Overview

overview

10

Static

static

Program.exe

windows7_x64

10

Program.exe

windows10_x64

10

Analysis

  • max time kernel
    300s
  • max time network
    256s
  • platform
    windows7_x64
  • resource
    win7v20210410
  • submitted
    05-06-2021 18:57

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Program.exe

  • Size

    783KB

  • MD5

    a5ce4452b72ef5e005a652256aa4b842

  • SHA1

    570c2099012673bff0b4bbd8bac54bde38f4832f

  • SHA256

    64b5e1a70578e66ff0c849e4b06a1460065b820970748d4f6a959773aaae122f

  • SHA512

    69d090e9d91861b787e027e4c7dd4d6b500910f92262c4e2e8e9a9fb46b9cfb33caba7d9e0b4e5882adc178028ab7582641bc6625b7561700f3bfcfdf0855ee8

Score
10/10
pandastealerspywarestealer

Malware Config

Signatures

  • Panda Stealer Payload 16 IoCs
  • PandaStealer

    Panda Stealer is a fork of CollectorProject Stealer written in C++.

    stealerpandastealer
  • Executes dropped EXE 43 IoCs
  • Loads dropped DLL 12 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
    adwarespyware
  • Opens file in notepad (likely ransom note) 1 IoCs
    ransomware
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 37 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Program.exe
    "C:\Users\Admin\AppData\Local\Temp\Program.exe"
    1⤵
    • Modifies Internet Explorer settings
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of SetWindowsHookEx
    PID:1668
  • C:\Windows\system32\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\Password.txt
    1⤵
    • Opens file in notepad (likely ransom note)
    PID:1568
  • C:\Users\Admin\Desktop\Автономная Установка.exe
    "C:\Users\Admin\Desktop\Автономная Установка.exe"
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1588
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\Desktop\Автономная Установка.exe" & schtasks /create /tn \aeeb4yuu\txgov2no /tr C:\Users\Admin\AppData\Roaming\svchost.exe /st 00:00 /du 9999:59 /sc daily /ri 1 /f
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1892
      • C:\Windows\SysWOW64\choice.exe
        choice /C Y /N /D Y /T 3
        3⤵
          PID:1960
        • C:\Windows\SysWOW64\schtasks.exe
          schtasks /create /tn \aeeb4yuu\txgov2no /tr C:\Users\Admin\AppData\Roaming\svchost.exe /st 00:00 /du 9999:59 /sc daily /ri 1 /f
          3⤵
          • Creates scheduled task(s)
          PID:2724
    • C:\Users\Admin\Desktop\Install.sfx.exe
      "C:\Users\Admin\Desktop\Install.sfx.exe"
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:932
      • C:\Users\Admin\AppData\Local\Temp\bui3ld.exe
        "C:\Users\Admin\AppData\Local\Temp\bui3ld.exe"
        2⤵
        • Executes dropped EXE
        PID:2416
    • C:\Users\Admin\Desktop\Install.sfx.exe
      "C:\Users\Admin\Desktop\Install.sfx.exe"
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:1108
      • C:\Users\Admin\AppData\Local\Temp\bui3ld.exe
        "C:\Users\Admin\AppData\Local\Temp\bui3ld.exe"
        2⤵
        • Executes dropped EXE
        PID:2904
    • C:\Users\Admin\Desktop\Install.sfx.exe
      "C:\Users\Admin\Desktop\Install.sfx.exe"
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:2024
      • C:\Users\Admin\AppData\Local\Temp\bui3ld.exe
        "C:\Users\Admin\AppData\Local\Temp\bui3ld.exe"
        2⤵
        • Executes dropped EXE
        PID:2376
    • C:\Users\Admin\Desktop\Автономная Установка.exe
      "C:\Users\Admin\Desktop\Автономная Установка.exe"
      1⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1644
    • C:\Users\Admin\Desktop\Автономная Установка.exe
      "C:\Users\Admin\Desktop\Автономная Установка.exe"
      1⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1684
    • C:\Users\Admin\Desktop\Автономная Установка.exe
      "C:\Users\Admin\Desktop\Автономная Установка.exe"
      1⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1956
    • C:\Users\Admin\Desktop\Автономная Установка.exe
      "C:\Users\Admin\Desktop\Автономная Установка.exe"
      1⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:616
    • C:\Users\Admin\Desktop\Автономная Установка.exe
      "C:\Users\Admin\Desktop\Автономная Установка.exe"
      1⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1620
    • C:\Users\Admin\Desktop\Автономная Установка.exe
      "C:\Users\Admin\Desktop\Автономная Установка.exe"
      1⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1396
    • C:\Users\Admin\Desktop\Автономная Установка.exe
      "C:\Users\Admin\Desktop\Автономная Установка.exe"
      1⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1716
    • C:\Users\Admin\Desktop\Автономная Установка.exe
      "C:\Users\Admin\Desktop\Автономная Установка.exe"
      1⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1520
    • C:\Users\Admin\Desktop\Автономная Установка.exe
      "C:\Users\Admin\Desktop\Автономная Установка.exe"
      1⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:456
    • C:\Users\Admin\Desktop\Автономная Установка.exe
