Overview

overview

8

Static

static

3

1773565cd9...ca.exe

windows7-x64

8

1773565cd9...ca.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    148s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20231129-en
  • resource tags

    arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
  • submitted
    30/12/2023, 11:45

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    1773565cd9cfff6c1e570c1cd8996dca.exe

  • Size

    459KB

  • MD5

    1773565cd9cfff6c1e570c1cd8996dca

  • SHA1

    45f2df63ac7b82d2b2ae87a4ce03324b32c39f81

  • SHA256

    38dcaf30cc9d82ee6b919db70bc954dbee92bc9b370f5ead158339932ba9b027

  • SHA512

    f3ba89bd6ecac710606df46317281a87010414cb7360b55d409d38cf655a068109163f78c992d964f188d4f5346f9e649bc84a5239703dfe07ab48b368646fa0

  • SSDEEP

    6144:1G3FnRQ3CTZyokIeWIo2i1oUSvEGkJXc5ILB2+PWzFLKlXlBk1RPd/WhubkirBt2:016ucvECUBv+hZzcd7aEARLWF

Score
8/10
adwarebootkitpersistencestealer

Malware Config

Signatures

  • Adds policy Run key to start application 2 TTPs 3 IoCs
    persistence
  • Blocklisted process makes network request 2 IoCs
  • Drops file in Drivers directory 1 IoCs
  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 52 IoCs
  • Installs/modifies Browser Helper Object 2 TTPs 1 IoCs

    BHOs are DLL modules which act as plugins for Internet Explorer.

    stealeradware
  • Writes to the Master Boot Record (MBR) 1 TTPs 3 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

    bootkitpersistence
  • Drops file in System32 directory 15 IoCs
  • Drops file in Windows directory 14 IoCs
  • Modifies registry class 46 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 58 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1252
      • C:\Users\Admin\AppData\Local\Temp\1773565cd9cfff6c1e570c1cd8996dca.exe
        "C:\Users\Admin\AppData\Local\Temp\1773565cd9cfff6c1e570c1cd8996dca.exe"
        2⤵
        • Loads dropped DLL
        • Writes to the Master Boot Record (MBR)
        • Drops file in System32 directory
        • Drops file in Windows directory
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2888
        • C:\Windows\SysWOW64\regsvr32.exe
          C:\Windows\system32\regsvr32.exe /u /s "C:\Windows\system32\6f11.dll"
          3⤵
            PID:2664
          • C:\Users\Admin\AppData\Local\Temp\laf\miniup.exe
            C:\Users\Admin\AppData\Local\Temp\laf\miniup.exe
            3⤵
            • Adds policy Run key to start application
            • Executes dropped EXE
            • Loads dropped DLL
            • Drops file in Windows directory
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:2676
            • C:\Windows\SysWOW64\rundll32.exe
              rundll32 "C:\Windows\Downlo~1\nl0gz8.dll",Run
              4⤵
              • Loads dropped DLL
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of WriteProcessMemory
              PID:2500
            • C:\Windows\SysWOW64\rundll32.exe
              rundll32 "C:\Windows\Downlo~1\y3bsb.dll",start
              4⤵
              • Loads dropped DLL
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of WriteProcessMemory
              PID:2472
          • C:\Windows\SysWOW64\f1971.exe
            C:\Windows\system32\f1971.exe -s
            3⤵
            • Executes dropped EXE
            • Loads dropped DLL
            PID:944
          • C:\Windows\SysWOW64\f1971.exe
            C:\Windows\system32\f1971.exe -i
            3⤵
            • Executes dropped EXE
            • Loads dropped DLL
            PID:2344
          • C:\Windows\SysWOW64\regsvr32.exe
            C:\Windows\system32\regsvr32.exe /s "C:\Windows\system32\6f11.dll"
            3⤵
            • Loads dropped DLL
            • Installs/modifies Browser Helper Object
            • Modifies registry class
            PID:2744
          • C:\Windows\SysWOW64\rundll32.exe
            C:\Windows\system32\rundll32 C:\Windows\system32\f61.dll,Always
            3⤵
            • Blocklisted process makes network request
            • Loads dropped DLL
            • Writes to the Master Boot Record (MBR)
            • Drops file in System32 directory
            PID:2072
      • C:\Windows\SysWOW64\f1971.exe
        C:\Windows\SysWOW64\f1971.exe
        1⤵
        • Drops file in Drivers directory
        • Executes dropped EXE
        • Loads dropped DLL
        • Writes to the Master Boot Record (MBR)
        • Drops file in System32 directory
        PID:2392

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\laf\bho.dll
        Filesize

