Overview

overview

10

Static

static

3

337f603c8b...18.exe

windows7-x64

10

337f603c8b...18.exe

windows10-2004-x64

10

$PLUGINSDI...nu.dll

windows7-x64

3

$PLUGINSDI...nu.dll

windows10-2004-x64

3

$TEMP/setup.exe

windows7-x64

10

$TEMP/setup.exe

windows10-2004-x64

10

$TEMP/sys.exe

windows7-x64

7

$TEMP/sys.exe

windows10-2004-x64

7

$PLUGINSDIR/Math.dll

windows7-x64

3

$PLUGINSDIR/Math.dll

windows10-2004-x64

3

$PLUGINSDI...es.dll

windows7-x64

3

$PLUGINSDI...es.dll

windows10-2004-x64

3

$PLUGINSDI...em.dll

windows7-x64

3

$PLUGINSDI...em.dll

windows10-2004-x64

3

$PLUGINSDIR/UAC.dll

windows7-x64

3

$PLUGINSDIR/UAC.dll

windows10-2004-x64

3

$R1.dll

windows7-x64

6

$R1.dll

windows10-2004-x64

6

$TEMP/tcpsrvc.exe

windows7-x64

7

$TEMP/tcpsrvc.exe

windows10-2004-x64

7

$PLUGINSDI...em.dll

windows7-x64

3

$PLUGINSDI...em.dll

windows10-2004-x64

3

$SYSDIR/$S...1_.exe

windows7-x64

7

$SYSDIR/$S...1_.exe

windows10-2004-x64

7

$PLUGINSDI...ns.dll

windows7-x64

3

$PLUGINSDI...ns.dll

windows10-2004-x64

3

$PLUGINSDI...em.dll

windows7-x64

3

$PLUGINSDI...em.dll

windows10-2004-x64

3

$SYSDIR/$_5_.dll

windows7-x64

6

$SYSDIR/$_5_.dll

windows10-2004-x64

6

Analysis

  • max time kernel
    143s
  • max time network
    137s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
  • submitted
    11-10-2024 05:43

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    $TEMP/tcpsrvc.exe

  • Size

    372KB

  • MD5

    8c706a763e7622b72fe3222ec053d326

  • SHA1

    2ee23255a22f1d42eefbc1fe88f4d82736e6c1b7

  • SHA256

    79b06d3d76b61edfc0d3f48d0189e37ab2245ab169a06cf0aeb815576cdc7819

  • SHA512

    21c36d1c470d71374e4da34cb9b589cb0f6105145509bb4d30187be4e219f34e0f96ed0cd6d1a25cc3e366474e918d5b99a9f5e2c25d610b8f1cf7dc4ba5cbc8

  • SSDEEP

    6144:UzfXbLb6FgXVLFRHCt9sZ+2yrq4jKChDCD3C4wOmwIAhd2GBEfQhItk+/D0kNVTC:eHeFq/HCA4h1FWCFDA/2GcOYN5WZYgKc

Score
7/10
adwarediscoverypersistencestealer

Malware Config

Signatures

  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Installs/modifies Browser Helper Object 2 TTPs 4 IoCs

    BHOs are DLL modules which act as plugins for Internet Explorer.

    stealeradware
  • Maps connected drives based on registry 3 TTPs 6 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Drops file in System32 directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies Internet Explorer Protected Mode 1 TTPs 1 IoCs
  • Modifies Internet Explorer Protected Mode Banner 1 TTPs 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 34 IoCs
    adwarespyware
  • Modifies registry class 10 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\$TEMP\tcpsrvc.exe
    "C:\Users\Admin\AppData\Local\Temp\$TEMP\tcpsrvc.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • Installs/modifies Browser Helper Object
    • Maps connected drives based on registry
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Modifies Internet Explorer Protected Mode
    • Modifies Internet Explorer Protected Mode Banner
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:1780
    • C:\Windows\SysWOW64\regsvr32.exe
      "C:\Windows\system32\regsvr32.exe" /s "C:\Windows\system32\xekuplatzoctztxg.dll"
      2⤵
      • Adds Run key to start application
      • Installs/modifies Browser Helper Object
      • Maps connected drives based on registry
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      PID:2824
  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
    1⤵
    • Modifies Internet Explorer settings
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2768
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2768 CREDAT:275457 /prefetch:2
      2⤵
      • System Location Discovery: System Language Discovery
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      PID:2564