      "C:\Users\Admin\Desktop\Автономная Установка.exe"
      1⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1308
    • C:\Users\Admin\Desktop\Автономная Установка.exe
      "C:\Users\Admin\Desktop\Автономная Установка.exe"
      1⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1316
    • C:\Users\Admin\Desktop\Автономная Установка.exe
      "C:\Users\Admin\Desktop\Автономная Установка.exe"
      1⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1760
    • C:\Users\Admin\Desktop\Автономная Установка.exe
      "C:\Users\Admin\Desktop\Автономная Установка.exe"
      1⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2052
    • C:\Users\Admin\Desktop\Автономная Установка.exe
      "C:\Users\Admin\Desktop\Автономная Установка.exe"
      1⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2128
    • C:\Users\Admin\Desktop\Автономная Установка.exe
      "C:\Users\Admin\Desktop\Автономная Установка.exe"
      1⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2180
    • C:\Users\Admin\Desktop\Автономная Установка.exe
      "C:\Users\Admin\Desktop\Автономная Установка.exe"
      1⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2232
    • C:\Users\Admin\Desktop\Автономная Установка.exe
      "C:\Users\Admin\Desktop\Автономная Установка.exe"
      1⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2284
    • C:\Users\Admin\Desktop\Автономная Установка.exe
      "C:\Users\Admin\Desktop\Автономная Установка.exe"
      1⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:2348
    • C:\Users\Admin\Desktop\Автономная Установка.exe
      "C:\Users\Admin\Desktop\Автономная Установка.exe"
      1⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:2420
    • C:\Users\Admin\Desktop\Автономная Установка.exe
      "C:\Users\Admin\Desktop\Автономная Установка.exe"
      1⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:2472
    • C:\Users\Admin\Desktop\Автономная Установка.exe
      "C:\Users\Admin\Desktop\Автономная Установка.exe"
      1⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:2512
    • C:\Users\Admin\Desktop\Автономная Установка.exe
      "C:\Users\Admin\Desktop\Автономная Установка.exe"
      1⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:2564
    • C:\Users\Admin\Desktop\Автономная Установка.exe
      "C:\Users\Admin\Desktop\Автономная Установка.exe"
      1⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:2628
    • C:\Users\Admin\Desktop\Автономная Установка.exe
      "C:\Users\Admin\Desktop\Автономная Установка.exe"
      1⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:2712
    • C:\Users\Admin\Desktop\Автономная Установка.exe
      "C:\Users\Admin\Desktop\Автономная Установка.exe"
      1⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:2780
    • C:\Users\Admin\Desktop\Автономная Установка.exe
      "C:\Users\Admin\Desktop\Автономная Установка.exe"
      1⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:2852
    • C:\Users\Admin\Desktop\Автономная Установка.exe
      "C:\Users\Admin\Desktop\Автономная Установка.exe"
      1⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:2896
    • C:\Users\Admin\Desktop\Автономная Установка.exe
      "C:\Users\Admin\Desktop\Автономная Установка.exe"
      1⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:2936
    • C:\Users\Admin\Desktop\Автономная Установка.exe
      "C:\Users\Admin\Desktop\Автономная Установка.exe"
      1⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:2976
    • C:\Users\Admin\Desktop\Автономная Установка.exe
      "C:\Users\Admin\Desktop\Автономная Установка.exe"
      1⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:3024
    • C:\Users\Admin\Desktop\Автономная Установка.exe
      "C:\Users\Admin\Desktop\Автономная Установка.exe"
      1⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:3068
    • C:\Users\Admin\Desktop\Автономная Установка.exe
      "C:\Users\Admin\Desktop\Автономная Установка.exe"
      1⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:2136
    • C:\Users\Admin\Desktop\Автономная Установка.exe
      "C:\Users\Admin\Desktop\Автономная Установка.exe"
      1⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:2388
    • C:\Users\Admin\Desktop\Автономная Установка.exe
      "C:\Users\Admin\Desktop\Автономная Установка.exe"
      1⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:1444
    • C:\Users\Admin\Desktop\Автономная Установка.exe
      "C:\Users\Admin\Desktop\Автономная Установка.exe"
      1⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:2668
    • C:\Windows\system32\taskeng.exe
      taskeng.exe {818656FE-64DE-4EF3-A6BC-C6EDEF1063E8} S-1-5-21-2513283230-931923277-594887482-1000:MRBKYMNO\Admin:Interactive:[1]
      1⤵
      • Suspicious use of WriteProcessMemory
      PID:640
      • C:\Users\Admin\AppData\Roaming\svchost.exe
        C:\Users\Admin\AppData\Roaming\svchost.exe
        2⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:1548

