Overview

overview

10

Static

static

Setup.exe

windows10-2004-x64

10

Setup.exe

android-11-x64

Resubmissions

30/08/2022, 12:22

220830-pj95laacb8 10

30/08/2022, 12:17

220830-pgcfjsgfhj 5

Analysis

  • max time kernel
    99s
  • max time network
    148s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    30/08/2022, 12:22

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Setup.exe

  • Size

    5.4MB

  • MD5

    30697215893fca2f6188cdcd7f3ddedf

  • SHA1

    07ebbdfecb6bab757dc71e5d94ddf02756ffb94f

  • SHA256

    37fab777eed6ae75d322c8d57ddb6294a2599daa332041bb093e002904a9e0e7

  • SHA512

    73ff33fb60cbb6dae797e328f5fcc9affaed8412e76fa8307c5f264d5c2178220e7be703821a063ecace1cc635de1c550dcd8342fcb9865541b25825dcae0e47

  • SSDEEP

    24576:34wsvYyY7XdKoFMHUoigrfEjnDnwViw8quVaBfGgzxoRjADVLZDFgyThCl3RuQ57:Iw7S2wAqNBfGgNoRjADV4l3B

Score
10/10
systembcytstealerspywarestealertrojanupx

Malware Config

Extracted

Family

systembc

C2

95.217.228.125:4249

146.70.53.169:4249

Signatures

  • SystemBC

    SystemBC is a proxy and remote administration tool first seen in 2019.

    trojansystembc
  • YTStealer

    YTStealer is a malware designed to steal YouTube authentication cookies.

    stealerytstealer
  • YTStealer payload 2 IoCs
  • Downloads MZ/PE file
  • Executes dropped EXE 4 IoCs
  • UPX packed file 5 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses 2FA software files, possible credential harvesting 2 TTPs
    spywarestealer
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Windows directory 2 IoCs
  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Kills process with taskkill 1 IoCs
    evasion
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Setup.exe
    "C:\Users\Admin\AppData\Local\Temp\Setup.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:5012
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      2⤵
      • Loads dropped DLL
      • Checks processor information in registry
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:150892
      • C:\ProgramData\23013729531437509533.exe
        "C:\ProgramData\23013729531437509533.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:4400
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          powershell "" "Get-WmiObject Win32_PortConnector"
          4⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:5036
      • C:\ProgramData\90269532707311368336.exe
        "C:\ProgramData\90269532707311368336.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:4384
      • C:\ProgramData\46403532666670855151.exe
        "C:\ProgramData\46403532666670855151.exe"
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        PID:3588
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c taskkill /im AppLaunch.exe /f & timeout /t 6 & del /f /q "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe" & del C:\PrograData\*.dll & exit
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:404
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /im AppLaunch.exe /f
          4⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:2664
        • C:\Windows\SysWOW64\timeout.exe
          timeout /t 6
          4⤵
          • Delays execution with timeout.exe
          PID:2104
  • C:\ProgramData\46403532666670855151.exe
    C:\ProgramData\46403532666670855151.exe start
    1⤵
    • Executes dropped EXE
    PID:1288

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\23013729531437509533.exe
    Filesize

    4.0MB

    MD5

    a7bceb417fbb8c136261f3b195d6d7ee

    SHA1

    82f78abd9ffd6298e599e05826cc2ec237758a9c

    SHA256

    3595487037dcf807ce3a99232518787290b0a37e56eb63ee62901929b9974277

    SHA512

    a5ea37145dbd81bc117b527fba56c68d2b7ef4f5f0d1b965cb2525019794403402733a22bf533dbbf6efe58ca0afc9f433c27464dda42d576daa06b6f707a3e5

    Download Submit

  • C:\ProgramData\23013729531437509533.exe
    Filesize

    4.0MB

    MD5

    a7bceb417fbb8c136261f3b195d6d7ee

    SHA1

    82f78abd9ffd6298e599e05826cc2ec237758a9c

    SHA256

    3595487037dcf807ce3a99232518787290b0a37e56eb63ee62901929b9974277

    SHA512

    a5ea37145dbd81bc117b527fba56c68d2b7ef4f5f0d1b965cb2525019794403402733a22bf533dbbf6efe58ca0afc9f433c27464dda42d576daa06b6f707a3e5

    Download Submit

  • C:\ProgramData\46403532666670855151.exe
    Filesize

    13KB

    MD5

    89cb56d6ad669a38a4b234508dbaf512

    SHA1

    e2e7d4a326c0d8c2cf0cd419d7be98832c839f26

    SHA256

    ab971c45e2e31f860ac74d476aee2aeb850a5f4130ca12c6c8110e8c4621aca9

    SHA512

    3d70f41b5fd830be9dda88d3484cb68a42f70e736e5f1ebc6b98303c1f67308a00a9df6b04b647b59e1593a0d4f2c87410c1b4940efa363bbc936693115a8c5c

