Overview

overview

8

Static

static

7

21cda66be5...43.exe

windows7-x64

8

21cda66be5...43.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    152s
  • max time network
    137s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
  • submitted
    31/12/2023, 00:32

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    21cda66be5a5a266a6834c4f7c380b43.exe

  • Size

    17KB

  • MD5

    21cda66be5a5a266a6834c4f7c380b43

  • SHA1

    3a4db917567623519a0060737c8108abaec865b1

  • SHA256

    e0e21bfe863806596f9134d366c6ac0570cde94708f823bc5028213ccabb1b57

  • SHA512

    80bffa1ce86cbf35db15551aa395ab885321765f0addcfd93cac9ff629a4d665ede30d747ce88e617c956303fa0c54c3c78f98ee00bbf40584cc5994c1078cb1

  • SSDEEP

    384:2ouG6vcHqnOpe+JztSs8/SoG8EaiV2yqQ6e8vaWUUHcfj:SFcGoxJtSdi87isQR+aWhcf

Score
8/10
adwarepersistencestealerupx

Malware Config

Signatures

  • Adds policy Run key to start application 2 TTPs 2 IoCs
    persistence
  • ACProtect 1.3x - 1.4x DLL software 1 IoCs

    Detects file using ACProtect software.

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 3 IoCs
  • UPX packed file 7 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Installs/modifies Browser Helper Object 2 TTPs 3 IoCs

    BHOs are DLL modules which act as plugins for Internet Explorer.

    stealeradware
  • Modifies Internet Explorer settings 1 TTPs 11 IoCs
    adwarespyware
  • Modifies registry class 6 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\21cda66be5a5a266a6834c4f7c380b43.exe
    "C:\Users\Admin\AppData\Local\Temp\21cda66be5a5a266a6834c4f7c380b43.exe"
    1⤵
    • Adds policy Run key to start application
    • Loads dropped DLL
    • Installs/modifies Browser Helper Object
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2784
    • C:\Windows\SysWOW64\ctfmon.exe
      ctfmon.exe
      2⤵
        PID:2444
      • C:\Windows\SysWOW64\ctfmon.exe
        ctfmon.exe
        2⤵
          PID:2740
        • C:\Users\Admin\AppData\Local\Temp\sbsm.exe
          C:\Users\Admin\AppData\Local\Temp\sbsm.exe
          2⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:2864
          • C:\Windows\SysWOW64\ctfmon.exe
            ctfmon.exe
            3⤵
              PID:2352
        • C:\Windows\SysWOW64\ctfmon.exe
          ctfmon.exe
          1⤵
            PID:1904

          Network

                MITRE ATT&CK Enterprise v15

                Replay Monitor

                Loading Replay Monitor...

                Downloads

                • \Users\Admin\AppData\Local\Temp\sbmdl.dll
                  Filesize

                  7KB

                  MD5

                  be2073b9da87faf7f160d13d13085f23

                  SHA1

                  aae42996e7675de4ee0c268e618f658913e1e296

                  SHA256

                  7b6b7399b4a64e087fa63ade7b40600f85c5c04d06c72779af77383871b0a2c3

                  SHA512

                  736e49495b93287f19a4ea8c5b841d29a08b4855ac76e7bb786d1afb34f799aba5f048f6f584a58b0f94b19eed986642bacf01ca5a01a356b0b195fd2301ea08

                  Download Submit

                • \Users\Admin\AppData\Local\Temp\sbsm.exe
                  Filesize

                  5KB

                  MD5

                  6fb9ebf6bd26c22d6fc829210e1ad8a3

                  SHA1

                  1f7797c4887c808a0db06bd394fd9d462c286d63

                  SHA256

                  4a404c3c4875b032e4405379d35a0ab52c321de652d9d3ebc179241f43cdab86

                  SHA512

                  78ae674e95c4588fa7f0f6b05d4969f00ae07c5e7237cfbe0be1ee52850a07608ba93be88120c909b47fc8b295bcd0c1e180530acaf0818730bf62fe3663d35d

                  Download Submit

                • memory/2784-0-0x0000000000400000-0x000000000040C000-memory.dmp

                  Filesize

                  48KB

                  Download

                • memory/2784-4-0x0000000010000000-0x0000000010009000-memory.dmp

                  Filesize

                  36KB

                  Download

                • memory/2784-14-0x0000000000270000-0x0000000000277000-memory.dmp

                  Filesize

                  28KB

                  Download

                • memory/2784-8-0x0000000000280000-0x0000000000287000-memory.dmp

                  Filesize

                  28KB

                  Download

                • memory/2784-15-0x0000000000400000-0x000000000040C000-memory.dmp

                  Filesize

                  48KB

                  Download

                • memory/2784-18-0x0000000000280000-0x0000000000287000-memory.dmp

                  Filesize

                  28KB

                  Download

                • memory/2784-17-0x0000000010000000-0x0000000010009000-memory.dmp

                  Filesize

                  36KB

                  Download

                • memory/2784-21-0x0000000000270000-0x0000000000277000-memory.dmp

                  Filesize

                  28KB

                  Download

                • memory/2864-16-0x0000000000400000-0x0000000000407000-memory.dmp

                  Filesize

                  28KB

                  Download