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/456-126-0x0000000000CE0000-0x0000000000CE1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/616-92-0x0000000004B30000-0x0000000004B31000-memory.dmp

      Filesize

      4KB

      Download

    • memory/932-74-0x0000000002400000-0x0000000002401000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1108-75-0x0000000000CA0000-0x0000000000CA1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1308-127-0x0000000004A40000-0x0000000004A41000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1316-128-0x00000000002A0000-0x00000000002A1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1396-104-0x0000000004AB0000-0x0000000004AB1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1444-205-0x0000000000EF0000-0x0000000000EF1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1520-125-0x0000000000EE0000-0x0000000000EE1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1548-210-0x0000000004990000-0x0000000004991000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1568-60-0x000007FEFB6B1000-0x000007FEFB6B3000-memory.dmp

      Filesize

      8KB

      Download

    • memory/1588-64-0x0000000000F30000-0x0000000000F31000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1588-66-0x00000000048D0000-0x00000000048D1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1620-96-0x00000000048E0000-0x00000000048E1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1644-89-0x0000000004A60000-0x0000000004A61000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1668-59-0x0000000075281000-0x0000000075283000-memory.dmp

      Filesize

      8KB

      Download

    • memory/1684-90-0x0000000004AE0000-0x0000000004AE1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1716-105-0x0000000004810000-0x0000000004811000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1760-129-0x0000000004A60000-0x0000000004A61000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1956-91-0x0000000004860000-0x0000000004861000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2024-76-0x0000000000600000-0x0000000000601000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2052-130-0x00000000006E0000-0x00000000006E1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2128-146-0x0000000004AF0000-0x0000000004AF1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2136-200-0x0000000000430000-0x0000000000431000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2180-147-0x0000000004880000-0x0000000004881000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2232-148-0x0000000004AB0000-0x0000000004AB1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2284-149-0x0000000000690000-0x0000000000691000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2348-150-0x00000000043C0000-0x00000000043C1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2388-204-0x0000000000520000-0x0000000000521000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2420-166-0x0000000004B30000-0x0000000004B31000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2472-167-0x00000000048F0000-0x00000000048F1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2512-168-0x0000000004AB0000-0x0000000004AB1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2564-169-0x0000000004A20000-0x0000000004A21000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2628-170-0x0000000000430000-0x0000000000431000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2668-206-0x0000000004C70000-0x0000000004C71000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2712-178-0x0000000000E80000-0x0000000000E81000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2780-179-0x0000000004910000-0x0000000004911000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2852-183-0x0000000004B50000-0x0000000004B51000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2896-195-0x00000000048D0000-0x00000000048D1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2936-196-0x0000000000470000-0x0000000000471000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2976-197-0x0000000000920000-0x0000000000921000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3024-198-0x0000000000B30000-0x0000000000B31000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3068-199-0x0000000004AB0000-0x0000000004AB1000-memory.dmp

      Filesize

      4KB

      Download