Analysis

  • max time kernel
    151s
  • max time network
    155s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    25-11-2022 06:47

General

  • Target

    f2bd8dad0865697b7422f3ef00bd860c3616e8080dbf12c7e6b0e5828cebf0d8.exe

  • Size

    1.2MB

  • MD5

    a2aad753587a08feeb95e997e0b50b06

  • SHA1

    44e7398af49003fa3d8632519af7910360f9bb93

  • SHA256

    f2bd8dad0865697b7422f3ef00bd860c3616e8080dbf12c7e6b0e5828cebf0d8

  • SHA512

    4283eb55e555019e0b6bc8bb6399080a780c648fb02a9778435d2b4fc8eb8369aea291cc36940aad4a3e322af9b87152adc0c297d98e011dc85077709419b96d

  • SSDEEP

    24576:w32K9nTaIi6fKcs2RDCZ3uBs0Sb9m3n7IWOZp46aE9RAW:w3MIimKZ8mBuBs0S58nbOZ1aE9O

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • UPX packed file 5 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Reads local data of messenger clients 2 TTPs

    Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Uses the VBS compiler for execution 1 TTPs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • AutoIT Executable 3 IoCs

    AutoIT scripts compiled to PE executables.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious use of FindShellTrayWindow 11 IoCs
  • Suspicious use of SendNotifyMessage 11 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f2bd8dad0865697b7422f3ef00bd860c3616e8080dbf12c7e6b0e5828cebf0d8.exe
    "C:\Users\Admin\AppData\Local\Temp\f2bd8dad0865697b7422f3ef00bd860c3616e8080dbf12c7e6b0e5828cebf0d8.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:2612
    • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2216
      • C:\Users\Admin\AppData\Roaming\cpuid.exe
        "C:\Users\Admin\AppData\Roaming\cpuid.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        • Suspicious use of WriteProcessMemory
        PID:5040
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c dir /b /s /a "C:\Users\Admin\AppData\Roaming\*.dat"
          4⤵
            PID:1744

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    • Execution: Scripting (1) T1064
    • Persistence: Registry Run Keys / Startup Folder (1) T1060
    • Defense Evasion: Scripting (1) T1064; Modify Registry (1) T1112
    • Credential Access: Credentials in Files (2) T1081
    • Discovery: System Information Discovery (1) T1082
    • Collection: Data from Local System (2) T1005

    Downloads

    • C:\Users\Admin\AppData\Roaming\cpuid.exe
      Filesize

      376KB

      MD5

      3f941c126d0b8babc471e0e91c49a5bf

      SHA1

      6f7b63fbdf1bd596a4c87c04a023b6ab75c8b1d7

      SHA256

      357aeae30cfdc314f327d40f9be6e95a7b6bdb2688fe8fc0102a8a19c88c5af8

      SHA512

      ee09f0b1d43055714cd209141454114e190b0e36f16aeeb0b2368f7ff7bb9f6cdaf7b963e57059182121b530dd9f56bfd9077b83cddb522f04e5802ea6045a72

    • memory/1744-145-0x0000000000000000-mapping.dmp
    • memory/2216-142-0x0000000000400000-0x00000000004BB000-memory.dmp
      Filesize

      748KB

    • memory/2216-138-0x0000000000400000-0x00000000004BB000-memory.dmp
      Filesize

      748KB

    • memory/2216-136-0x0000000000400000-0x00000000004BB000-memory.dmp
      Filesize

      748KB

    • memory/2216-134-0x0000000000400000-0x00000000004BB000-memory.dmp
      Filesize

      748KB

    • memory/2216-133-0x0000000000000000-mapping.dmp
    • memory/2612-137-0x0000000075270000-0x0000000075821000-memory.dmp
      Filesize

      5.7MB

    • memory/2612-132-0x0000000075270000-0x0000000075821000-memory.dmp
      Filesize

      5.7MB

    • memory/5040-139-0x0000000000000000-mapping.dmp
    • memory/5040-143-0x0000000000400000-0x00000000004C1000-memory.dmp
      Filesize

      772KB

    • memory/5040-144-0x0000000000400000-0x00000000004C1000-memory.dmp
      Filesize

      772KB

    • memory/5040-146-0x0000000000400000-0x00000000004C1000-memory.dmp
      Filesize

      772KB