Overview

overview

7

Static

static

1

1014072485...df.exe

windows7-x64

7

1014072485...df.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    141s
  • max time network
    145s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
  • submitted
    30/12/2023, 05:33

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    1014072485c91f77713e68258bf794df.exe

  • Size

    563KB

  • MD5

    1014072485c91f77713e68258bf794df

  • SHA1

    3ba18050f2d3f882a5a0bbf1866542b0730a47f2

  • SHA256

    e8a3fbef6f12cf9a7e499c990bd3ebf5b305c8c7c1aafc7090ffaa9972ffb685

  • SHA512

    4879e702d13e94398a0b0d033b53a89f9418e313369e7e04e324f6605186a981e2611a2a8d82774398b783b5c2ee8d9d9221300cbf6d78a371db1f7b7e0c4f66

  • SSDEEP

    12288:YwX5pxng9W3aOs7ZAl+JcecUDwt4lhKX6OC0puOtOCRJ3:YUpO0ajiAcecUDw+39I

Score
7/10
adwarediscoverystealer

Malware Config

Signatures

  • Executes dropped EXE 5 IoCs
  • Loads dropped DLL 27 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Installs/modifies Browser Helper Object 2 TTPs 2 IoCs

    BHOs are DLL modules which act as plugins for Internet Explorer.

    stealeradware
  • Drops file in System32 directory 1 IoCs
  • Drops file in Program Files directory 12 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies Internet Explorer settings 1 TTPs 9 IoCs
    adwarespyware
  • Modifies data under HKEY_USERS 31 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1014072485c91f77713e68258bf794df.exe
    "C:\Users\Admin\AppData\Local\Temp\1014072485c91f77713e68258bf794df.exe"
    1⤵
    • Loads dropped DLL
    • Installs/modifies Browser Helper Object
    • Drops file in Program Files directory
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2848
    • C:\Program Files (x86)\CloudWeb\cloudweb_svc.ex_
      "C:\Program Files (x86)\CloudWeb\cloudweb_svc.ex_" /stop
      2⤵
      • Executes dropped EXE
      • Drops file in Program Files directory
      PID:3004
    • C:\Program Files (x86)\CloudWeb\cloudweb_svc.ex_
      "C:\Program Files (x86)\CloudWeb\cloudweb_svc.ex_" /u
      2⤵
      • Executes dropped EXE
      PID:2704
    • C:\Program Files (x86)\CloudWeb\cloudweb_svc.exe
      "C:\Program Files (x86)\CloudWeb\cloudweb_svc.exe" /i
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in Program Files directory
      PID:2568
    • C:\Program Files (x86)\CloudWeb\cloudweb_svc.exe
      "C:\Program Files (x86)\CloudWeb\cloudweb_svc.exe" /start
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in Program Files directory
      PID:2488
  • C:\Program Files (x86)\CloudWeb\cloudweb_svc.exe
    "C:\Program Files (x86)\CloudWeb\cloudweb_svc.exe"
    1⤵
    • Executes dropped EXE
    • Loads dropped DLL
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Modifies data under HKEY_USERS
    PID:1316

Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Program Files (x86)\CloudWeb\CloudWeb_run.exe
          Filesize

          127KB

          MD5

          e8f26315c9e6e98ea8db67c6960e8060

          SHA1

          1d358e4fd9706aaf08014866631e2d4c85c43343

          SHA256

          1c942e596a377afbf25ace076952555b1af74e7f5b2126322ae8ebf2447e052b

          SHA512

          b90cf5ff58cc5499bc0e1a6e2e721136b69769ff821873b684aa74d6fd38d18e60c4cdce0b50967f7f0a0dc2a53b21d6bb3b286d1ae85ee69a320d4812939b10

          Download Submit

        • C:\Program Files (x86)\CloudWeb\Log\cloudweb_up_20240101.txt
          Filesize

          231B

          MD5

          72bc9e621c7fb5b64b99f78b6749cd50

          SHA1

          9c200879f86d4276aa5bc1644d07e9f5c7883cfc

          SHA256

          7aa5edb8c7470e3d39b9a55c387a1e41ec67453b9c8b4af849d9178c96bce117

          SHA512

          0860d421d3951aeecbec0b619682149f303a29567ff3e0af46083cb229a8987f0edfe98bdda9e519557445a2feeeb7f5657c66930304e8e990734ac9ccad34dd

          Download Submit

        • C:\Program Files (x86)\CloudWeb\Log\cloudweb_up_20240101.txt
          Filesize

          305B

          MD5

          80f5399f0fe87155463bdcf5cdc311d9

          SHA1

          2c07956cd91f67e8d0ec9ecd85a4760a24aa05bf

          SHA256

          a9f66f404a35c40da652b0daec9d96cb7cbdc5c02b9e928a850cee46b02a0d99

          SHA512

          4ff5e456551bcd6d3b298243aa551ade5fcd811229223f9493fae88a0daebadddbb1f5186fe312f54b7d837315a14c4adbfd71ed8432f7262d46902064a171e6

          Download Submit

        • C:\Program Files (x86)\CloudWeb\Log\cloudweb_up_20240101.txt
          Filesize