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    578aceca6a601f2a3fa7bab01b68c46b

    SHA1

    1f8c1d858f947de25c6c09b6ddc0cfba9fe27210

    SHA256

    2d939fb1516be898f75bc1b5adbceca633ce429c00ec7acb0045087ccd150502

    SHA512

    678ffa7cd54ddfdecebeaa58726f9810da1eec05f8f79591b5e57b6f5b72755ae975e969466249a784db9dbc6528172235b3bb8fa33725d442bdcaf68eb9b7ad

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    7615da927bf654c4d6497453d5df41d6

    SHA1

    e2a4d52d90a0a4ed6768b5f6939769229281c0b7

    SHA256

    4acf7f4cd903a3f033dc0949ae86d70d6576b54a9ade907e18519a97396b6e3c

    SHA512

    3132260186e4656abe3f9b0ce230cdf380f3894e51525b8a3ced9403bcc6c2fc7c75bb5ec998ad396c03ee8707148526a187e29fb811cd3ce2823a79b5b57776

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    aec2ec5712ee2c0bf59dbbd4ca71be63

    SHA1

    7b37fdfa4574d8d28deed68fe12a4c44102d4362

    SHA256

    b5e6c631786b7b37e006fbe479e913481ca03fd6313d3f7e5fc24d300d32efb4

    SHA512

    f9544eebb93c9c345c367a5cdaf51850f13ec4bcf1665ebd22b61e5e4706632028d3207fc3abcc719f4854815815fe89cf07c93dac3a4ac7feb85f5aeefdddfb

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    1193274709d57cf7cc69665e80fe097b

    SHA1

    f72c13ab488e6bed114e4a336c66522b3c4b1c80

    SHA256

    929204599453fe98b84b02cfe79df1efa90954676595ddae60190ccf6e14e192

    SHA512

    f522c47877e27660535856e5c7792b729ffef46053e545e868ada0070fa3582988040220ce57538415da2e27512d9ff95b87c767d5cc74af8f89dc4699ca5d71

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    7b34e444da634b31a555e67d1db283ad

    SHA1

    5fe104ce5176050f9400012bd6fdafb2430dd60c

    SHA256

    91f300576c4a2923c2af8f9fac9aa03a2023bf92205f6bab410a9af0b48813b2

    SHA512

    73c2f72ee646c4231ab68c91bd809555227af602fd6b611a056ebfe1f5818163c234d3d26c1b9b77be5f7c053e43fe4d1f2f28400370694a3f0218de96bfee31

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    c246c32d5b761c299808e5a74b114374

    SHA1

    5ef0322d12ab00c005d355f683d84176527c9d5e

    SHA256

    cd357e323d2d4fc58bf93e5d1b50cef6a5427dc41e2ebe2117b70a009965e47e

    SHA512

    996fa5275cde56cfa20abcad86a1d831adce42df9a6bf668f38c82798dfc4e251973ce832be88d9667e9e38c94bda0398b265e26666dbfa192c1fd2f0c03529a

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    def0749a37b42f12848bda0f041ee449

    SHA1

    93b3e52987a71087d950ebfecfde16b70e8e8395

    SHA256

    fd10ee9eed9df6ca2d8433ce4ffaa34bc7d09a45926ff30ae6a1c83f08788d37

    SHA512

    efbcea0605659f6f33881a8aa03ca8362535183b8485b2c3402f9e3cab294de8ccd05727278129dfb3de89fc981dc6c1366db2ba41de97b942daf4a8c4078c14

