Analysis

  • max time kernel
    149s
  • max time network
    138s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    08-10-2024 21:20

General

  • Target

    Given.exe

  • Size

    287KB

  • MD5

    6b390af9632f012427a933c5eeb7bab3

  • SHA1

    0c9d0ecdecf5345979f69531a21351d010df1506

  • SHA256

    99b03942ece46f958ed08ad90f8429a60379110e9ec0bb412f73e2086bd55b82

  • SHA512

    cc156a2a995f9ca72f9677cf03b83f50b313ca7ddd7074ac8f6b91272482dd0abaaa553a263da4f9b238dcd1cf5f385587eebfd26fdaa9739bdd67d7d8bbd034

  • SSDEEP

    6144:qY94NC4HMKYjliZBVaPagdaTAaHdib8+EAuweqCRoASeaA0AHR:59ONRQlO8CgUbiI+EKeqyoASNAx

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 4 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Installs/modifies Browser Helper Object 2 TTPs 2 IoCs

    BHOs are DLL modules which act as plugins for Internet Explorer.

  • Modifies WinLogon 2 TTPs 13 IoCs
  • Drops file in System32 directory 9 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry class 46 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of SetWindowsHookEx 10 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Given.exe
    "C:\Users\Admin\AppData\Local\Temp\Given.exe"
    1⤵
    • Checks computer location settings
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:5104
    • C:\Users\Admin\AppData\Local\Temp\RarSFX0\rinst.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX0\rinst.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:60
      • C:\Users\Admin\AppData\Local\Temp\RarSFX0\funny.exe
        "C:\Users\Admin\AppData\Local\Temp\RarSFX0\funny.exe"
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Modifies WinLogon
        • Drops file in System32 directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:4100
        • C:\Windows\SysWOW64\Shield.exe
          C:\Windows\system32\Shield.exe
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Adds Run key to start application
          • Installs/modifies Browser Helper Object
          • Drops file in System32 directory
          • System Location Discovery: System Language Discovery
          • Modifies registry class
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SendNotifyMessage
          • Suspicious use of SetWindowsHookEx
          PID:4752
      • C:\Windows\SysWOW64\Shield.exe
        C:\Windows\system32\Shield.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:2992

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\Shield.exe

    Filesize

    424KB

    MD5

    b7738881d38973a2911df0099f740384

    SHA1

    c69251bc5d9018bcfdb130747e50402aef38fcbf

    SHA256

    f35abb9868fa3f5abc08e268dd5dd8d618da24f82c4bb5712d8983ec71d02d68

    SHA512

    65cecce4938bd606eb1bfa760e78b584c205b1ef0dd4298054614059805b2e798f64e53de62f2d0c0136fbad9ef80b41e390f1df2121c4b2ebb807efb710ba2c

  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\Shieldhk.dll

    Filesize

    24KB

    MD5

    5327c4415efa626a9243886db6442144

    SHA1

    bdd96aa6816c1d7745fca189876fa59d941d9108

    SHA256

    67fb819573b5abb7c964114742872aadf4cfee6f659a3660ea69b9ec0df3459a

    SHA512

    e7162f24f04d63c0472b3a46c8324b45d61813a7dcd6a6d2ddc912c8d9bd26001d1343a72db0037e817592f21f75f3b500beae91ec4b00f9604cf1c58569f5d9

  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\Shieldwb.dll

    Filesize

    40KB

    MD5

    9de7bf46169c7cfd40f84a1eca2f8c81

    SHA1

    8597e06bdbc4adcd48769759ae34f4372c8bd650

    SHA256

    b95750b4c39d584f42ab86593218dc412e93379a9365887a0c29adbaf88bd6d7

    SHA512

    69b9aed8e3842c5f65df5860a69a90e0aeaaa73a9162dcfa25988edd8259fa145a4e2592d4176271ddf1f27a627ca67b4954944e2b35b687086f9b8fe8074d36

  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\funny.exe

    Filesize

    43KB

    MD5

    5f6a913716003c05bf1f8fa9cf4aefe7

    SHA1

    1e1b87acda7e17d24f70056a8a07bc86566446aa

    SHA256

    04ce4e7a5e0742239f6de10293210037236afc02f107e479bd06eab9b12a773f

    SHA512

    879f0d54b7d3f1589281eee52ba73df6d1de5afa626e180a0c5bb0e9363f3a0dcabb346aa8bb299a4c38ad71c72c7f948be1cb6571e1485d9d55c4020449d66b

  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\inst.dat

    Filesize

    996B

    MD5

    67cf2498ce46d30cf0ed12ecb65690ef

    SHA1

    84949af99022504f28661711543d397401d74bfa

    SHA256

    e09293e868ced131640af1607ea84e0c5b65b41ad75129105cf84047cc639140

    SHA512

    5584f93327ced0e7f9968660dd6ba98ebbd397741a99ed9e39b7c17a69d68f0185bc91db959ba39e265cba8a174e4e79cd54b1172b82ed9b5416fbdd37ffaa39

