Overview

overview

8

Static

static

8

4d18734b08...12.exe

windows7-x64

8

4d18734b08...12.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    187s
  • max time network
    50s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    23-11-2022 19:13

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    4d18734b0832e0cf91fdf3176fabf2a8344912a979d66066a14cdddd82036212.exe

  • Size

    175KB

  • MD5

    4478d63bfa4ba7eedfbbdbb01e675286

  • SHA1

    c90eaec956002d5ddfcd7b2ce0510ee93fad8290

  • SHA256

    4d18734b0832e0cf91fdf3176fabf2a8344912a979d66066a14cdddd82036212

  • SHA512

    995b0da360ba473fa77a2d5d532e96f336c0987392e0af8e3f745a6dcc1924246d7f95500b1ad91655b72a70acab16a4ba2a3ed399de56c1e23302d48f412369

  • SSDEEP

    3072:JYNQKPWDyaRefVJltZrpRl1P3KflMPp8GvYLT3V7qlqL8jGOQpIPpnt+HT5WQ8Ai:yNSDyaRO1thpMflMPS1TVmML8jBQWVY8

Score
8/10
spywarestealerupx

Malware Config

Signatures

  • UPX packed file 2 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Enumerates connected drives 3 TTPs 22 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory 21 IoCs
  • Drops file in Program Files directory 15 IoCs
  • Drops file in Windows directory 12 IoCs
  • Modifies data under HKEY_USERS 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 7 IoCs
  • Suspicious use of SetWindowsHookEx 5 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\4d18734b0832e0cf91fdf3176fabf2a8344912a979d66066a14cdddd82036212.exe
    "C:\Users\Admin\AppData\Local\Temp\4d18734b0832e0cf91fdf3176fabf2a8344912a979d66066a14cdddd82036212.exe"
    1⤵
    • Enumerates connected drives
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    PID:1752
  • C:\Windows\system32\dllhost.exe
    C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
    1⤵
    • Drops file in Windows directory
    PID:1280
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:1772
  • C:\Windows\system32\SearchIndexer.exe
    C:\Windows\system32\SearchIndexer.exe /Embedding
    1⤵
    • Modifies data under HKEY_USERS
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:468
    • C:\Windows\system32\SearchProtocolHost.exe
      "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe_S-1-5-21-2292972927-2705560509-2768824231-10001_ Global\UsGthrCtrlFltPipeMssGthrPipe_S-1-5-21-2292972927-2705560509-2768824231-10001 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" "1"
      2⤵
      • Suspicious use of SetWindowsHookEx
      PID:304
    • C:\Windows\system32\SearchFilterHost.exe
      "C:\Windows\system32\SearchFilterHost.exe" 0 512 516 524 65536 520
      2⤵
        PID:340

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Privilege Escalation

    Defense Evasion

    Credential Access

    Credentials in Files

    1
    T1081

    Discovery

    Query Registry

    1
    T1012

    Peripheral Device Discovery

    1
    T1120

    System Information Discovery

    1
    T1082

    Lateral Movement

    Collection

    Data from Local System

    1
    T1005

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/304-94-0x0000000000000000-mapping.dmp
      Download
    • memory/340-95-0x0000000000000000-mapping.dmp
      Download
    • memory/468-57-0x0000000002970000-0x0000000002980000-memory.dmp
      Filesize

      64KB

      Download
    • memory/468-73-0x0000000002A70000-0x0000000002A80000-memory.dmp
      Filesize

      64KB

      Download
    • memory/468-89-0x0000000003E70000-0x0000000003E78000-memory.dmp
      Filesize

      32KB

      Download
    • memory/468-92-0x0000000003E70000-0x0000000003E78000-memory.dmp
      Filesize

      32KB

      Download
    • memory/468-93-0x0000000003ED0000-0x0000000003ED8000-memory.dmp
      Filesize

      32KB

      Download
    • memory/1752-54-0x0000000075BA1000-0x0000000075BA3000-memory.dmp
      Filesize

      8KB

      Download
    • memory/1752-55-0x0000000001000000-0x0000000001055000-memory.dmp
      Filesize

      340KB

      Download
    • memory/1752-96-0x0000000001000000-0x0000000001055000-memory.dmp
      Filesize

      340KB

      Download
    • memory/1772-56-0x000007FEFBF21000-0x000007FEFBF23000-memory.dmp
      Filesize

      8KB

      Download