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    42a4f10533dbb0a671d375b2cd9a1546

    SHA1

    8847c9ba38b12a962446863aad675b1a89174a90

    SHA256

    dc62a5819e8e9921bc253e1e4c0eddc1e895985d33ae95aed7fa2d0d9fbb8be5

    SHA512

    e4002eb2a1451c0e5392c5e9ba48d9bb10961735ecb80a695f7e9d3d557eb7e01dd2d5607a9c5f931511a97b090cc7a1f8037caf6e0766cd946fef3064386520

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    392f845fce09cfda3b93da63afc0f2b0

    SHA1

    8418c41ab8518eff54e1cee27a996a48be6f4fa1

    SHA256

    3e47a7fb059aee3733fd9bb4737c622b4d405ed402580f333a5a9853c7955e64

    SHA512

    62122fc02d66ffd5419322c3c677f736430230b2b793da1e037c9c829dd38c9e8bfc1db97037b2e175ec19eaffd12a6764ad169715ad2f541ccecac68e337ead

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    e486aac2cfadce0e14edbaf6fd4ef41b

    SHA1

    ae35507422e0b06ea83178e9e91d0e93e5d16545

    SHA256

    8c3a89385726a1da87f26129e91747f54a66d50c6e7ae955097993ea0dd341a1

    SHA512

    fd8e973663931c7b83e62e7c1bd3441b0765975229dbc7584458c9e6e3f2a60566ea7eed9369f01accf180e1e20afa3cc43cf6b255dd6d128a0bc72f5f93921d

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    c636a7c0e4f7c6df4047a27c680ae9b2

    SHA1

    b61b723c10ce6ef8ba8b44c51f5648bcc7553000

    SHA256

    b58e87f74e4661d9dd6771df123219fb6da1a8a094fd336d4aa88f88c0dcabb8

    SHA512

    550810082098ca74c22f01dc80bf9d32e989ec337850800aab72b612933f0aba719931a5c7d9f8c821243d75eed96342ff7200512bde0839e7bca8fb1df8785c

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    4ba0a2b3115124e328f2a0a728f0efe3

    SHA1

    6f8ae8d23b98d8166727e7890223b3cec0e8f3e3

    SHA256

    70d40075dfc3783c4ef7ffb24085d7544519359f2d4b6c69c57381a192ca9cb7

    SHA512

    225d1bde86b6cfadf3ea51b2ac92a4d47b43e303fec3d8d6d9aa7f75dc5c9214b0a1d1093bb821147e8c90d588d5ccb37872e87bbc4275b91d71b13f2f6c6c98

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    491504ee2d5adab01973d04808fbde57

    SHA1

    17ef6e4255404f91f0ff0264097defb7f57ef374

    SHA256

    e03a8b3213b49534025f1a913ef4e2eb6f33f90acf384cc5524c8690891a3477

    SHA512

    cfb5d4b2c851c73e95895d9402b834a5f4df7e9c58daf69fc6ee07d79ecce949c33356e969d6c89302152486615fb0ae51d53606a9ea0620ab8c2c598e8a8510

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    4500108e8f436e039cdc3a14443bbb8e

    SHA1

    cfb1d86f1d242f1dedd9c275be7498a8e3039124

    SHA256

    27fd858d94092b893e9391f8c52408ae04daa6eb60e62975976a938c163d24c8

    SHA512

    e3e7d4b85cd86c0ff9158274a3e1bf5b6d50f7f46fa94ecaea7ee78bc72972feeb30c1a955afed6bdc126fc2af86dbe279554a797c617004c73ca1878ce326ba

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    663a2e0537879d18443b007043c802f1

