Overview

overview

7

Static

static

7

508e5e07df...7b.exe

windows7-x64

7

508e5e07df...7b.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
  • submitted
    10/01/2024, 12:26

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    508e5e07dfb90e1ad6bfe4699fa7d77b.exe

  • Size

    87KB

  • MD5

    508e5e07dfb90e1ad6bfe4699fa7d77b

  • SHA1

    2fac850952b7b76a0653e927125d68757392347b

  • SHA256

    5f897e12d160430958187c0f3d1a71b21f2b648c749fff2d321f92b8e9522cee

  • SHA512

    510ed2d8e64e982ffca4516b797992b4b6e52a3d510da8780f83728ebdc6f36970426829c0bdffa25b281fde1fe5ac1fe216301346863ffbc6e4ff58169e05ef

  • SSDEEP

    1536:usfXh6ZNfFyoNCoGEvBlfXyoBncIe+E9WQKzuHkN1MAarP0nnRshPdBteJzYnvt:LfXh6ZNfFyhEp1XyoBncIeeSHqnG0nQr

Score
7/10
adwarediscoverypersistencestealerupx

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 8 IoCs
  • UPX packed file 2 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Installs/modifies Browser Helper Object 2 TTPs 3 IoCs

    BHOs are DLL modules which act as plugins for Internet Explorer.

    stealeradware
  • Drops file in Program Files directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies Internet Explorer settings 1 TTPs 6 IoCs
    adwarespyware
  • Modifies registry class 64 IoCs
  • Modifies system certificate store 2 TTPs 6 IoCs
    evasionspywaretrojan
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 64 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\508e5e07dfb90e1ad6bfe4699fa7d77b.exe
    "C:\Users\Admin\AppData\Local\Temp\508e5e07dfb90e1ad6bfe4699fa7d77b.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in Program Files directory
    • Modifies Internet Explorer settings
    • Modifies system certificate store
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2912
    • C:\Windows\SysWOW64\regsvr32.exe
      regsvr32 /s "C:\Program Files (x86)\TopGuide\TopGuide.dll"
      2⤵
      • Loads dropped DLL
      • Installs/modifies Browser Helper Object
      • Modifies registry class
      PID:2664
    • C:\Program Files (x86)\TopGuide\TopGuide.exe
      "C:\Program Files (x86)\TopGuide\TopGuide.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2764
      • C:\Windows\SysWOW64\regsvr32.exe
        regsvr32 /s "C:\Program Files (x86)\TopGuide\TopGuide.dll"
        3⤵
        • Loads dropped DLL
        • Installs/modifies Browser Helper Object
        • Modifies registry class
        PID:2692

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Program Files (x86)\TopGuide\TopGuide.dll
    Filesize

    105KB

    MD5

    af91dc5eb2f1600a2acce03de4db8161

    SHA1

    3dc31ecc6ab4111d6f265c5a5700091449ae9df4

    SHA256

    0c1113cec21ed5a03fdd50f4602c362a161c55e4681788328624c296e49a70a5

    SHA512

    67f563095432601fddfc181c1fe1b020463c77148f59c8ea9bfade4b9e3392b1b1906b9603a10041d17c75f24265a5a9aa87ce6cda1d64ae356abba69519b3f2

    Download Submit

  • C:\Program Files (x86)\TopGuide\adc.dll
    Filesize

    23KB

    MD5

    33d7115901c7382d911c5e5f28d95850

    SHA1

    e6b5b513626a1afd7285a1a3648912d54e819128

    SHA256

    b6af553defd463dd7d63b3c65b27d81a1ec5bb325cdaf57d3d42792e8d0dd361

    SHA512

    d5f697dad1c37b7b9d1ea30bd400f1900046fedc1c5ea4b9dea9646ea94f43ec81d3dad6f97f8ab2ab97c2804a939f72f903efae4b1e3e6f45b970bf5bf0eeed

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    344B

    MD5

    1bacde3df08c7f113e832514253005d5

    SHA1

    806b4afbc514c1c1133e0605ded1e245c03a58e5

    SHA256

    2f47d8db385d2a83b41ed9da30a30375bcc4a189782a4e5319c69c68704d3ca3

    SHA512

    0ea353477f6c0267d14bedad6027b64e47dd9388c0f04af6c5a776b59896d9329ff955536e2a14bf49fdcd1fc074ef2fac78f142fadf6512d2d8f4b38c8d2f6e

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Cab8DC1.tmp
    Filesize

    65KB

    MD5

    ac05d27423a85adc1622c714f2cb6184

    SHA1

    b0fe2b1abddb97837ea0195be70ab2ff14d43198

    SHA256

    c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

    SHA512

    6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Tar8EAE.tmp
    Filesize

    171KB

    MD5

    9c0c641c06238516f27941aa1166d427

    SHA1

    64cd549fb8cf014fcd9312aa7a5b023847b6c977

    SHA256

    4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

    SHA512

    936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

    Download Submit

  • \Program Files (x86)\TopGuide\TopGuide.exe
    Filesize

    45KB

    MD5

    97a66539f4cdf6f5970d4f3ab62e7157

    SHA1

    32dca1cbc2a1729dae1fba9b66d7221ed8b0b6a2

    SHA256

    d8fd95ab37afabedcd5d6a76785897b70770644ed3ab8a2b274dfd6ed971ea12

    SHA512

    1857d4829bc758b49a4ba7c2e5bf16b7d07c6eebde561829c4a2f850f50399da5ba68026c5ae19332af023117b750abfa39d05b844c2131c4479cdac387b8abe

    Download Submit

  • memory/2912-0-0x0000000000400000-0x000000000043F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2912-1-0x0000000000230000-0x000000000026F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2912-2-0x0000000000230000-0x000000000026F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2912-108-0x0000000000400000-0x000000000043F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2912-109-0x0000000000230000-0x000000000023C000-memory.dmp

    Filesize

    48KB

    Download