.exe command-line is typically used to evade detection. (4 IoCs)
  • Drops file in System32 directory (2 IoCs)
  • Enumerates physical storage devices (1 TTP)
    Attempts to interact with connected storage/optical drive(s).
  • Modifies Internet Explorer settings (1 TTP, 1 IoC)
  • Modifies registry class (12 IoCs)
  • Suspicious behavior: EnumeratesProcesses (64 IoCs)
  • Suspicious use of FindShellTrayWindow (1 IoC)
  • Suspicious use of SendNotifyMessage (1 IoC)
  • Suspicious use of WriteProcessMemory (39 IoCs)
  • System policy modification (1 TTP, 3 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\4522d9fd935a0d761ec008b33eb734ea.exe
    "C:\Users\Admin\AppData\Local\Temp\4522d9fd935a0d761ec008b33eb734ea.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:2096
    • C:\Users\Admin\AppData\Local\Temp\4522d9fd935a0d761ec008b33eb734ea.exe
      "C:\Users\Admin\AppData\Local\Temp\4522d9fd935a0d761ec008b33eb734ea.exe" "runas"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3720
      • C:\Users\Admin\AppData\Local\Temp\129528315.exe
        "C:\Users\Admin\AppData\Local\Temp\129528315.exe" "C:\Users\Admin\AppData\Local\Temp\1555024821.bin"
        3⤵
        • UAC bypass
        • Executes dropped EXE
        • Drops file in System32 directory
        • Suspicious use of WriteProcessMemory
        • System policy modification
        PID:4268
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\system32\cmd.exe" /c at 17:21 /every:1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31 "C:\Windows\system32\clipp.exe"
          4⤵
          • An obfuscated cmd.exe command-line is typically used to evade detection.
          • Suspicious use of WriteProcessMemory
          PID:3940
          • C:\Windows\SysWOW64\at.exe
            at 17:21 /every:1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31 "C:\Windows\system32\clipp.exe"
            5⤵
            PID:1056
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\system32\cmd.exe" /c at 23:52 /every:1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31 "C:\Windows\system32\clipp.exe"
          4⤵
          • An obfuscated cmd.exe command-line is typically used to evade detection.
          • Suspicious use of WriteProcessMemory
          PID:4684
          • C:\Windows\SysWOW64\at.exe
            at 23:52 /every:1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31 "C:\Windows\system32\clipp.exe"
            5⤵
            PID:4912
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\system32\cmd.exe" /c at 11:02 /every:1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31 "C:\Windows\system32\clipp.exe"
          4⤵
          • An obfuscated cmd.exe command-line is typically used to evade detection.
          • Suspicious use of WriteProcessMemory
          PID:2964
          • C:\Windows\SysWOW64\at.exe
            at 11:02 /every:1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31 "C:\Windows\system32\clipp.exe"
            5⤵
            PID:3428
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\system32\cmd.exe" /c at 05:21 /every:1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31 "C:\Windows\system32\clipp.exe"
          4⤵
          • An obfuscated cmd.exe command-line is typically used to evade detection.
          • Suspicious use of WriteProcessMemory
          PID:528
        • C:\Windows\SysWOW64\regsvr32.exe
          "C:\Windows\system32\regsvr32.exe" /s "C:\Windows\system32\mfmkvsrccsnk.dll"
          4⤵
          • Loads dropped DLL
          • Installs/modifies Browser Helper Object
          • Modifies Internet Explorer settings
          • Modifies registry class
          PID:764
      • C:\Users\Admin\AppData\Local\Temp\190211240.bin
        "C:\Users\Admin\AppData\Local\Temp\190211240.bin"
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:3192
  • C:\Users\Admin\AppData\Local\Temp\107171398.exe
    "C:\Users\Admin\AppData\Local\Temp\107171398.exe" "C:\Users\Admin\AppData\Local\Temp\1555024821.bin"
    1⤵
    • Executes dropped EXE
    PID:228
  • C:\Windows\SysWOW64\at.exe
    at 05:21 /every:1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31 "C:\Windows\system32\clipp.exe"
    1⤵
    PID:2796

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\129528315.exe

    Filesize

    202KB

    MD5

    32670744c6b48a55a156e348e4815d63

    SHA1

    50dab245554733c4c1cb8551e1bec063cac432e1

    SHA256

    a97b4043f52f78d4f4f0bd10295b2d609530d959a11b4e7337a471cc72bedf39

    SHA512

    9253c461313816145eae8918e6d37fc34250714ea610d2783a2733ea0ea57246c23e1e8ba107ff1650b873acf368edc4567b928cedfb1d25cd5f23763d7ec286

  • C:\Users\Admin\AppData\Local\Temp\1555024821.bin

    Filesize

    402B

    MD5

    ca86c94cf9256cd2bf93e6639c32f61c

    SHA1

    371bad2dac6afaef6fa2311fdd16631e80c8c905

    SHA256

    1cd69c1dd920606cd6e3c42d6bff4f63e6d02a99edb6b3604ee6f182ff1374df

    SHA512

    14ace75dfa50b6dc5e51cef80981630c2177b3ea3ef8892c7938e0b91a325fc09d95bbcad2a841c8eaf156d9c418de64ad458344eb795ee6dcd7707f8423d2a9

  • C:\Users\Admin\AppData\Local\Temp\190211240.bin

    Filesize

    243KB

    MD5

    97bacf4e79415c1bd1afa578eefb2e35

    SHA1

    f7ae523b22e44106e4be136098f367614fd6061f

    SHA256

    b7488daa93b04130e29a35ac6c6445fdd6f240824a6b98ab76d2c87e9bdabc52

    SHA512

    a6524e2d74ab97e8158ed3457ba3481f70278ae7cba5ea861f59c60acd5dba4e3177124ebade52e94ca9f0d85d0a3d5c6b249f3b287d543645b4e4ad75142303

  • C:\Users\Admin\AppData\Local\Temp\190211240.bin

    Filesize

    93KB

    MD5

    6cbe856f910a24cda424ee673029559f

    SHA1

    cda0d4e353f196d079e98d0816c0602f5dc018a6

    SHA256

    a79c9c7a043fdd5a907428658fdac0f1cda50262a77c68c6fa75455f947388e4

    SHA512

    426ae1671898f3558f5fc37ce290b078b05d9a02fb2177850078a430976d0ae8a7e2272b272debba8aeeca97ee3c2b889117e766ab8e06b9aa770ead170418a1

  • C:\Windows\SysWOW64\mfmkvsrccsnk.dll

    Filesize

    176KB

    MD5

    8bf7b7689cc8b5b1e51bd06c35abd849

    SHA1

    4f2b8500da81453450d7cf6b19a72c9b121d7295

    SHA256

    d1721d05ac716373230f3044828a5d400c0884a62b7867d63f965a57bb414882

    SHA512

    71cf5cc2740a29df0f63cda56421356ebc49906516cb4776f81b292a9c0489a58b7589a946d317bc78d62dceb1b038b6bd70a0fb47b26cf5a1ffae1bade5c0ab

  • memory/3192-31-0x0000000000400000-0x000000000046E000-memory.dmp

    Filesize

    440KB

  • memory/3192-32-0x0000000000400000-0x000000000046E000-memory.dmp

    Filesize

    440KB