Overview

overview

7

Static

static

3

5796dec86f...b2.exe

windows7-x64

7

5796dec86f...b2.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    143s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
  • submitted
    13-01-2024 01:10

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    5796dec86f4eb6625513cb62758495b2.exe

  • Size

    921KB

  • MD5

    5796dec86f4eb6625513cb62758495b2

  • SHA1

    34f7e64ec7009b473a427797844d6f644709746d

  • SHA256

    5ce4cef82a94e958c2ca84310c356ed130f3082f0c417e9250c8002defed31fc

  • SHA512

    1bf424995a3ad468f6650741a78c87da37739f42672603c1f3e05fe06a058a2bf25c812c707e5fa24a16c7c22af5171c2c72b17a44cb2b69a05c9ee9564cff37

  • SSDEEP

    12288:V9ORtoNV13bozV+3c0NTMl3JOXdZPbpr+JlLDDY7vvEK9k4nRJ8VdRK9RKzs3QQR:KRtkc0RMlkNZAJlLXzK9k4ncszUsAQJf

Score
7/10
adwarepersistencestealer

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 6 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Installs/modifies Browser Helper Object 2 TTPs 2 IoCs

    BHOs are DLL modules which act as plugins for Internet Explorer.

    stealeradware
  • Drops file in System32 directory 8 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 58 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SendNotifyMessage 1 IoCs
  • Suspicious use of SetWindowsHookEx 10 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\5796dec86f4eb6625513cb62758495b2.exe
    "C:\Users\Admin\AppData\Local\Temp\5796dec86f4eb6625513cb62758495b2.exe"
    1⤵
    • Checks computer location settings
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:3096
    • C:\Users\Admin\AppData\Local\Temp\RarSFX0\rinst.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX0\rinst.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in System32 directory
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:948
      • C:\Users\Admin\AppData\Local\Temp\RarSFX0\ic.exe
        "C:\Users\Admin\AppData\Local\Temp\RarSFX0\ic.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Modifies registry class
        • Suspicious use of SetWindowsHookEx
        PID:4428
      • C:\Windows\SysWOW64\bpk.exe
        C:\Windows\system32\bpk.exe
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Adds Run key to start application
        • Installs/modifies Browser Helper Object
        • Drops file in System32 directory
        • Modifies registry class
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        • Suspicious use of SetWindowsHookEx
        PID:1380
  • C:\Windows\system32\OpenWith.exe
    C:\Windows\system32\OpenWith.exe -Embedding
    1⤵
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:3952

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\bpk.exe
    Filesize

    388KB

    MD5

    a4a11139c9dd3e527afefb2ee6e1ae0a

    SHA1

    34fce48f82ffe95309434753f8c1d6ef8d446e3a

    SHA256

    2b213fc0da8e7eeda17870abdfb92464a2433638249e44ca4e8151c9ea63bfca

    SHA512

    1c96e366405f896ed96cc249492cb44136128053989c2fae91fbf6bd5cb496653bcc8639cf6393304f7e2a7d944e147c79d17ae36dfcd118dd97c3760614fc46

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\bpkhk.dll
    Filesize

    8KB

    MD5

    d378077c4990f56608e14a78de56cd21

    SHA1

    c9a35154c55ffc19c64eafb9b5c3247ee81047e5

    SHA256

    6c19801e04b94f5f639d47256d0bd249ac4a397345c76c3b0f3ed78d0fe18f65

    SHA512

    70dfe6dfc7e1b72ab2391303bc65fa9eee970a2545d5dba3c34534d8b3f78326055d53cf3b1afa3a28074a53d80d7218fe727a21e723c7c11c0d34a1517dcf1d

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\bpkwb.dll
    Filesize

    40KB

    MD5

    9d7a1226ac7fb251bdc0690ac8082e27

    SHA1

    d75e35a00be9976d59fe9dfc132751abcfa75331

    SHA256

    d1a27632bc87b62967959ea6ca43561be1c86a3cc5199a45d071d305cb9f75a4

    SHA512

    6482067be4ea4cb9f0a99110e518f972e3180d138bf7c1bbd761004e839bb7c313bd5a8a876f4326ee4147d1cf4e36a1e652b9023d0a50af985d9ce4d4ae333d

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\ic.exe
    Filesize

    1.6MB

    MD5

    6e0c893243e93da0af06c8695dd4fc6b

    SHA1

    baef9efb824971eaeacdf599f9e686e392b28940

    SHA256

    00b3d64c41b8db0a4a7d990e59840e157609467e7dc030555ef944896956cdc9

    SHA512

    d65b9df266e24bb91c9bc17a546eab22a1285f8aca3b138971323b5880fd50020523cf760d1d8fd475ae788bdcbc70fc0ba4e0dc475f96365c716761fe14f36e

