Overview

overview

8

Static

static

3

04d4326343...e8.exe

windows7-x64

8

04d4326343...e8.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    145s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
  • submitted
    29/12/2023, 21:48

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    04d4326343cdf1d4baef0f88aee6dce8.exe

  • Size

    13KB

  • MD5

    04d4326343cdf1d4baef0f88aee6dce8

  • SHA1

    427d54e74f33b594ccf789145044e87cf7325492

  • SHA256

    609e27656ad00574815d2a355cf429da58e082ff6ba245e74e06335a4113ea14

  • SHA512

    a1233dff180afe52e8fc65d21b42ef9b1d97a98e8206bfe4183e85051b635e5956ce70355fd93abb7ca7caebdfdc9b27277ef8919a9ba9c7bb6a7e276d7158bb

  • SSDEEP

    384:FtTdZjseIebeqoM6Jw3toQTgQBi88+wYzLY:7bfLFoM76QTf4BYvY

Score
8/10
adwarepersistencestealer

Malware Config

Signatures

  • Adds policy Run key to start application 2 TTPs 2 IoCs
    persistence
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Installs/modifies Browser Helper Object 2 TTPs 3 IoCs

    BHOs are DLL modules which act as plugins for Internet Explorer.

    stealeradware
  • Drops file in System32 directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies Internet Explorer settings 1 TTPs 3 IoCs
    adwarespyware
  • Modifies registry class 6 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\04d4326343cdf1d4baef0f88aee6dce8.exe
    "C:\Users\Admin\AppData\Local\Temp\04d4326343cdf1d4baef0f88aee6dce8.exe"
    1⤵
    • Checks computer location settings
    • Drops file in System32 directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:116
    • C:\Windows\SysWOW64\issearch.exe
      C:\Windows\system32\issearch.exe
      2⤵
      • Adds policy Run key to start application
      • Executes dropped EXE
      • Loads dropped DLL
      • Installs/modifies Browser Helper Object
      • Drops file in System32 directory
      • Modifies Internet Explorer settings
      • Modifies registry class
      PID:1916
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\04D432~1.EXE > nul
      2⤵
        PID:4620

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Windows\SysWOW64\issearch.exe
      Filesize

      28KB

      MD5

      fc7b0c097f584c0090b7dd5b8ec59934

      SHA1

      faa106f33bcb592fb876e4d44a3b481827aeea4b

      SHA256

      dacc6f71bd1c3069fba75abfcaac97359aa949a92d4bf92119a19d38242a0623

      SHA512

      1c159073ef7d5f8f220a2eb4bdc072aff8db2941a7cde854828f5cabb526fbe0ae1d8fc5f35085c01101ecf3eebbd2d93c01e15b840cb459291742cc1d61eb94

      Download Submit

    • C:\Windows\SysWOW64\ixt0.dll
      Filesize

      18KB

      MD5

      0164585125ce7417a90db7afa671536f

      SHA1

      74e24beea416fb9c0a23fd66102909b46110f03a

      SHA256

      e11c7aafc30d9d0b5da7364058e7949150d8a0ab71e7f4c583ff64f81dd9206b

      SHA512

      ad2636db623c4645bd1c86cf5f6a98f2403c51ba4a09468f3b573d9681f342c2a7ead0a37d5b5a6a349c45d5e143fe3037674be3190331d529bac65379b2314e

      Download Submit