Overview

overview

8

Static

static

d1bbea57c5...20.exe

windows7-x64

8

d1bbea57c5...20.exe

windows10-2004-x64

1

Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows7_x64
  • resource
    win7-20220901-en
  • resource tags

    arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
  • submitted
    23-11-2022 13:02

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    d1bbea57c5b0c7d1b08ff921a1524353c323a7692c6fdc5571979d5104255e20.exe

  • Size

    316KB

  • MD5

    953aa86de9d62d974497010aabd665ed

  • SHA1

    ab184b2ad827c980582bf2399fba39a53904bd8c

  • SHA256

    d1bbea57c5b0c7d1b08ff921a1524353c323a7692c6fdc5571979d5104255e20

  • SHA512

    541d26d65766a6e9ba4737d1d12efd83c37b9f53c32f4bcca8f7ddfacb7af6bd9863ce6de614c6f4f2efdf6efd374969ebee8cc86db88ef914c9b1d68bca04d4

  • SSDEEP

    3072:jImWY8geeqNlkvqGejAOS6p6ZXTedakBgOl0QuXJTYHkjPf0vax8gI5:8mW/Fxl81np6pKDe6Ol0bXJCkDWKS5

Score
8/10
discoverypersistencespywarestealerupx

Malware Config

Signatures

  • UPX packed file 1 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Deletes itself 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Checks processor information in registry 2 TTPs 6 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 6 IoCs
  • Modifies Internet Explorer Protected Mode 1 TTPs 1 IoCs
  • Modifies Internet Explorer Protected Mode Banner 1 TTPs 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
    adwarespyware
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 42 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d1bbea57c5b0c7d1b08ff921a1524353c323a7692c6fdc5571979d5104255e20.exe
    "C:\Users\Admin\AppData\Local\Temp\d1bbea57c5b0c7d1b08ff921a1524353c323a7692c6fdc5571979d5104255e20.exe"
    1⤵
    • Checks processor information in registry
    • Enumerates system info in registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1324
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4gq1sglk.default-release\storage\permanent\chrome\idb\3F33.tmp.bat""
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1608
      • C:\Windows\SysWOW64\PING.EXE
        ping 0 -n 3
        3⤵
        • Runs ping.exe
        PID:1092
      • C:\Windows\SysWOW64\reg.exe
        reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "MrbBtW8LiihJkAFUZeJbQMO+" /d "\"C:\Users\Admin\AppData\Roaming\Macromedia\getmac.exe"\"
        3⤵
        • Adds Run key to start application
        PID:1632
    • C:\Windows\SysWOW64\WerFaultSecure.exe
      C:\Windows\System32\WerFaultSecure.exe
      2⤵
      • Deletes itself
      • Checks processor information in registry
      • Enumerates system info in registry
      • Modifies Internet Explorer Protected Mode
      • Modifies Internet Explorer Protected Mode Banner
      • Modifies Internet Explorer settings
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1672
      • C:\Windows\SysWOW64\iexpress.exe
        C:\Windows\System32\iexpress.exe
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1600

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\Macromedia\getmac.exe
    Filesize

    316KB

    MD5

    953aa86de9d62d974497010aabd665ed

    SHA1

    ab184b2ad827c980582bf2399fba39a53904bd8c

    SHA256

    d1bbea57c5b0c7d1b08ff921a1524353c323a7692c6fdc5571979d5104255e20

    SHA512

    541d26d65766a6e9ba4737d1d12efd83c37b9f53c32f4bcca8f7ddfacb7af6bd9863ce6de614c6f4f2efdf6efd374969ebee8cc86db88ef914c9b1d68bca04d4

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4gq1sglk.default-release\storage\permanent\chrome\idb\3F33.tmp.bat
    Filesize

    300B

    MD5

    592ed2add3179aada852cab72e5a07db

    SHA1

    6d78566c271ba6169ae262d62f2f0b5016a7a96e

    SHA256

    55fb1eada858d4c8f9c69b28703918a6558b75ac4ff1b6899fcbdb28d777bd7a

    SHA512

    8d2675752dab39305ff291af03e7fd5333138a8acdf9be250c0e6d24b3f9b43bc1ded9081f77a8012513e3cea069ecafd965a3f25b84b5ce364031a63c0574ef

    Download Submit

  • memory/1092-72-0x0000000000000000-mapping.dmp

    Download

  • memory/1324-66-0x0000000002380000-0x000000000242C000-memory.dmp

    Filesize

    688KB

    Download

  • memory/1324-68-0x00000000026E0000-0x00000000028A4000-memory.dmp

    Filesize

    1.8MB

    Download

  • memory/1324-59-0x0000000000260000-0x0000000000270000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1324-60-0x0000000000450000-0x0000000000499000-memory.dmp

    Filesize

    292KB

    Download

  • memory/1324-61-0x00000000021C0000-0x00000000022D0000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/1324-62-0x0000000002040000-0x00000000021C0000-memory.dmp

