Analysis

  • max time kernel
    148s
  • max time network
    145s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    26-12-2023 03:18

General

  • Target

    4f9cced988a73931fd48ccb42050c7e7.exe

  • Size

    704KB

  • MD5

    4f9cced988a73931fd48ccb42050c7e7

  • SHA1

    9c40227ec20c8938213fe1b6e65ae7c78c201373

  • SHA256

    6e5861addb5fd14b5a5e6d514d65357e4cf4ca108ac7e3e7240a3746b641819c

  • SHA512

    9db9a3162021aedb86d5897ab65b935c920cd4a4e88983be7fc50fd615fb757a6da0cf7d936da7a1420aafa9ad70ea665d758653bc9e9e2b6cb53c662fb42f7a

  • SSDEEP

    12288:l9Ot9JniEvpOoCUYO2wlv8ilSOW8RXOZoJQIcATRIk0xFJgh9up9V3ICwera4sPz:6nJ5xWUYlajSG+CaS0x/u9upb3Ze4sr

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 5 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Installs/modifies Browser Helper Object 2 TTPs 2 IoCs

    BHOs are DLL modules which act as plugins for Internet Explorer.

  • Drops file in Windows directory 7 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 46 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of SetWindowsHookEx 8 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\4f9cced988a73931fd48ccb42050c7e7.exe
    "C:\Users\Admin\AppData\Local\Temp\4f9cced988a73931fd48ccb42050c7e7.exe"
    1⤵
    • Checks computer location settings
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:4052
    • C:\Users\Admin\AppData\Local\Temp\RarSFX0\rinst.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX0\rinst.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Drops file in Windows directory
      • Suspicious use of WriteProcessMemory
      PID:2392
      • C:\Users\Admin\AppData\Local\Temp\RarSFX0\KidAutoPK4F4.30.exe
        "C:\Users\Admin\AppData\Local\Temp\RarSFX0\KidAutoPK4F4.30.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        PID:4872
      • C:\WINDOWS\Web\cftmonn.exe
        C:\WINDOWS\Web\cftmonn.exe
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Adds Run key to start application
        • Installs/modifies Browser Helper Object
        • Drops file in Windows directory
        • Modifies registry class
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        • Suspicious use of SetWindowsHookEx
        PID:2912

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\KidAutoPK4F4.30.exe

    Filesize

    510KB

    MD5

    f9797a384e524345ea91424f0f6cdbbd

    SHA1

    67f9b429a1bbdd5dc46b0174a1e19a3b2a969103

    SHA256

    2153b68233dec9f14516a81d4d323c128b08539c358d3d38aecf2ab292fa7b19

    SHA512

    18974a4bad9d593888235e24760687c29dc666ad88b0d9a7632ea529f0e21aa16f98be6b8bb04540b018f10cb60af97d3683aa3b813cc7b02c5fd8fce900b47c

  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\cftmonn.exe

    Filesize

    428KB

    MD5

    9079881f212254a34660ec143ca3bcf9

    SHA1

    e2e79f424d0de904751803b9aa3e2468122aa95f

    SHA256

    307fb0a6dae9ec12525f0b53353e48184a6630c871834ee1f05bebefcf560bab

    SHA512

    51599423d28bf3fad2bd5e09c842644f11b4fc9f5cb5646e5a6fb548a4e56b985f3ea8ca075c6501000b26ce25cd9f2b868a4c37d013aeaee6d9ebfe359b6fbe

  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\cftmonnhk.dll

    Filesize

    24KB

    MD5

    54f967692fa729c17c02b92c418e155a

    SHA1

    fa900726cbe24cecd8c8d6c644a66c16a48d3aff

    SHA256

    02603da01bb033e264c48fa00fa7d77f2cb1672f4eb6c8d2f7fad727b0486ad2

    SHA512

    b441bd81520360f46118ad8d587924514bda2d366568ae3cc79e174fa222f96839c06d5ea1bee2038a890adbf7b84393f26092256380768393e651739770b8e8

  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\cftmonnwb.dll

    Filesize

    40KB

    MD5

    cde4ef975f7f73787f9a8a9297246b6a

    SHA1

    fb06c767d70b1f7b19444c195f67484281af703e

    SHA256

    3c7e70341b4388ce13fb046975ada17c72612242a67f3bd54c996004152353d7

    SHA512

    006f9ba7482a32ccb2240f73a426feecd8196de977310f31452c70ca34a80a895c96ca364cdb2738eb77fe19163aec1db8baf2a2ad25b994fb18c6262694905e