          379B

          MD5

          fd15e86a52ba02ed7bdc68f8262745a4

          SHA1

          9c1868a9fb423126c4649c5c3eb7d4a0cc788b04

          SHA256

          9df3df8f90e5607fd703420caa0f33891cb39bfd115d008574d4e82550c21ec9

          SHA512

          b6f0e622772b93bef01960bbf842121da3be097f7cd6c2c39044ba1a3bd1318f24258c9b6624c84b31c22078d03f2a39da65e79a6f0b40f9f4aee63bfbcb0d31

          Download Submit

        • \Program Files (x86)\CloudWeb\CloudWeb_2_61.dll
          Filesize

          123KB

          MD5

          f4253f1090546ac03240a6874192fc4c

          SHA1

          6cf7317b589103e82adfbf3758a1b86691e064cf

          SHA256

          dbe10fbff62d027c6805241262da673494c76bdeb65dc8d7801d914371cfdefd

          SHA512

          29e40ea61c602e955b21909a227ce07b6d076fd526173f990ef261e4250c1e9e66b11949e27c7ea564dba19cde89460da475919b1e07ca09e1662bd7039591ed

          Download Submit

        • \Program Files (x86)\CloudWeb\CloudWeb_mime_2_61.dll
          Filesize

          211KB

          MD5

          519ef5dfaa216b5ef8eda0b044882a31

          SHA1

          a82bf144770ab9ab1bd705839d59ddd3df93dea2

          SHA256

          7df5ea5b776e2efac5f57656e22135f3e63feeb7d84fca1063cbaa0a3ef01fd6

          SHA512

          91dfc0d869b828d1cce48ba0a13fb78579c48368f124397313bcf84d6e193466dbc6a783a8950d24630058b40ce4713855489d9c81c418be1390c648e54344e6

          Download Submit

        • \Program Files (x86)\CloudWeb\CloudWeb_tb_2_61.dll
          Filesize

          127KB

          MD5

          b9c2144c743bea7f56ff8306d131b767

          SHA1

          414212011d97d798448b465c637c4ee812a0741a

          SHA256

          297f880b5f44e420e504f814b5d5b6d0a384b30ab51731cde9954769dde59a5a

          SHA512

          9914e0dd894098554c5d8dc085e036c671fce06da4290d1f3ffd9f2abc62ecbde89f685366a1d031c88384fbcb18f08d900eb64b63b2bb17ab734364bf043866

          Download Submit

        • \Program Files (x86)\CloudWeb\cloudweb_svc.ex_
          Filesize

          103KB

          MD5

          3acfb38c7afaa829b27d1bd853f4c4a0

          SHA1

          9e4bdb7d11be5a08cbb0c83d310208af0ea11943

          SHA256

          caf4d9741a12b48c30030d4f8e50e7ba86772d23c89d6d87719441ff3411a9ba

          SHA512

          74468e9264cb3947a47b302021843c4f934c0b7d718a40ff9b9a68e0d9c5c514276ff45386890cc649357bbfd706a3808fff750026376135086d6044ad4c7f70

          Download Submit

        • \Users\Admin\AppData\Local\Temp\nst58FA.tmp\System.dll
          Filesize

          11KB

          MD5

          c17103ae9072a06da581dec998343fc1

          SHA1

          b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d

          SHA256

          dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f

          SHA512

          d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

          Download Submit

        • \Users\Admin\AppData\Local\Temp\nst58FA.tmp\nsProcess.dll
          Filesize

          4KB

          MD5

          8f4ac52cb2f7143f29f114add12452ad

          SHA1

          29dc25f5d69bf129d608b83821c8ec8ab8c8edb3

          SHA256

          b214d73aea95191f7363ad93cdc12b6fbd50a3a54b0aa891b3d45bc4b7b2aa04

          SHA512

          2f9e2c7450557c2b88a12d3a3b4ab999c9f2a4df0d39dcd795b307b89855387bc96fc6d4fb51de8f33de0780e08a3b15fdad43daeaf7373cca71b01d7afdaf0c

          Download Submit

        • \Users\Admin\AppData\Local\Temp\~nsis\CloudWeb_nad_2_61.dll
          Filesize

          515KB

          MD5

          10e0f8f45b687dcc8a2dd2c8910008e0

          SHA1

          1b6dce882ec2710570e2cfc0dc6d297bee9b5333

          SHA256

          bed0defadc0b8febb9b198fafd1bcbcab989b92ca0e55cdb2752193ed6000b62

          SHA512

          2375b3b265c9b4bff97c609622f4cdf3b16da41b04ea0905b8b92ed7e7eb94eb1c4069dbbba55b274a0e877fb4985bfe0839bcffca2186e7a8f88916b9923cec

          Download Submit

        • memory/2848-39-0x00000000003E0000-0x00000000003FF000-memory.dmp

          Filesize

          124KB

          Download

        • memory/2848-46-0x0000000002890000-0x0000000002914000-memory.dmp

          Filesize

          528KB

          Download

        • memory/2848-43-0x00000000003E0000-0x0000000000400000-memory.dmp

          Filesize

          128KB

          Download

        • memory/2848-7-0x00000000023F0000-0x0000000002474000-memory.dmp

          Filesize

          528KB

          Download