1e825fa83b00fe31560196466ef8ea254fb8811078ba48cb1935db859a75f501

Analysis

max time kernel
119s
max time network
120s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
09/01/2024, 15:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4e9e35e8f32b581013c3945412fc3626.exe
Size

6KB
MD5

4e9e35e8f32b581013c3945412fc3626
SHA1

b9a0bd17a76780683511ef79437affec98f3dd90
SHA256

1e825fa83b00fe31560196466ef8ea254fb8811078ba48cb1935db859a75f501
SHA512

a9cc8727b61f763125508126a6aac60759ab1a0709b8095e4b35f2092e68ef4f77a5c2b9690b93b4f64026239ce21603edd3ed5759b101eab03b13f1e99e9849
SSDEEP

192:QsPS0nd//EsbqdQvTIAEWA+a0uiZkTSyU7zp0nqI8TAAp:QVlsbeKT60hkH8wqjL

Score

7^/10

adware stealer

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2540	cmd.exe

Installs/modifies Browser Helper Object 2 TTPs 1 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{61234313-6329-6256-7241-ABCE7204AFFF}	4e9e35e8f32b581013c3945412fc3626.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\g_ext.dll	4e9e35e8f32b581013c3945412fc3626.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 6 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{61234313-6329-6256-7241-ABCE7204AFFF}\InprocServer32\ThreadingModel = "Apartment"	4e9e35e8f32b581013c3945412fc3626.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{61234313-6329-6256-7241-ABCE7204AFFF}\InprocServer32\ = "C:\\Windows\\SysWow64\\g_ext.dll"	4e9e35e8f32b581013c3945412fc3626.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{61234313-6329-6256-7241-ABCE7204AFFF}\script0002 = 04a5aa163483b11e3855e14e2cc5405df70d18056ed4ef8424ecdeb3ae1f2046c95f8d75fc43507cc8	4e9e35e8f32b581013c3945412fc3626.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{61234313-6329-6256-7241-ABCE7204AFFF}\script0001 = 04a5aa163483b120b960cf4ea7c5b956fe117385e475e2959bc2a636092daccc620ee200404cd490680c	4e9e35e8f32b581013c3945412fc3626.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{61234313-6329-6256-7241-ABCE7204AFFF}	4e9e35e8f32b581013c3945412fc3626.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{61234313-6329-6256-7241-ABCE7204AFFF}\InprocServer32	4e9e35e8f32b581013c3945412fc3626.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2820 wrote to memory of 2540	2820	4e9e35e8f32b581013c3945412fc3626.exe	28
PID 2820 wrote to memory of 2540	2820	4e9e35e8f32b581013c3945412fc3626.exe	28
PID 2820 wrote to memory of 2540	2820	4e9e35e8f32b581013c3945412fc3626.exe	28
PID 2820 wrote to memory of 2540	2820	4e9e35e8f32b581013c3945412fc3626.exe	28

C:\Users\Admin\AppData\Local\Temp\4e9e35e8f32b581013c3945412fc3626.exe
"C:\Users\Admin\AppData\Local\Temp\4e9e35e8f32b581013c3945412fc3626.exe"
1⤵
- Installs/modifies Browser Helper Object
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2820
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\stam.bat" "
  2⤵
  - Deletes itself
  PID:2540

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Browser Extensions

T1176

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\stam.bat

Filesize
222B

MD5
8790265568bc5cde415e544ece7c0c36

SHA1
b1715b8a3e1f9083bde223af264032c7e2cf2a9c

SHA256
8b47988c9800d48b12e34aeb94aecd41e667056899f2fa0085bf4c0097948503

SHA512
4246bd75b154d9cfd7890ee8c0fb6cc8f88f014f1e2786528a133a2f7fe96f94824bfa0c6af86a8162d012d3d0e5ec78d65528251a9c6a7a398b4266006e8cf4

Download Submit
memory/2820-9-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download