Overview

overview

10

Static

static

7

2b94c39e7d...f5.exe

windows7-x64

10

2b94c39e7d...f5.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    116s
  • max time network
    123s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
  • submitted
    03/01/2024, 15:03

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    2b94c39e7defb4dc1a65ab580fa543f5.exe

  • Size

    7.8MB

  • MD5

    2b94c39e7defb4dc1a65ab580fa543f5

  • SHA1

    8a24f1588ba5e72febf72ac23ae9debedabe3693

  • SHA256

    39f7477fcd8c960c14032809dcee2401c8705b2efa30b10085b02513b4f5ee0c

  • SHA512

    e8e58e923c7ff1ec2fd7ef6df6c2f5b4eb787062ad2b430b21fc0529fc28ceee34b45b24466f4cc1b9b8e5b622d136e628396f174a02fd682712ad85bb572f4e

  • SSDEEP

    196608:47effIPEsy58doQaTzwZ8Jq3QKnqVtxQLizl/sJEl2if8sHQoddmbKSyzybq3/TP:47effIPEsy58doQaTzwZ8Jq3QKnqVtxf

Score
10/10
adwarepersistencestealerupx

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
    persistence
  • Drops file in Drivers directory 2 IoCs
  • Sets service image path in registry 2 TTPs 1 IoCs
    persistence
  • ACProtect 1.3x - 1.4x DLL software 2 IoCs

    Detects file using ACProtect software.

  • Loads dropped DLL 1 IoCs
  • UPX packed file 19 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Installs/modifies Browser Helper Object 2 TTPs 3 IoCs

    BHOs are DLL modules which act as plugins for Internet Explorer.

    stealeradware
  • Modifies WinLogon 2 TTPs 1 IoCs
    persistence
  • Drops file in System32 directory 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2b94c39e7defb4dc1a65ab580fa543f5.exe
    "C:\Users\Admin\AppData\Local\Temp\2b94c39e7defb4dc1a65ab580fa543f5.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Drops file in Drivers directory
    • Sets service image path in registry
    • Loads dropped DLL
    • Adds Run key to start application
    • Enumerates connected drives
    • Modifies WinLogon
    • Drops file in System32 directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3332
    • C:\Users\Admin\AppData\Local\Temp\2b94c39e7defb4dc1a65ab580fa543f5.exe
      C:\Users\Admin\AppData\Local\Temp\2b94c39e7defb4dc1a65ab580fa543f5.exe
      2⤵
      • Enumerates connected drives
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:2884
      • C:\Users\Admin\AppData\Local\Temp\2b94c39e7defb4dc1a65ab580fa543f5.exe
        C:\Users\Admin\AppData\Local\Temp\2b94c39e7defb4dc1a65ab580fa543f5.exe
        3⤵
        • Enumerates connected drives
        PID:4168
    • C:\Windows\SysWOW64\reg.exe
      reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects" /f
      2⤵
      • Installs/modifies Browser Helper Object
      PID:2720
    • C:\Users\Admin\AppData\Local\Temp\2b94c39e7defb4dc1a65ab580fa543f5.exe
      C:\Users\Admin\AppData\Local\Temp\2b94c39e7defb4dc1a65ab580fa543f5.exe
      2⤵
      • Enumerates connected drives
      PID:1660

Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\cftmon.exe
          Filesize

          375KB

          MD5

          74068aab92dd040d2729dda2f862147f

          SHA1

          190887d6509f1399674a67a23434993fc38315ac

          SHA256

          10d6e8f38f4562ccbdae7c3206b1fa906ec52261695bf300a800b946c20acede

          SHA512

          094e8d82d145207fd29d8d952fe0e3ba9401652382a78dee18db14a0bbb148b537958a24106212f36791ef848e4670786d667b094f6b1e10e8225629052c216d

          Download Submit

        • C:\Windows\SysWOW64\ftpdll.dll
          Filesize

          5KB

          MD5

          d807aa04480d1d149f7a4cac22984188

          SHA1

          ffd5be65fd10017e34c11cecd105ebf4aa6c0cd9

          SHA256

          eddf092d901afe128322910c3ff41a3f242d33d6b4cdf91ece327076b324ccbb

          SHA512

          875543583c20ab164f37a4fb2587d234ce0a15d649d22b0d1dae5933f0a7683db170578746ea4458c51fec26e2243c6ec00dc10db8d4289789e50d5800cf863e

          Download Submit

        • memory/1660-17-0x0000000000400000-0x0000000000426000-memory.dmp

          Filesize

          152KB

          Download

        • memory/1660-24-0x0000000000400000-0x0000000000426000-memory.dmp

          Filesize

          152KB

          Download

        • memory/2884-1-0x0000000000400000-0x0000000000426000-memory.dmp

          Filesize

          152KB

          Download

        • memory/2884-22-0x0000000000400000-0x0000000000426000-memory.dmp

          Filesize

          152KB

          Download

        • memory/2884-16-0x0000000000400000-0x0000000000426000-memory.dmp

          Filesize

          152KB

          Download

        • memory/3332-14-0x0000000000400000-0x0000000000426000-memory.dmp

          Filesize

          152KB

          Download

        • memory/3332-19-0x0000000000400000-0x0000000000426000-memory.dmp

          Filesize

          152KB

          Download

        • memory/3332-0-0x0000000000400000-0x0000000000426000-memory.dmp

          Filesize

          152KB

          Download

        • memory/3332-13-0x0000000010000000-0x000000001010B000-memory.dmp

          Filesize

          1.0MB

          Download

        • memory/3332-26-0x0000000000400000-0x0000000000426000-memory.dmp

          Filesize

          152KB

          Download

        • memory/3332-31-0x0000000000400000-0x0000000000426000-memory.dmp

          Filesize

          152KB

          Download

        • memory/3332-41-0x0000000000400000-0x0000000000426000-memory.dmp

          Filesize

          152KB

          Download

        • memory/3332-46-0x0000000000400000-0x0000000000426000-memory.dmp

          Filesize

          152KB

          Download

        • memory/3332-61-0x0000000000400000-0x0000000000426000-memory.dmp

          Filesize

          152KB

          Download

        • memory/3332-66-0x0000000000400000-0x0000000000426000-memory.dmp

          Filesize

          152KB

          Download

        • memory/3332-76-0x0000000000400000-0x0000000000426000-memory.dmp

          Filesize

          152KB

          Download

        • memory/4168-18-0x0000000000400000-0x0000000000426000-memory.dmp

          Filesize

          152KB

          Download

        • memory/4168-30-0x0000000000400000-0x0000000000426000-memory.dmp

          Filesize

          152KB

          Download