    Filesize

    1.5MB

    Download

  • memory/1324-63-0x0000000001E20000-0x0000000001EC0000-memory.dmp

    Filesize

    640KB

    Download

  • memory/1324-64-0x0000000001D30000-0x0000000001D35000-memory.dmp

    Filesize

    20KB

    Download

  • memory/1324-65-0x00000000025C0000-0x00000000025F5000-memory.dmp

    Filesize

    212KB

    Download

  • memory/1324-55-0x0000000000450000-0x0000000000499000-memory.dmp

    Filesize

    292KB

    Download

  • memory/1324-67-0x0000000002320000-0x0000000002364000-memory.dmp

    Filesize

    272KB

    Download

  • memory/1324-58-0x0000000000400000-0x000000000044F000-memory.dmp

    Filesize

    316KB

    Download

  • memory/1324-69-0x0000000000450000-0x0000000000499000-memory.dmp

    Filesize

    292KB

    Download

  • memory/1324-74-0x0000000000450000-0x0000000000499000-memory.dmp

    Filesize

    292KB

    Download

  • memory/1324-77-0x0000000000450000-0x0000000000499000-memory.dmp

    Filesize

    292KB

    Download

  • memory/1324-79-0x0000000000450000-0x0000000000499000-memory.dmp

    Filesize

    292KB

    Download

  • memory/1324-54-0x0000000075AC1000-0x0000000075AC3000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1600-125-0x00000000000D0000-0x0000000000119000-memory.dmp

    Filesize

    292KB

    Download

  • memory/1600-117-0x00000000000D0000-0x0000000000119000-memory.dmp

    Filesize

    292KB

    Download

  • memory/1600-114-0x00000000000D0000-0x0000000000119000-memory.dmp

    Filesize

    292KB

    Download

  • memory/1600-112-0x0000000000000000-mapping.dmp

    Download

  • memory/1608-70-0x0000000000000000-mapping.dmp

    Download

  • memory/1632-73-0x0000000000000000-mapping.dmp

    Download

  • memory/1672-83-0x0000000000070000-0x00000000000B9000-memory.dmp

    Filesize

    292KB

    Download

  • memory/1672-91-0x00000000755A0000-0x00000000755E7000-memory.dmp

    Filesize

    284KB

    Download

  • memory/1672-87-0x0000000076710000-0x0000000076745000-memory.dmp

    Filesize

    212KB

    Download

  • memory/1672-99-0x0000000075AC1000-0x0000000075AC3000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1672-100-0x0000000077960000-0x0000000077AE0000-memory.dmp

    Filesize

    1.5MB

    Download

  • memory/1672-101-0x00000000756C0000-0x00000000757D0000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/1672-102-0x00000000755A0000-0x00000000755E7000-memory.dmp

    Filesize

    284KB

    Download

  • memory/1672-103-0x0000000077960000-0x0000000077AE0000-memory.dmp

    Filesize

    1.5MB

    Download

  • memory/1672-104-0x0000000077960000-0x0000000077AE0000-memory.dmp

    Filesize

    1.5MB

    Download

  • memory/1672-106-0x0000000077960000-0x0000000077AE0000-memory.dmp

    Filesize

    1.5MB

    Download

  • memory/1672-105-0x00000000756C0000-0x00000000757D0000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/1672-107-0x00000000756C0000-0x00000000757D0000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/1672-108-0x0000000077960000-0x0000000077AE0000-memory.dmp

    Filesize

    1.5MB

    Download

  • memory/1672-109-0x0000000077960000-0x0000000077AE0000-memory.dmp

    Filesize

    1.5MB

    Download

  • memory/1672-86-0x00000000755A0000-0x00000000755E7000-memory.dmp

    Filesize

    284KB

    Download

  • memory/1672-80-0x0000000000070000-0x00000000000B9000-memory.dmp

    Filesize

    292KB

    Download

  • memory/1672-78-0x0000000000000000-mapping.dmp

    Download

  • memory/1672-118-0x0000000000070000-0x00000000000B9000-memory.dmp

    Filesize

    292KB

    Download

  • memory/1672-119-0x0000000077960000-0x0000000077AE0000-memory.dmp

    Filesize

    1.5MB

    Download

  • memory/1672-120-0x00000000756C0000-0x00000000757D0000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/1672-121-0x00000000755A0000-0x00000000755E7000-memory.dmp

    Filesize

    284KB

    Download

  • memory/1672-122-0x0000000077960000-0x0000000077AE0000-memory.dmp

    Filesize

    1.5MB

    Download

  • memory/1672-123-0x0000000077960000-0x0000000077AE0000-memory.dmp

    Filesize

    1.5MB

    Download

  • memory/1672-124-0x00000000756C0000-0x00000000757D0000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/1672-75-0x0000000000070000-0x00000000000B9000-memory.dmp

    Filesize

    292KB

    Download