Overview

overview

10

Static

static

5

aa4fb51178...12.exe

windows7-x64

10

aa4fb51178...12.exe

windows10-2004-x64

5

Analysis

  • max time kernel
    117s
  • max time network
    117s
  • platform
    windows7_x64
  • resource
    win7-20241023-en
  • resource tags

    arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
  • submitted
    11-11-2024 02:09

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    aa4fb5117829cc5db055647ef8a25e0c5cadef1032f5b6f84b600cb48d9b7912.exe

  • Size

    38KB

  • MD5

    51b4b6d3139c77d3bb6fe3b6bd7a3651

  • SHA1

    3d75b85da0618a66719a590104692c652b4d91b1

  • SHA256

    aa4fb5117829cc5db055647ef8a25e0c5cadef1032f5b6f84b600cb48d9b7912

  • SHA512

    602a25e4606bc0d3713461af8d82c6b276f072fb38467c24e05258aa487d43925e6b6e5d61eaf38aa9a34aaa84d33939ff1a8240269ee3e998a3c9ffc5369b00

  • SSDEEP

    768:aHpqwkfEY6GmDvRwlNoJfiqFMkBh5e6BXZgB4e:aHpXkfhitgQiqFd5XZgCe

Score
10/10
adwaredefense_evasiondiscoveryevasionpersistencestealerupx

Malware Config

Signatures

  • Modifies firewall policy service 3 TTPs 2 IoCs
    evasion
  • Drops file in Drivers directory 64 IoCs
  • ACProtect 1.3x - 1.4x DLL software 1 IoCs

    Detects file using ACProtect software.

  • Deletes itself 1 IoCs
  • Impair Defenses: Safe Mode Boot 1 TTPs 2 IoCs
    defense_evasion
  • Loads dropped DLL 5 IoCs
  • Installs/modifies Browser Helper Object 2 TTPs 3 IoCs

    BHOs are DLL modules which act as plugins for Internet Explorer.

    stealeradware
  • Modifies WinLogon 2 TTPs 8 IoCs
    persistence
  • Drops file in System32 directory 5 IoCs
  • UPX packed file 11 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies Internet Explorer settings 1 TTPs 2 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious behavior: LoadsDriver 64 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\aa4fb5117829cc5db055647ef8a25e0c5cadef1032f5b6f84b600cb48d9b7912.exe
    "C:\Users\Admin\AppData\Local\Temp\aa4fb5117829cc5db055647ef8a25e0c5cadef1032f5b6f84b600cb48d9b7912.exe"
    1⤵
    • Loads dropped DLL
    • Modifies WinLogon
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2092
    • C:\Windows\SysWOW64\rundll32.exe
      C:\Windows\system32\rundll32.exe mdhash.dll,mdhash C:\Users\Admin\AppData\Local\Temp\aa4fb5117829cc5db055647ef8a25e0c5cadef1032f5b6f84b600cb48d9b7912.exe
      2⤵
      • Modifies firewall policy service
      • Drops file in Drivers directory
      • Deletes itself
      • Impair Defenses: Safe Mode Boot
      • Loads dropped DLL
      • Installs/modifies Browser Helper Object
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Modifies Internet Explorer settings
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: LoadsDriver
      • Suspicious use of WriteProcessMemory
      PID:2580
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 2580 -s 760
        3⤵
        • Program crash
        PID:1740

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\SysWOW64\mdhsh.sys
    Filesize

    8KB

    MD5

    fa1af74ab17b5d7af7b56f46f09108f4

    SHA1

    5e98d7e2e2b59799bd6a05c4a7e9fab34bd883d2

    SHA256

    86b7e650f323db5dcb5ccbaa43e84513871f7fbdb65d6314a386d09920cf5112

    SHA512

    88ddeede18cf67f4e3f44cfe738a37f746f53417c0f475b9a525347e73dd02e637a915142d0cc04d01444f08eee2d28f0f42fda369bcc16cb956f894b9898f99

    Download Submit

  • \Windows\SysWOW64\mdhash.dll
    Filesize

    21KB

    MD5

    74e66a253e1903eb5a7846d46ff534f9

    SHA1

    538ce4817faf657f30fc91c9faaa33cbce9f04a3

    SHA256

    17d466513173ae8a905996505a652b38d3fc5958d681663482f6c9e6245e7291

    SHA512

    bb610538c1ece66ef0f891d810fa1de80d81cbc3fd173845f4aa0dd1a99bd83bc3a6de8563af845e813b445182d5f007e8f9d67940012239131155a107a6930b

    Download Submit

  • memory/2092-0-0x0000000000400000-0x0000000000422000-memory.dmp

    Filesize

    136KB

    Download

  • memory/2092-7-0x0000000010000000-0x0000000010041000-memory.dmp

    Filesize

    260KB

    Download

  • memory/2092-11-0x0000000010000000-0x0000000010041000-memory.dmp

    Filesize

    260KB

    Download

  • memory/2092-10-0x0000000000400000-0x0000000000422000-memory.dmp

    Filesize

    136KB

    Download

  • memory/2580-17-0x0000000010000000-0x0000000010041000-memory.dmp

    Filesize

    260KB

    Download

  • memory/2580-19-0x0000000010000000-0x0000000010041000-memory.dmp

    Filesize

    260KB

    Download

  • memory/2580-18-0x0000000010000000-0x0000000010041000-memory.dmp

    Filesize

    260KB

    Download

  • memory/2580-20-0x0000000010000000-0x0000000010041000-memory.dmp

    Filesize

    260KB

    Download

  • memory/2580-229-0x0000000010000000-0x0000000010041000-memory.dmp

    Filesize

    260KB

    Download

  • memory/2580-231-0x0000000010000000-0x0000000010041000-memory.dmp

    Filesize

    260KB

    Download