    SHA1

    f066dc6f34818231fac597b09ca4c76d624dbcc3

    SHA256

    8edde811d97a676e81befae954fa9f15bfeb2a3f213248c963411072f537d0c9

    SHA512

    2b0fb2ac92f828d51a87f2ffcc901260a9641c670e33c8ca2f996c3785f5a0ee51f777ea98188c4caeafd9027bd5c6a0d2076e340b18d3674ed08d0264e69786

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    cb15bae424f289743906f2d557ff97ad

    SHA1

    fca76b1bf9767ba2a413ae95396404ad514a996a

    SHA256

    74f16c8fcba44404ad6bb4145929ba075bdf205f2a08fda0138d2d9d5d4b5697

    SHA512

    bbef135267c4a4929238773bae448bb11b1f9cff5ebb0280ea33c8371450177ac13f4e218ffa7d83b6d78bbdec64566368b31d287f5ed1812fb48d1a5469da14

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    d735e2d93605e218de1fe63a52e2dc99

    SHA1

    27599596c151ab6d2b03539c22fc55fd6d142efc

    SHA256

    30d5c67b4942f42b261891d49b023b407446d9f45c744865c1bd7bc856d882e7

    SHA512

    aee8f5ad6c18d352b650f7361000c90d5c5c0ea7c5450f12ad8b640f9369d8031641fa281425b985dc72b9fd15b7e96a838b172b3dfe497a1a0685e81b84de49

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Cab7E74.tmp
    Filesize

    70KB

    MD5

    49aebf8cbd62d92ac215b2923fb1b9f5

    SHA1

    1723be06719828dda65ad804298d0431f6aff976

    SHA256

    b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

    SHA512

    bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Tar7F34.tmp
    Filesize

    181KB

    MD5

    4ea6026cf93ec6338144661bf1202cd1

    SHA1

    a1dec9044f750ad887935a01430bf49322fbdcb7

    SHA256

    8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

    SHA512

    6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

    Download Submit

  • \Users\Admin\AppData\Local\Temp\nsoE1AA.tmp\System.dll
    Filesize

    11KB

    MD5

    c17103ae9072a06da581dec998343fc1

    SHA1

    b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d

    SHA256

    dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f

    SHA512

    d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

    Download Submit

  • \Users\Admin\AppData\Local\Temp\nsoE997.tmp.dll
    Filesize

    604KB

    MD5

    b8b303dbcda489ce392dd78b9c3088ae

    SHA1

    5fbb5dc212a26c8d995d9fc70aaed84972c81378

    SHA256

    6fc9b661c0be1f1c29943c41125ed6e883576f2714bc9c4738a1098850f5bbde

    SHA512

    551745e3bdf647fcf0c8e0b9d92cb691c0d011382c9867c0d575221cec5c669277d79467d751b37269c5e61d31a9485d9a21c5015db0663b4c9a3639ced96b03

    Download Submit

  • memory/1780-22-0x0000000028DE0000-0x0000000028E7E000-memory.dmp

    Filesize

    632KB

    Download

  • memory/2824-24-0x0000000000160000-0x0000000000162000-memory.dmp

    Filesize

    8KB

    Download

  • memory/2824-458-0x0000000028DE0000-0x0000000028E7E000-memory.dmp

    Filesize

    632KB

    Download

  • memory/2824-457-0x0000000028DE0000-0x0000000028E7E000-memory.dmp

    Filesize

    632KB

    Download

  • memory/2824-25-0x0000000028DE0000-0x0000000028E7E000-memory.dmp

    Filesize

    632KB

    Download

  • memory/2824-27-0x0000000028DE0000-0x0000000028E7E000-memory.dmp

    Filesize

    632KB

    Download

  • memory/2824-895-0x0000000028DE0000-0x0000000028E7E000-memory.dmp

    Filesize

    632KB

    Download

  • memory/2824-897-0x0000000028DE0000-0x0000000028E7E000-memory.dmp

    Filesize

    632KB

    Download

  • memory/2824-900-0x0000000028DE0000-0x0000000028E7E000-memory.dmp

    Filesize

    632KB

    Download