        52KB

        MD5

        f8f15a3bf018061ed8175c38b7adcdbd

        SHA1

        1edcd70fbdc0fa214d9945fbb06ff8cb744227d0

        SHA256

        6fb6cbb52552c4ddfeb1ec388708439871e5ac17eda1dcf7b3b3dfc9db96c899

        SHA512

        21a57f06650e46af61ab76121f6834568e7e5968bd95813d81766456e79a9690885919644e750a193a921322d3ab31150c4d3253468a8a040a2e7eb3780f69fd

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\laf\play.dll
        Filesize

        828KB

        MD5

        4fdf61c32981034098c0dd89fee696a9

        SHA1

        d50c5e1fdb0ac93830f8375d82c6616c94eb2874

        SHA256

        95cfb8c6a2f5e93ab66070a67ef5ee4719aa69e8a40b2facaae37aee05f017f0

        SHA512

        e700535511c506252c6100847d5c9bffe1c033422590d1c33f4357354bf8349a4d4aac313c2d21f620d1ce0a021c69197b194e871964fa3124f95e5eff173823

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\znwjpvf6\miniDll.dll
        Filesize

        48KB

        MD5

        b183eb58336f1bf3c1bf55abc4743aae

        SHA1

        b3a4011b551ffdaed8c19a0d14ecac25e074934c

        SHA256

        2f3ef2445f92f679f6f8d16ebd8643d3d1fadb2d2be0e3d80ad3f8f214eceecd

        SHA512

        cd05c7d451b30357f19b0f81326ce226ffbe44efd2b1bc998e4afa2a17f58ea8394d950f0bc37573bd5b0be0fdedebba7c2868e98b306e4afdada53c20da0104

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\znwjpvf6\up.dll
        Filesize

        64KB

        MD5

        31dbfa092525549c886f12f54d02a09d

        SHA1

        04fefce326814978d53694c875c1b7257a708398

        SHA256

        c9b4babcbe32a7daee70d1b827af603b2b44da90a6380521777c3a9fa36af705

        SHA512

        bf34f53a9311d68e33d9afdf50ca0714769c6c3ffc474b082c1655aa09431ece639c72b6930b0fe85d83db57f418a7037871f16f3856b194bc84c2752fe964c2

        Download Submit

      • C:\Windows\SysWOW64\f1971.exe
        Filesize

        120KB

        MD5

        bf21bc4774bdbce5c7cef9a05fbd9b53

        SHA1

        3804950dce3b6db85dd15b4bf3f15db4f362f963

        SHA256

        c46ebb3ae103911ccc6e2713ae31961ba09ac5d1e28655f5dbc1450b85bee2ac

        SHA512

        8748661e20fa4527b62637fce20dfa4379a4382a3a5785906f34d08d8c83dbcc8ede82cedce39471d64ed7c180c77864dc472fac4ff87b10364c58e15e56d70e

        Download Submit

      • \Users\Admin\AppData\Local\Temp\laf\miniup.exe
        Filesize

        65KB

        MD5

        8ee98af38e6c1af39891764ca81b2371

        SHA1

        f396faa9927915989978af4e7c3f3168d0c0cec2

        SHA256

        1cdd44dee8cabab8cdfa104eba66e3370ad3f869aaa7bfac5d1f2d9f6f3858dd

        SHA512

        8b401ff22e27d60e3a2b107d823de7190be5b66a5f1737ff5d0b11fa60fc09df19c9d4014f5970e101a58db44146ea3694d6c85d56f1c6907eabb087e66f7277

        Download Submit

      • memory/1252-94-0x0000000002DC0000-0x0000000002DC1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2676-111-0x0000000000400000-0x0000000000418000-memory.dmp

        Filesize

        96KB

        Download

      • memory/2676-88-0x00000000003D0000-0x00000000003D2000-memory.dmp

        Filesize

        8KB

        Download

      • memory/2676-56-0x0000000000020000-0x0000000000038000-memory.dmp

        Filesize

        96KB

        Download

      • memory/2676-51-0x0000000000400000-0x0000000000418000-memory.dmp

        Filesize

        96KB

        Download

      • memory/2888-0-0x0000000000400000-0x000000000047F000-memory.dmp

        Filesize

        508KB

        Download

      • memory/2888-48-0x0000000000290000-0x00000000002A8000-memory.dmp

        Filesize

        96KB

        Download

      • memory/2888-1-0x0000000000230000-0x00000000002AF000-memory.dmp

        Filesize

        508KB

        Download

      • memory/2888-2-0x0000000000250000-0x0000000000252000-memory.dmp

        Filesize

        8KB

        Download

      • memory/2888-165-0x0000000000400000-0x000000000047F000-memory.dmp

        Filesize

        508KB

        Download