43bbc3894e89014e018da12303824647970fa14510f646be7fefd038f2e38b96

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
19/03/2024, 18:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Visualizar.exe
Size

380KB
MD5

a0499c528485f98d6f92a1d417abb9ec
SHA1

5143a1ed4ebd77f6c957def9a9967c353f8bce63
SHA256

1df1b7974395702532365b128b157c6f248baa1fce453b45772098aabd92a954
SHA512

2437fb42750182dfec70d6cba86053873abe29357749d3ab89f2e855fbb5734e16ce4d31e7b7cec22b5060cb677cbded78f777cdb006d405a0909b3945b1a227
SSDEEP

6144:Wifrt/9VPG/iLfryD12MXWrQhWXRcSQWCGrikUg1UTab7cwveEF6W6K1A:R/9pG/iLiPXWkjfmekHNcwveEF6WK

Score

7^/10

adware spyware stealer

Malware Config

Signatures

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Installs/modifies Browser Helper Object 2 TTPs 2 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\	Visualizar.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\	Visualizar.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\tefk3890.dll	Visualizar.exe
File created	C:\Windows\win000.tmp	Visualizar.exe
File opened for modification	C:\Windows\win000.tmp	Visualizar.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4608	Visualizar.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4608 wrote to memory of 544	4608	Visualizar.exe	87
PID 4608 wrote to memory of 544	4608	Visualizar.exe	87
PID 4608 wrote to memory of 544	4608	Visualizar.exe	87
PID 544 wrote to memory of 3856	544	cmd.exe	90
PID 544 wrote to memory of 3856	544	cmd.exe	90
PID 544 wrote to memory of 3856	544	cmd.exe	90
PID 4608 wrote to memory of 4732	4608	Visualizar.exe	94
PID 4608 wrote to memory of 4732	4608	Visualizar.exe	94
PID 4608 wrote to memory of 4732	4608	Visualizar.exe	94

C:\Users\Admin\AppData\Local\Temp\Visualizar.exe
"C:\Users\Admin\AppData\Local\Temp\Visualizar.exe"
1⤵
- Installs/modifies Browser Helper Object
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4608
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\System32\cmd.exe /k %windir%\System32\reg.exe ADDHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System/v EnableLUA /t REG_DWORD /d 0 /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:544
- - C:\Windows\SysWOW64\reg.exe
    C:\Windows\System32\reg.exe ADDHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System/v EnableLUA /t REG_DWORD /d 0 /f
    3⤵
    PID:3856
- C:\Windows\SysWOW64\regsvr32.exe
  C:\Windows\system32\regsvr32.exe /s C:\Windows\tefk3890.dll
  2⤵
  PID:4732

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Browser Extensions

T1176

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\tefk3890.dll

Filesize
162B

MD5
70461da8b94c6ca5d2fda3260c5a8c3b

SHA1
994bc667720c21257500e29038c1a5f61e25da1e

SHA256
f33c27745f2bd87344be790465ef984a972fd539dc83bd4f61d4242c607ef1ee

SHA512
ee993842123fa9b1905fe6b111aca70c1ea3e7f4fefeff889cb803887c6ccdccbc9a8e1025cc98528b7790e973436ac650c733421a168d0cd0dba22141b43179

Download Submit