Overview

overview

8

Static

static

3

3c2d81eaee...77.exe

windows7-x64

8

3c2d81eaee...77.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    20s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231222-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
  • submitted
    01-01-2024 06:55

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    3c2d81eaee0204ac08594ca6872f1b77.exe

  • Size

    431KB

  • MD5

    3c2d81eaee0204ac08594ca6872f1b77

  • SHA1

    4882168c92b3c1f91e21289436c5f482025b3522

  • SHA256

    e606d4733adf353c8a7bf7d021e43c3920a304538bef46d857df5fd5b64e3dc1

  • SHA512

    2195fdab9a36b177fe8c4518b2e6f0212e546a70ad105f276e826ec5a5db4e2d48a5d1551e0738354444bcc5e23af921b004a4788d57349fcc8d125657c50434

  • SSDEEP

    12288:sQ412eBEXfiDanUdpqjyzyQlPKEEQsd+xB:ZNeBIqoY7plPKhNd+7

Score
8/10
adwareevasionstealerupx

Malware Config

Signatures

  • Sets file to hidden 1 TTPs 1 IoCs

    Modifies file attributes to stop it showing in Explorer etc.

    evasion
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 2 IoCs
  • UPX packed file 3 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Installs/modifies Browser Helper Object 2 TTPs 2 IoCs

    BHOs are DLL modules which act as plugins for Internet Explorer.

    stealeradware
  • Drops file in System32 directory 6 IoCs
  • Kills process with taskkill 1 IoCs
    evasion
  • Modifies registry class 11 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: LoadsDriver 1 IoCs
  • Suspicious use of WriteProcessMemory 27 IoCs
  • Views/modifies file attributes 1 TTPs 1 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\3c2d81eaee0204ac08594ca6872f1b77.exe
    "C:\Users\Admin\AppData\Local\Temp\3c2d81eaee0204ac08594ca6872f1b77.exe"
    1⤵
    • Drops file in System32 directory
    • Suspicious use of WriteProcessMemory
    PID:2908
    • C:\Windows\SysWOW64\taskngr.exe
      C:\Windows\system32\taskngr.exe
      2⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:3056
      • C:\Windows\SysWOW64\cmss.exe
        C:\Windows\system32\cmss.exe
        3⤵
        • Executes dropped EXE
        PID:4428
      • C:\Windows\SysWOW64\wddmgr.exe
        C:\Windows\system32\wddmgr.exe
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        PID:4480
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c regsvr32 /s TEBHO.dll
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2644
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c attrib +s +h c:/file.txt
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3656
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c taskkill /F /im wddmgr.exe
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4448
  • C:\Windows\SysWOW64\regsvr32.exe
    regsvr32 /s TEBHO.dll
    1⤵
    • Loads dropped DLL
    • Installs/modifies Browser Helper Object
    • Modifies registry class
    PID:6128
  • C:\Windows\SysWOW64\attrib.exe
    attrib +s +h c:/file.txt
    1⤵
    • Sets file to hidden
    • Views/modifies file attributes
    PID:5300
  • C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /im wddmgr.exe
    1⤵
    • Kills process with taskkill
    PID:3688

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/2908-0-0x0000000000400000-0x00000000004F0000-memory.dmp

    Filesize

    960KB

    Download

  • memory/2908-18-0x0000000000400000-0x00000000004F0000-memory.dmp

    Filesize

    960KB

    Download

  • memory/2908-2-0x0000000000400000-0x00000000004F0000-memory.dmp

    Filesize

    960KB

    Download

  • memory/2908-1-0x00000000006B0000-0x00000000006B1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3056-7-0x0000000000400000-0x0000000000571000-memory.dmp

    Filesize

    1.4MB

    Download

  • memory/3056-8-0x00000000023E0000-0x00000000023E1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3056-28-0x0000000000400000-0x0000000000571000-memory.dmp

    Filesize

    1.4MB

    Download

  • memory/3056-30-0x0000000000400000-0x0000000000571000-memory.dmp

    Filesize

    1.4MB

    Download