    Download Submit

  • C:\ProgramData\46403532666670855151.exe
    Filesize

    13KB

    MD5

    89cb56d6ad669a38a4b234508dbaf512

    SHA1

    e2e7d4a326c0d8c2cf0cd419d7be98832c839f26

    SHA256

    ab971c45e2e31f860ac74d476aee2aeb850a5f4130ca12c6c8110e8c4621aca9

    SHA512

    3d70f41b5fd830be9dda88d3484cb68a42f70e736e5f1ebc6b98303c1f67308a00a9df6b04b647b59e1593a0d4f2c87410c1b4940efa363bbc936693115a8c5c

    Download Submit

  • C:\ProgramData\46403532666670855151.exe
    Filesize

    13KB

    MD5

    89cb56d6ad669a38a4b234508dbaf512

    SHA1

    e2e7d4a326c0d8c2cf0cd419d7be98832c839f26

    SHA256

    ab971c45e2e31f860ac74d476aee2aeb850a5f4130ca12c6c8110e8c4621aca9

    SHA512

    3d70f41b5fd830be9dda88d3484cb68a42f70e736e5f1ebc6b98303c1f67308a00a9df6b04b647b59e1593a0d4f2c87410c1b4940efa363bbc936693115a8c5c

    Download Submit

  • C:\ProgramData\90269532707311368336.exe
    Filesize

    18KB

    MD5

    f67f9188455a685c402e44748a9f47b1

    SHA1

    0ed55d3d1227ff4048672ed93df3ad6e096f8031

    SHA256

    f192fa45cf887a5cdfb904df31238c3201879e8c0a0764f18efad1ce3b6ed713

    SHA512

    7b8e7faaba35f25ea9fc85845002d5dbeea5380b54a1c65c8462e6f2ea64ac45290926072acaf89a754c3fe8fe5e013bc7e0a08b8c6adce1d5c626e199e6913b

    Download Submit

  • C:\ProgramData\90269532707311368336.exe
    Filesize

    18KB

    MD5

    f67f9188455a685c402e44748a9f47b1

    SHA1

    0ed55d3d1227ff4048672ed93df3ad6e096f8031

    SHA256

    f192fa45cf887a5cdfb904df31238c3201879e8c0a0764f18efad1ce3b6ed713

    SHA512

    7b8e7faaba35f25ea9fc85845002d5dbeea5380b54a1c65c8462e6f2ea64ac45290926072acaf89a754c3fe8fe5e013bc7e0a08b8c6adce1d5c626e199e6913b

    Download Submit

  • C:\ProgramData\mozglue.dll
    Filesize

    133KB

    MD5

    8f73c08a9660691143661bf7332c3c27

    SHA1

    37fa65dd737c50fda710fdbde89e51374d0c204a

    SHA256

    3fe6b1c54b8cf28f571e0c5d6636b4069a8ab00b4f11dd842cfec00691d0c9cd

    SHA512

    0042ecf9b3571bb5eba2de893e8b2371df18f7c5a589f52ee66e4bfbaa15a5b8b7cc6a155792aaa8988528c27196896d5e82e1751c998bacea0d92395f66ad89

    Download Submit

  • C:\ProgramData\nss3.dll
    Filesize

    1.2MB

    MD5

    bfac4e3c5908856ba17d41edcd455a51

    SHA1

    8eec7e888767aa9e4cca8ff246eb2aacb9170428

    SHA256

    e2935b5b28550d47dc971f456d6961f20d1633b4892998750140e0eaa9ae9d78

    SHA512

    2565bab776c4d732ffb1f9b415992a4c65b81bcd644a9a1df1333a269e322925fc1df4f76913463296efd7c88ef194c3056de2f1ca1357d7b5fe5ff0da877a66

    Download Submit

  • memory/4384-169-0x0000000000F70000-0x0000000000F7A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/4384-175-0x00000000059B0000-0x00000000059BA000-memory.dmp

    Filesize

    40KB

    Download

  • memory/4384-170-0x0000000005FD0000-0x0000000006574000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/4384-171-0x0000000005910000-0x00000000059A2000-memory.dmp

    Filesize

    584KB

    Download

  • memory/4384-179-0x0000000005F60000-0x0000000005FC6000-memory.dmp

    Filesize

    408KB

    Download

  • memory/4400-181-0x0000000000A00000-0x0000000001814000-memory.dmp

    Filesize

    14.1MB

    Download

  • memory/4400-165-0x0000000000A00000-0x0000000001814000-memory.dmp

    Filesize

    14.1MB

    Download

  • memory/4400-185-0x0000000000A00000-0x0000000001814000-memory.dmp

    Filesize

    14.1MB

    Download

  • memory/5012-140-0x0000000000400000-0x000000000058D000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/5036-183-0x000001E97B3A0000-0x000001E97B3C2000-memory.dmp

    Filesize

    136KB

    Download

  • memory/5036-184-0x00007FFCC2A90000-0x00007FFCC3551000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/150892-141-0x0000000060900000-0x0000000060992000-memory.dmp

    Filesize

    584KB

    Download

  • memory/150892-139-0x0000000000700000-0x000000000075D000-memory.dmp

    Filesize

    372KB

    Download

  • memory/150892-133-0x0000000000700000-0x000000000075D000-memory.dmp

    Filesize

    372KB

    Download