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\inst.dat
    Filesize

    996B

    MD5

    466ef24af33f792a246575927fe4c43a

    SHA1

    d5358c38d2494cc667e0afb6591a5688c2e8778f

    SHA256

    7e94f51c3c536c2ff48bdd4e6f11c40a503b083ee651692adb93193f2e30325f

    SHA512

    82cf149372113753acbb7b8e8f077872c6bb8b4a4568ff513b1d437c8a0e7f0f6c37ac9b04bfa32a7d3766ff519ba33bef89bc51bab42a81e9f490eafc75478d

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\pk.bin
    Filesize

    3KB

    MD5

    819d6fa460237b8d8354fed88d138534

    SHA1

    f52fae55cab7dc00e5de45a28a99456db550e38e

    SHA256

    6b8740ce4b0a070a662cb1c85318cb589c10760d1e1610b8ad14a6195a960b34

    SHA512

    5ba03ed46c600415d1fbcb253c8dcbfe67ce4489f75126d54d3f6d6c83d97bd75addae90b1968aefa7406198224f98a56d8904941334dc4d575ae855c37132d1

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\rinst.exe
    Filesize

    7KB

    MD5

    c2945ee5c57f33f8bbb6a4f6d539180b

    SHA1

    64c958603de6a1db225752e9abb87222faf24c68

    SHA256

    b6c83639513169d01356a02db1631e8f28320c8ed0cd9f485d5433d13616f349

    SHA512

    8bdd657d45ed8720c92dad611f5c41c0e8e6602444232ce23b0258a8a8c1b194b1ad6498f25292c29ed7b8deb42b220245130a87f54b34d49dd250fb31f149d4

    Download Submit

  • C:\Windows\SysWOW64\bpk.exe
    Filesize

    388KB

    MD5

    0579a3ade48160490f11e7fd76ac979f

    SHA1

    f50361131af2b98c8e03c5fec0d5e72f4be5ff65

    SHA256

    449d479776f1e6b1cb88fdc81eb88b2dde423e53c648ad19a17d27d82717512d

    SHA512

    a97ef3f04ed4207e369ced8e9f21e31c33051555279736ade7b76494b8177ae13c91942e83e0d58e52b663625bd666897e97b23fe8ef61964e042b7a8d831de7

    Download Submit

  • C:\Windows\SysWOW64\bpkhk.dll
    Filesize

    8KB

    MD5

    a9bce1d47adb3f7779809adc1c04726d

    SHA1

    265b2cd93ba894477c6a9d45b0c9ab65ea88d3b4

    SHA256

    8f70fee209f1ff4fde13b865618751e3c8cdfb454bb1b964f07c9af90e69be94

    SHA512

    ea6b0d8f2c0768c6e1e147c132c24a085c4174fb7ec565d23c774bffebae28c53a2ab60d3d279879a42f904cabb4e5268e767a44773eac648721335817fdacdb

    Download Submit

  • C:\Windows\SysWOW64\bpkwb.dll
    Filesize

    40KB

    MD5

    f5cd91b683eed55da373d54fac54d52d

    SHA1

    83665074e3ee67dae8d0d8010a1bb07d3a6c7ef0

    SHA256

    815f893e764eb040fa19e35b66cbc04c469144575039817de0f8548f39f8327d

    SHA512

    57f74a66057472c1ebb28f666e1478797a8fb1a3b37596ba9d99930e6b6bfb98e2bb30329c31d691f75043d286db2b6d77145b6e9f42801f0719aab77712c0d9

    Download Submit

  • C:\Windows\SysWOW64\ezupload.org
    Filesize

    22KB

    MD5

    6574f3058728aed36cb6cee30925a49e

    SHA1

    81bbbd61f489266202ebf9866deb55a33e9610c9

    SHA256

    7ddc02d560e6b5a69e01e1bd16fcb552dee28834fa09c2cac02c80cbdea109eb

    SHA512

    e6c4fa7da5d7b27ab879205ac8002820c72914290235d50d722267eb984063e3da7e32da4ffc1aea406ba0174da3850dd84455a5c5f6e77e045269996e3e0c4a

    Download Submit

  • C:\Windows\SysWOW64\pk.bin
    Filesize

    3KB

    MD5

    048b4a01cd77527e6fa8464d1ce6716d

    SHA1

    f18e077bf9bc65c4b44cc9aff3441b05d170ebde

    SHA256

    d55ae78404aae1e0e1a653bc9991e98dabadfe66114ce4d824490d94f8df8b4b

    SHA512

    d1cab93b44f73a9d4467e215fe7b91e3eb5f4abca853055e5b8333161f377fb70a792c52e62907c442f41aff9601e20abb9af8cf09bb5be5b40004535a8f79dc

    Download Submit

  • memory/3096-56-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

    Download

  • memory/3096-58-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

    Download