Analysis

  • max time kernel
    139s
  • max time network
    148s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230915-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20230915-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    18/09/2023, 10:39

General

  • Target: 08d82241b3c0ac5eea0e07985696a4927e3acc0272e0d868335137d9b31b6cb6.exe
  • Size: 7.8MB
  • MD5: a230708ee631d73d420bb7c98e837cd7
  • SHA1: 91d63bf0108e4c039f16eddcfc2fec0f9a54d566
  • SHA256: 08d82241b3c0ac5eea0e07985696a4927e3acc0272e0d868335137d9b31b6cb6
  • SHA512: 22bbbd813ec87f2919b4863c9e169f22a897a44b7b2e36352fa47bec83f4cd36519b46239e75fe90c3ebb32a49f307eb69ef77d43503f878de8aa935db18c103
  • SSDEEP: 196608:Nt2pOCslfeJfqXoHdvCznwBOQj7rFOzp5iv5bDZR1sElzSbrxB8EvW1q33vj+bqo:N48x6pVBOw7sRo

Score
7/10

Signatures

  • ACProtect 1.3x - 1.4x DLL software (3 IoCs)
    Detects a file protected with ACProtect.
  • Checks computer location settings (2 TTPs, 1 IoC)
    Looks up the country code configured in the registry, likely a geofence.
  • Executes dropped EXE (2 IoCs)
  • Loads dropped DLL (2 IoCs)
  • Reads user/profile data of web browsers (2 TTPs)
    Infostealers often target stored browser data, which can include saved credentials.
  • UPX packed file (11 IoCs)
    Detects executables packed with UPX or a modified build of the UPX open-source packer.
  • Drops desktop.ini file(s) (1 IoC)
  • Suspicious use of SetThreadContext (1 IoC)
  • Drops file in Program Files directory (19 IoCs)
  • Enumerates physical storage devices (1 TTP)
    Attempts to interact with connected storage/optical drive(s).
  • NSIS installer (4 IoCs)
  • Modifies Internet Explorer settings (1 TTP, 4 IoCs)
  • Suspicious behavior: EnumeratesProcesses (12 IoCs)
  • Suspicious use of AdjustPrivilegeToken (64 IoCs)
  • Suspicious use of FindShellTrayWindow (1 IoC)
  • Suspicious use of WriteProcessMemory (25 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\08d82241b3c0ac5eea0e07985696a4927e3acc0272e0d868335137d9b31b6cb6.exe
    "C:\Users\Admin\AppData\Local\Temp\08d82241b3c0ac5eea0e07985696a4927e3acc0272e0d868335137d9b31b6cb6.exe"
    1⤵
    • Checks computer location settings
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:3920
    • C:\Users\Admin\AppData\Local\Temp\08d82241b3c0ac5eea0e07985696a4927e3acc0272e0d868335137d9b31b6cb6.exe
      "C:\Users\Admin\AppData\Local\Temp\08d82241b3c0ac5eea0e07985696a4927e3acc0272e0d868335137d9b31b6cb6.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:220
      • C:\Users\Admin\AppData\Local\Temp\7za.dll
        "C:\Users\Admin\AppData\Local\Temp\7za.dll" x "C:\Users\Admin\AppData\Local\Temp\360Safe.dll" -o"C:\Program Files (x86)\360" -r -y
        3⤵
        • Executes dropped EXE
        • Drops file in Program Files directory
        • Suspicious use of AdjustPrivilegeToken
        PID:628
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /C WMIC BIOS get Manufacturer
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4688
        • C:\Windows\SysWOW64\Wbem\WMIC.exe
          WMIC BIOS get Manufacturer
          4⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:3812
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /C WMIC BIOS get Manufacturer
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:5032
        • C:\Windows\SysWOW64\Wbem\WMIC.exe
          WMIC BIOS get Manufacturer
          4⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:4788
      • C:\Users\Admin\AppData\Local\Temp\D184.tmp
        C:\Users\Admin\AppData\Local\Temp\D184.tmp
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Drops desktop.ini file(s)
        • Suspicious use of SetThreadContext
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of WriteProcessMemory
        PID:620
        • C:\Windows\SysWOW64\explorer.exe
          C:\Windows\system32\explorer.exe
          4⤵
          PID:2640
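Read as a chain, the tree above is: the sample relaunches its own image (3920 to 220, with WriteProcessMemory flagged on both), the copy runs a 7-Zip-syntax extractor carrying a `.dll` extension to unpack `360Safe.dll` into Program Files, queries the BIOS manufacturer through WMIC twice (a hardware fingerprint commonly used to detect virtual machines), then runs a dropped `D184.tmp` that is flagged for SetThreadContext and spawns `explorer.exe`. The Python below is an added example, not part of the report, that turns those observations into detection rules over process-creation events. The event list is constructed from the PIDs and command lines shown above; the dict field names are an assumption rather than any particular EDR's schema.

```python
import ntpath

TEMP = r"C:\Users\Admin\AppData\Local\Temp"
SAMPLE = TEMP + r"\08d82241b3c0ac5eea0e07985696a4927e3acc0272e0d868335137d9b31b6cb6.exe"

# Constructed from the report's process list (pid, parent pid, image path, command line).
EVENTS = [
    dict(pid=3920, ppid=0, image=SAMPLE, cmdline=f'"{SAMPLE}"'),
    dict(pid=220, ppid=3920, image=SAMPLE, cmdline=f'"{SAMPLE}"'),
    dict(pid=628, ppid=220, image=TEMP + r"\7za.dll",
         cmdline=f'"{TEMP}\\7za.dll" x "{TEMP}\\360Safe.dll" -o"C:\\Program Files (x86)\\360" -r -y'),
    dict(pid=4688, ppid=220, image=r"C:\Windows\SysWOW64\cmd.exe",
         cmdline=r"C:\Windows\system32\cmd.exe /C WMIC BIOS get Manufacturer"),
    dict(pid=3812, ppid=4688, image=r"C:\Windows\SysWOW64\Wbem\WMIC.exe", cmdline="WMIC BIOS get Manufacturer"),
    dict(pid=5032, ppid=220, image=r"C:\Windows\SysWOW64\cmd.exe",
         cmdline=r"C:\Windows\system32\cmd.exe /C WMIC BIOS get Manufacturer"),
    dict(pid=4788, ppid=5032, image=r"C:\Windows\SysWOW64\Wbem\WMIC.exe", cmdline="WMIC BIOS get Manufacturer"),
    dict(pid=620, ppid=220, image=TEMP + r"\D184.tmp", cmdline=TEMP + r"\D184.tmp"),
    dict(pid=2640, ppid=620, image=r"C:\Windows\SysWOW64\explorer.exe", cmdline=r"C:\Windows\system32\explorer.exe"),
]

EXEC_EXTENSIONS = {".exe", ".com", ".scr"}


def in_temp(path: str) -> bool:
    return path.lower().startswith(TEMP.lower() + "\\")


def analyze(events):
    """Return sorted (rule, pid) findings for a list of process-creation events."""
    by_pid = {e["pid"]: e for e in events}
    findings = set()
    for e in events:
        img = e["image"]
        name = ntpath.basename(img).lower()
        ext = ntpath.splitext(name)[1]
        argv = e["cmdline"].split()
        low = {a.lower() for a in argv}
        parent = by_pid.get(e["ppid"])
        # 1. A file with a non-executable extension (.dll, .tmp) was started as a process.
        if ext not in EXEC_EXTENSIONS:
            findings.add(("misleading_extension_executed", e["pid"]))
        # 2. 7-Zip-style extraction ("x <archive> -o<dir>") launched from a Temp-resident binary.
        if in_temp(img) and "x" in argv[1:] and any(a.startswith("-o") for a in argv):
            findings.add(("temp_binary_extracts_archive", e["pid"]))
        # 3. BIOS manufacturer lookup via WMIC: hardware fingerprinting, a common VM/sandbox check.
        if name == "wmic.exe" and {"bios", "manufacturer"} <= low:
            findings.add(("bios_manufacturer_query", e["pid"]))
        # 4. A Temp-resident binary spawns explorer.exe (hollowing candidate when SetThreadContext is also seen).
        if name == "explorer.exe" and parent and in_temp(parent["image"]):
            findings.add(("temp_binary_spawns_explorer", e["pid"]))
        # 5. A process starts a copy of its own image; with WriteProcessMemory this is the usual unpack/inject step.
        if parent and parent["image"].lower() == img.lower():
            findings.add(("self_relaunch", e["pid"]))
    return sorted(findings)


def lineage(events, pid):
    """Image basenames from the root of the tree down to `pid`."""
    by_pid = {e["pid"]: e for e in events}
    chain = []
    while pid in by_pid:
        chain.append(ntpath.basename(by_pid[pid]["image"]))
        pid = by_pid[pid]["ppid"]
    return list(reversed(chain))


if __name__ == "__main__":
    for rule, pid in analyze(EVENTS):
        print(f"{rule:32} pid={pid:<5} via {' > '.join(lineage(EVENTS, pid))}")
```

Each rule on its own is noisy (installers legitimately extract archives, inventory scripts query WMIC); the value is in the lineage, where all five fire under one parent that lives in the user's Temp directory.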

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\360Safe.dll
    Filesize: 197KB
    MD5: 7a8eea054b013d75c270b06784fafa70
    SHA1: bab072e99a9851000b5c093ba72773c520620949
    SHA256: 505162f488334afe73bdba1e8a1922ec84b62a95133f68c1c2f57830ea204912
    SHA512: ac7674d2d0899a3548de455b97f328fa7203ae49def2392b06061f59c697b024fbcf50de18c8c6b610d0f397411d13e798315d1d131d5dd651d4e67fc16f5589

  • C:\Users\Admin\AppData\Local\Temp\7za.dll
    Filesize: 637KB
    MD5: e3c061fa0450056e30285fd44a74cd2a
    SHA1: 8c7659e6ee9fe5ead17cae2969d3148730be509b
    SHA256: e0e2c7d0f740fe2a4e8658ce54dfb6eb3c47c37fe90a44a839e560c685f1f1fa
    SHA512: fe7796b4c5aa07c40aa2511a987fed59366d3c27bf7343f126f06cb937bfe7a7d8bd6cd785a7e3dc9087b99973e8542b6da7be6eed4585bd3cee13164aed79b4

  • C:\Users\Admin\AppData\Local\Temp\D184.tmp
    Filesize: 416KB
    MD5: 6f0be919061559d466793b7f360266ae
    SHA1: 219e8f25a1323f9eb6569a724ca13720f1afc3df
    SHA256: 459ea02456d7c6a107a1644fd175eba086ba5c18e21d37cc59be02cf16ed8d5c
    SHA512: fbf1e94a2f1ffccf65783c95cb26ebcd5f997115b0cd18738f28ce39903dd9fb04c3b0d2f5b487c4536c639f6bc9d53b49f71719856e4622d939172a772e7178

  • C:\Users\Admin\AppData\Local\Temp\nscD520.tmp\SelfDel.dll
    Filesize: 5KB
    MD5: e5786e8703d651bc8bd4bfecf46d3844
    SHA1: fee5aa4b325deecbf69ccb6eadd89bd5ae59723f
    SHA256: d115bce0a787b4f895e700efe943695c8f1087782807d91d831f6015b0f98774
    SHA512: d14ad43a01db19428cd8ccd2fe101750860933409b5be2eb85a3e400efcd37b1b6425ce84e87a7fe46ecabc7b91c4b450259e624c178b86e194ba7da97957ba3

  • C:\Users\Admin\AppData\Local\Temp\nscD520.tmp\System.dll
    Filesize: 11KB
    MD5: 0063d48afe5a0cdc02833145667b6641
    SHA1: e7eb614805d183ecb1127c62decb1a6be1b4f7a8
    SHA256: ac9dfe3b35ea4b8932536ed7406c29a432976b685cc5322f94ef93df920fede7
    SHA512: 71cbbcaeb345e09306e368717ea0503fe8df485be2e95200febc61bcd8ba74fb4211cd263c232f148c0123f6c6f2e3fd4ea20bdecc4070f5208c35c6920240f0

  • C:\Users\Admin\AppData\Roaming\360se6\User Data\Default\Bookmarks
    Filesize: 3KB
    MD5: e04876066daba4562e56919fe876d20a
    SHA1: 29195357c65ee1deebf52d1c44ee4e78764638ad
    SHA256: dd761fc060b9a313c26f68300e5c6f80d9ebc97427ed7b24613337dc52191a81
    SHA512: 63ec3428dca0eb920bbd5f1a4697f6ab3e130d0177bb1a3098be1d7a23db26c1247566fa767b0dbb00341ee2c2d0d65ee3f668a9250b3baf8b42adbbdfd2de35

  • memory/220-2-0x0000000001600000-0x0000000001601000-memory.dmp (4KB)
  • memory/220-25-0x0000000000400000-0x000000000142A000-memory.dmp (16.2MB)
  • memory/220-26-0x0000000000400000-0x000000000142A000-memory.dmp (16.2MB)
  • memory/220-27-0x0000000000400000-0x000000000142A000-memory.dmp (16.2MB)
  • memory/220-23-0x0000000000400000-0x000000000142A000-memory.dmp (16.2MB)
  • memory/220-22-0x0000000000400000-0x000000000142A000-memory.dmp (16.2MB)
  • memory/220-24-0x0000000001600000-0x0000000001601000-memory.dmp (4KB)
  • memory/220-125-0x0000000000400000-0x000000000142A000-memory.dmp (16.2MB)
  • memory/620-117-0x0000000074590000-0x0000000074599000-memory.dmp (36KB)
  • memory/3920-0-0x0000000000400000-0x000000000142A000-memory.dmp (16.2MB)
  • memory/3920-1-0x0000000001BC0000-0x0000000001BC1000-memory.dmp (4KB)
  • memory/3920-3-0x0000000000400000-0x000000000142A000-memory.dmp (16.2MB)
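The dump names above encode the PID, a dump index and the virtual address range. Parsing them shows that the 16.2MB region at 0x400000 (0x102A000 bytes, roughly twice the 7.8MB file on disk, which is consistent with a packed image expanding in memory) was captured from both the initial process 3920 and its relaunched copy 220, matching the WriteProcessMemory flags on both. The Python below is an added example for this page, not sandbox tooling: a parser for this dump-name format, a size formatter that reproduces the report's units, and a grouping that finds regions dumped from more than one process. The list of names is copied from the entries above.

```python
import re
from collections import defaultdict

DUMP_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<idx>\d+)-0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)

# Copied from the report's memory-dump list (order preserved).
DUMPS = [
    "memory/220-2-0x0000000001600000-0x0000000001601000-memory.dmp",
    "memory/220-25-0x0000000000400000-0x000000000142A000-memory.dmp",
    "memory/220-26-0x0000000000400000-0x000000000142A000-memory.dmp",
    "memory/220-27-0x0000000000400000-0x000000000142A000-memory.dmp",
    "memory/220-23-0x0000000000400000-0x000000000142A000-memory.dmp",
    "memory/220-22-0x0000000000400000-0x000000000142A000-memory.dmp",
    "memory/220-24-0x0000000001600000-0x0000000001601000-memory.dmp",
    "memory/220-125-0x0000000000400000-0x000000000142A000-memory.dmp",
    "memory/620-117-0x0000000074590000-0x0000000074599000-memory.dmp",
    "memory/3920-0-0x0000000000400000-0x000000000142A000-memory.dmp",
    "memory/3920-1-0x0000000001BC0000-0x0000000001BC1000-memory.dmp",
    "memory/3920-3-0x0000000000400000-0x000000000142A000-memory.dmp",
]


def parse_dump_name(name: str) -> dict:
    """Split 'memory/<pid>-<idx>-0x<start>-0x<end>-memory.dmp' into its fields; reject malformed ranges."""
    m = DUMP_RE.match(name)
    if not m:
        raise ValueError(f"unrecognised dump name: {name}")
    start, end = int(m["start"], 16), int(m["end"], 16)
    if end <= start:
        raise ValueError(f"empty or inverted range: {name}")
    return {"pid": int(m["pid"]), "idx": int(m["idx"]), "start": start, "end": end, "size": end - start}


def human_size(n: int) -> str:
    """Same rounding the report uses: whole KB below 1MiB, one decimal MB above."""
    return f"{n / 2**20:.1f}MB" if n >= 2**20 else f"{n // 1024}KB"


def regions_by_pid(names):
    """pid -> {(start, end): [dump indices]} so repeated dumps of one region collapse into one entry."""
    out = defaultdict(lambda: defaultdict(list))
    for d in map(parse_dump_name, names):
        out[d["pid"]][(d["start"], d["end"])].append(d["idx"])
    return {pid: dict(regions) for pid, regions in out.items()}


def shared_regions(names):
    """Address ranges dumped from more than one process, with the sorted PIDs that share them."""
    seen = defaultdict(set)
    for d in map(parse_dump_name, names):
        seen[(d["start"], d["end"])].add(d["pid"])
    return {rng: sorted(pids) for rng, pids in seen.items() if len(pids) > 1}


if __name__ == "__main__":
    for pid, regions in sorted(regions_by_pid(DUMPS).items()):
        for (start, end), idxs in sorted(regions.items()):
            print(f"pid {pid:<5} 0x{start:08X}-0x{end:08X} {human_size(end - start):>7} dumps={sorted(idxs)}")
    for (start, end), pids in shared_regions(DUMPS).items():
        print(f"shared 0x{start:08X}-0x{end:08X} across pids {pids}")
```

The repeated 0x400000 dumps of PID 220 (indices 22 through 27, then 125) are successive snapshots of the same image region, so when picking one to unpack, take the latest index rather than the first.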