Overview

overview

10

Static

static

7

053ecfe44a...0a.exe

windows7-x64

10

053ecfe44a...0a.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    112s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231222-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
  • submitted
    29/12/2023, 22:10

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    053ecfe44a3f026cd57ca947ba0cbf0a.exe

  • Size

    37KB

  • MD5

    053ecfe44a3f026cd57ca947ba0cbf0a

  • SHA1

    27787448de35b99874c9f4f227fa2b4c797640bb

  • SHA256

    e22e081c5e641cbc0021100f184db29fa1cb0d55e7ced2ad1e9f9b5930a4ff62

  • SHA512

    fa3c98a5e5ef523303141c7bda879ed12c007f0a6199da2c5bbc073fca82c3fa6f0b86ef60ec7dc803da9b193538b6a59b6149daa3cddd75766ef9caaa03839c

  • SSDEEP

    768:RVGh82aiMC41JuGIdkJmPEGxm+A/0WXMSCnIID3+:y8Nn1oGiwO9B7WXRk+

Score
10/10
adwarepersistencestealerupx

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
    persistence
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 1 IoCs
  • UPX packed file 5 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Installs/modifies Browser Helper Object 2 TTPs 2 IoCs

    BHOs are DLL modules which act as plugins for Internet Explorer.

    stealeradware
  • Drops file in System32 directory 11 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 46 IoCs
  • Suspicious behavior: EnumeratesProcesses 38 IoCs
  • Suspicious behavior: LoadsDriver 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 7 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\053ecfe44a3f026cd57ca947ba0cbf0a.exe
    "C:\Users\Admin\AppData\Local\Temp\053ecfe44a3f026cd57ca947ba0cbf0a.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Checks computer location settings
    • Drops file in System32 directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2856
    • C:\Windows\SysWOW64\sschost.exe
      "C:\Windows\system32\sschost.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:3908
    • C:\Windows\SysWOW64\kaceyl.exe
      "C:\Windows\system32\kaceyl.exe"
      2⤵
      • Checks computer location settings
      • Deletes itself
      • Executes dropped EXE
      • Drops file in System32 directory
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1940
      • C:\Windows\SysWOW64\sochost.exe
        "C:\Windows\system32\sochost.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        PID:1488
    • C:\Windows\SysWOW64\regsvr32.exe
      "C:\Windows\System32\regsvr32.exe" /s /c C:\Windows\system32\kavsus.dll
      2⤵
      • Loads dropped DLL
      • Installs/modifies Browser Helper Object
      • Modifies registry class
      PID:3556

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\SysWOW64\kaceyl.exe
    Filesize

    20KB

    MD5

    4a6a030b4c32ebc79e600d9c475047e1

    SHA1

    b5d79f4f6ed357b3ea3a0b9aae968ae5718b0f4a

    SHA256

    f94890e9c92b55944e7e81fdc4f7f701c398dba0fd5a7298d959a4f07e9df2c7

    SHA512

    0d1d30a0a75c29d0de40e187873340c175c3118c5cb574efff80186fe56f7e5a98ee9876faa55300d5cd7aed4d974d9d96eadbed77e1043fcc89c64124df04ff

    Download Submit

  • C:\Windows\SysWOW64\kavsus.dll
    Filesize

    32KB

    MD5

    d6be87c92881df32d1b96fba57fcc369

    SHA1

    68c86111f62756c9499f0cef99d53f29392a76a0

    SHA256

    63eb609bda077a86601d6982561cbb7d0b0422cfe9a82d2b2e15247adc0ffce2

    SHA512

    70620a637346b5682540a8ea8e1585f4ebe4e8d61683dd1f839613002a8575a4e3d18938d5216da9805109601520f110f6f00cff978f634932eb5bfb8b3a727d

    Download Submit

  • C:\Windows\SysWOW64\sochost.exe
    Filesize

    37KB

    MD5

    053ecfe44a3f026cd57ca947ba0cbf0a

    SHA1

    27787448de35b99874c9f4f227fa2b4c797640bb

    SHA256

    e22e081c5e641cbc0021100f184db29fa1cb0d55e7ced2ad1e9f9b5930a4ff62

    SHA512

    fa3c98a5e5ef523303141c7bda879ed12c007f0a6199da2c5bbc073fca82c3fa6f0b86ef60ec7dc803da9b193538b6a59b6149daa3cddd75766ef9caaa03839c

    Download Submit

  • C:\Windows\SysWOW64\sschost.exe
    Filesize

    20KB

    MD5

    71e241d422dab0aa95b0e222074faaf4

    SHA1

    61fbb443bee657bf1fb4628a96fa123a989c13a4

    SHA256

    89fc8a546f5551f27d5e6b5216555f967d387011a92f0cfd9400b5c58d208721

    SHA512

    4d4986ed3a46ae042bcd20aa455ca4932d17d73584c30c19a2e2bc29e279d36493ae42d4caf8429eaadb92ddd4c3f58c019203ec33c99e8b622c363fddd6c472

    Download Submit

  • C:\Windows\SysWOW64\ssdtt.sys
    Filesize

    2KB

    MD5

    f8ecd47e116c0c6304ba7a652bd7cbd4

    SHA1

    522e7efc1cef4e790d88b97b2524b43a071413e1

    SHA256

    afd36c473f8f7c83da46f27d86fae04beef761a3321bdd5a731afddfd4a2e546

    SHA512

    76535b41926c4d7b54b8ca5e8aeec91b6b18d87f26d7cea5691540905ca2818dc331df41be185399aac9ae1568f22d300c1c08df159d405b623b4caf023abe35

    Download Submit

  • C:\Windows\SysWOW64\winsys.ini
    Filesize

    91B

    MD5

    176db116c4fdf1f17e781f1848b8be66

    SHA1

    d760d66f88e41e740c4a6d021daf1a15dbd2c0bb

    SHA256

    581b950d947e387f6a8192bb7f835b2b7e4549343e58b54c9e859957062b8752

    SHA512

    b68b577050fe1c2c6cae663d21b452aa07edb3f716bc3183af466deff18b816d9b198f22c582d906ceecab2726b017453090b80cedd3982c404d98bb2b2b9172

    Download Submit

  • C:\Windows\SysWOW64\winsys.ini
    Filesize

    26B

    MD5

    d8ab3ea023fda33b8017ccc4748534f8

    SHA1

    e5c8b0f40ed03ad98f0d207ee073af2ee925db78

    SHA256

    14776c2d9c1446833752ec1c0686cc74bee4c3bd3036b3ad7cf51249ebe381ab

    SHA512

    0a6ab8641e77dcdc9b33e49462404aaf43ca549122d6fd5afc72448b5f50558859657d64d66d38415e752c05abaa225e545310986516eb1af0f691ff690ec5e0

    Download Submit

  • memory/1488-48-0x0000000000400000-0x000000000042D000-memory.dmp

    Filesize

    180KB

    Download

  • memory/2856-0-0x0000000000400000-0x000000000042D000-memory.dmp

    Filesize

    180KB

    Download

  • memory/2856-1-0x0000000000400000-0x000000000042D000-memory.dmp

    Filesize

    180KB

    Download

  • memory/2856-30-0x0000000000400000-0x000000000042D000-memory.dmp

    Filesize

    180KB

    Download