  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\mc.dat

    Filesize

    28B

    MD5

    ae026441c6c90d458c0aecbb32e037cc

    SHA1

    b0b74157d39a3775219e4b5e4fd71f394be7ea56

    SHA256

    8be1681ae6a1caeefe5d7db21657c245eb5cee85b8f459150366ea31d5642588

    SHA512

    11c2e8c9a0283a6524399d220f60a25148ddda69584018009f97f448b69f5788fe84dccdd8b1edf1bfbc60aea279d6a5e80c12fd413b25dab859af7e3b816f4e

  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\pk.bin

    Filesize

    4KB

    MD5

    a31c568f0e5f1ee1f42106ce43288217

    SHA1

    0960076b6c107e5882890ddfa97823d7747dcc6c

    SHA256

    437dea9d1cea4936917c6c7a8fa8f8b514fc21acfae81b620be909d908387845

    SHA512

    9d84b420a6dc491ad09fcf772cdea3786b31a01b25309f071b7c08586316dd892deb358755ca99760d20d870f2d5f223035822c687163e7b08be56a6c671eba5

  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\rinst.exe

    Filesize

    7KB

    MD5

    fbe4bab53f74d3049ef4b306d4cd8742

    SHA1

    6504b63908997a71a65997fa31eda4ae4de013e7

    SHA256

    446658dd5af649857fff445c600f26cdc1d0c19c86a080f312b89b1890182092

    SHA512

    d458ab806a3ed3d1494a13ad8a75df874a0b227cb4f337996cb82df3c4a26dc9c4fe48a664b53b052a4af123ea8d89911d9d9493870e6b5992d5621a32260c2f

  • C:\Windows\SysWOW64\Shield.exe

    Filesize

    424KB

    MD5

    994ffae187f4e567c6efee378af66ad0

    SHA1

    0cc35d07e909b7f6595b9c698fe1a8b9b39c7def

    SHA256

    f0b707b1ab25024ba5a65f68cd4380a66ef0ce9bb880a92e1feee818854fe423

    SHA512

    bd5320327a24fbab8934395d272869bfa97d77a2ee44ac6eec8fa79b3ffbd4a049bf9dfeeb6b8cc946c295a07bd07ddba41d81c76d452d2c5587b4bf92559e0a

  • C:\Windows\SysWOW64\Shieldhk.dll

    Filesize

    24KB

    MD5

    9ac9028338d1b353a7cacb563bb91df7

    SHA1

    a20c5dee8f05c91686324cec2d5b092bafe58339

    SHA256

    93c0e7f41d5d74217189e4cc2d5cdb8f97d8e5eeef0a0dcf4cecd67e3393682c

    SHA512

    ac83c8f7b6fe913487015d8d7a2e430e917d230b6b2907150f6c4a73bf64c3a02320dddc29fea03db5df8ac5620d8a902fe7be80ba1b1bd1e6f5b8b1b016ddfe

  • C:\Windows\SysWOW64\Shieldwb.dll

    Filesize

    40KB

    MD5

    21d4e01f38b5efd64ad6816fa0b44677

    SHA1

    5242d2c5b450c773b9fa3ad014a8aba9b7bb206a

    SHA256

    3285df0c25d4b9b6d5ccbe166a3ce3d04f5cb3a0d61c8bf29bf5f953e51b0977

    SHA512

    77dae941676a56664da89c7670d29ed5402032c8040df1cc231986733c78f0dc56c41f7a276ec9ea8336e3fa2bfc68d3121048e9585bf0d8a98917d799f669b8

  • C:\Windows\SysWOW64\mc.dat

    Filesize

    28B

    MD5

    12f7379d2501b75a2b168908128de6ac

    SHA1

    a8b96d737c0381a1a2c5f1df4064767aee23d78b

    SHA256

    89466378e197018071714ae012cf09636224a12da88665a73b15c3d77934668a

    SHA512

    0ce89b8d357654e944aac5ac98628a8e6de432f9e3de0888ef6de183dd3a427d87f942e18d0f333451d8b838c429996186c34994ce6f8043800cb34cc005222e

  • C:\Windows\SysWOW64\pk.bin

    Filesize

    4KB

    MD5

    e602d60f68fcefbc2292e02ab5d55c73

    SHA1

    cc9f6f4969d0704c6d3d83484e590d9e09597270

    SHA256

    97c378880d035f76a1ca207512c45af83e5c8d8c60b14d5b087df4389ef6177d

    SHA512

    0acbe211a2467d07957cd70640d30bc6d7f2a17dd8112c63831253e257bbf4772eb2c23e5a4002662ff11ceb360184da34b8c6bb7cc7d793623f71b6d79dfce9

  • memory/5104-53-0x0000000000400000-0x0000000000418000-memory.dmp

    Filesize

    96KB