  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\inst.dat

    Filesize

    996B

    MD5

    94ff38f9cc1eba2948f37979dee45b92

    SHA1

    fde795bb23e7e45464137f479a0e730f85c723ed

    SHA256

    1ec1b507ca7290111db1924ae3932edeefd012156ff0b5c06f76518001558692

    SHA512

    7f1bc997426bfb12a39dbdae052e3c3b414935827203e4916365f794a3b80f96e1c913a170b286a1ca737de8e00e5866e8cc51c5c90d6036d376674eeb194d2d

  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\pk.bin

    Filesize

    4KB

    MD5

    818a9c7d936b26a12d136888f09ce891

    SHA1

    f878de9cd714eca8e618180454f0adf7c26f292c

    SHA256

    7d8261a2624553c78552e3e7b62440881999ada859892e3818775e4c63686d97

    SHA512

    93aae33084a618c838b26ae57e374ae65b0f26c572960cae912a9622d37622b8e306fd532877bd0ab6ff7405686c25c4a8b2b25bf13b859602ea39f73cf737af

  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\rinst.exe

    Filesize

    7KB

    MD5

    a455ca431e66975d886f1a8cfee8cb9f

    SHA1

    95868529973c77199b76ec593a686d9b324dee8b

    SHA256

    6bba0b8d8bf03ba15828c53e72d83d766e44b3238b55ab75348d8ce93bfd0056

    SHA512

    53e0c4edf9d91ebdea04bfb343c568190eaaeb066bc6742262f1e5943d2b27c375e1eca483419ae8753138dc2131c9d3c7742812c16863689c3bb266057c0531

  • C:\WINDOWS\Web\cftmonn.exe

    Filesize

    428KB

    MD5

    bae0fb25bcf05a5da7fde8dce759ee0d

    SHA1

    bc74b07d14a63ce572755c70ceb796136d129e20

    SHA256

    b966953b0a0e0bf648b1043b4e708445b52b020a0485921138bbf3be58d9995d

    SHA512

    74a61f7712df39194b2cb77186231d5960b8bfc5b37abdf20c357471a4e8dd8a8e648161cda7b1c8ee01d422926e3b30fd5ec9c6ebbf589a4feeaeba99ca2929

  • C:\WINDOWS\Web\pk.bin

    Filesize

    4KB

    MD5

    9807fbc03a02f4dabd481efcaac71b0f

    SHA1

    e816f33c220e357c3baeb7487768d82da08eea40

    SHA256

    be30d29869038ed1ae2963221ceb223405b7b939e1474e2fb188fd412f774f39

    SHA512

    2a9a5f831f0eb925d39fee38e371d4502b6e53f75ce2dc10c8a43008629a54ac264f08dbafd3827672dcb303046beecd190aa88cbb91359bca9565b1645279fc

  • C:\Windows\Web\cftmonnhk.dll

    Filesize

    24KB

    MD5

    58129986fa29f6dacd99ab45f60bcb3c

    SHA1

    7f21995794a060fc8629e0d113cf568de14c509e

    SHA256

    525414ffe5f797ebdd7de5620b75ff723de17bf8f399ffcd7ddec2d0b8a5dc4a

    SHA512

    62ade2d2eb41cd99dcd9f6d66e7966d129be20551faadcf827558e85d669f885ad144d10a87c3be7faed08103b86ab523fb6756b44f9e0ba77cdff586214701a

  • C:\Windows\Web\cftmonnwb.dll

    Filesize

    40KB

    MD5

    2e6016325548ab79e2d636640c6ec473

    SHA1

    586e2b84d46ef00e26c1686033def28e8a9995a5

    SHA256

    62e2948c3e3857e8304a657b7e7da30cdcb6842f71bd4c678a1734ebbf17198e

    SHA512

    1dc89b9e15f5835dff3203e278f000df5c0d8d93cbef5059be3f1024ef1e16ae8087a4f8e1131b20b190942984e9dc6079dfe951a52de7f4d4ad7de8721a0e86

  • memory/4052-64-0x0000000000400000-0x0000000000413000-memory.dmp

    Filesize

    76KB

  • memory/4872-65-0x0000000000400000-0x0000000000422000-memory.dmp

    Filesize

    136KB