Overview

overview

7

Static

static

7

Policies__...23.exe

windows7-x64

7

Policies__...23.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    153s
  • max time network
    49s
  • platform
    windows7_x64
  • resource
    win7-20230831-en
  • resource tags

    arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
  • submitted
    11-10-2023 23:19

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Policies__and_requirements_for candidates_during_the_term_of_the contract_Salary and _ benefits_list_2023.exe

  • Size

    70.4MB

  • MD5

    38739fdf925c3176f44c664f8ec36b88

  • SHA1

    c06b8b5224b129f39957d3072c619a52bcabd4e0

  • SHA256

    7579bea10744c76ff0a36331dee902c4b7cad701515b3b20817afa569322ae81

  • SHA512

    3a097e6e06c00201e27e116b64c8b5442591f5afca9c6e75c269614d274fd703c3ebdfac67442d1ace8b8eeebfbbfb56d9edfe90f1565d6716102dd8be3e9fc2

  • SSDEEP

    1572864:9rIQsGtBepKQIQxt4EHSEf7/JLFDf2UkjxCI7LL:RIQsGapY8t4Ebz/ZFDzIz

Score
7/10
spywarestealerupx

Malware Config

Signatures

  • Loads dropped DLL 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • UPX packed file 6 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Policies__and_requirements_for candidates_during_the_term_of_the contract_Salary and _ benefits_list_2023.exe
    "C:\Users\Admin\AppData\Local\Temp\Policies__and_requirements_for candidates_during_the_term_of_the contract_Salary and _ benefits_list_2023.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:2932
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -ExecutionPolicy Bypass -File "C:\Users\Public\param.ps1"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2908
      • C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Public\INDITEX2.pdf"
        3⤵
        • Suspicious use of SetWindowsHookEx
        PID:2868

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents
    Filesize

    3KB

    MD5

    755ef3c104be9de61ceed82eba3399a5

    SHA1

    9e5672693471630c436dfc8631edb4df8fc13b38

    SHA256

    4983904186f83b10f30232d8e2d015e0cc54f206cfb76412545a04759f93a2a0

    SHA512

    6f100c7edab127177a8a9076e17168f3e27e0e38f4c480208f1fbfa475033bd76dc6a009c12874031bda0b9ef1462d9497b2f4856f6793a7deec2a9f3bdec920

    Download Submit

  • C:\Users\Admin\Desktop\Google Chrome.lnk
    Filesize

    2KB

    MD5

    72ae103285f59bc55243157127c8c712

    SHA1

    4fb4c547c86536618500bee1b62d892fdc68fdba

    SHA256

    8b805d3e293e28a176abb75208973555f826862e77119b3b21861245a1eda123

    SHA512

    62412e2d927d4960960f7b1dca875295331897ecd5da85869004b4d34d429b437c7ef6084c17b6f19a53b0ee0220dbc6b770756fab29b717236a10cd97ee6321

    Download Submit

  • C:\Users\Public\INDITEX2.pdf
    Filesize

    72KB

    MD5

    fcf4e0ff23405e66ca3b84ab492f4cd3

    SHA1

    b37572379db0b7cb97ce14ed53e64e78b2d0366e

    SHA256

    864ca03a33d39d206a848980b9ed7418f1a1ec474b94c76046c9ed1ea348ed1b

    SHA512

    5791aa2eb35fcee4140874443c7f5782f313e44bb765e2d90fb1c47b75325597aeeabdca6c5aedfb20d78dffcd1b27a2f7dda11e7db0a2127da8747eb63de398

    Download Submit

  • C:\Users\Public\param.ps1
    Filesize

    148B

    MD5

    49e913c2174205f601ed77ffccaeeac8

    SHA1

    156c9afd6f0d15f54c1d296dbc195b51abacdfc7

    SHA256

    ab95f377bf7ae66d26ae7d0d56b71dec096b026b8090f4c5a19ac677a9ffe047

    SHA512

    f5b6ea396ace58345c4bde831b0249557b7cbea77f799bb6c2b1c35c080230d98b98e12ee6d8938655e047d0b0f2f6ecb7466d36e7011743b83174fd8650d369

    Download Submit

  • \Users\Public\Libraries\libEGL.dll
    Filesize

    5.0MB

    MD5

    84b785b443b44521f02576019a56392d

    SHA1

    9ce93d97a8f88d25c27cc1f45605a9d5ff793c41

    SHA256

    e4f1e119c92ca070a8620302573cdf59b8591dca30fdeee70e78ec1c29832ab1

    SHA512

    6ad9e84595c249cbafcfbe4e1c06206fce69ddbcab97011fa2b407de93686387a5373d61e17144032c7d095684bc8491d4436a1073cec2b08d8a485adcb6972b

    Download Submit

  • memory/2908-22-0x000000001B260000-0x000000001B542000-memory.dmp

    Filesize

    2.9MB

    Download

  • memory/2908-48-0x000007FEF5C50000-0x000007FEF65ED000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2908-45-0x0000000002680000-0x0000000002700000-memory.dmp

    Filesize

    512KB

    Download

  • memory/2908-43-0x0000000002680000-0x0000000002700000-memory.dmp

    Filesize

    512KB

    Download

  • memory/2908-23-0x000007FEF5C50000-0x000007FEF65ED000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2908-25-0x0000000002290000-0x0000000002298000-memory.dmp

    Filesize

    32KB

    Download

  • memory/2908-49-0x0000000002680000-0x0000000002700000-memory.dmp

    Filesize

    512KB

    Download

  • memory/2908-42-0x0000000002680000-0x0000000002700000-memory.dmp

    Filesize

    512KB

    Download

  • memory/2908-50-0x0000000002680000-0x0000000002700000-memory.dmp

    Filesize

    512KB

    Download

  • memory/2908-40-0x000007FEF5C50000-0x000007FEF65ED000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2908-44-0x0000000002680000-0x0000000002700000-memory.dmp

    Filesize

    512KB

    Download

  • memory/2932-13-0x00000000751D0000-0x00000000756E0000-memory.dmp

    Filesize

    5.1MB

    Download

  • memory/2932-39-0x0000000001080000-0x00000000019AA000-memory.dmp

    Filesize

    9.2MB

    Download

  • memory/2932-33-0x00000000751D0000-0x00000000756E0000-memory.dmp

    Filesize

    5.1MB

    Download

  • memory/2932-41-0x00000000751D0000-0x00000000756E0000-memory.dmp

    Filesize

    5.1MB

    Download

  • memory/2932-24-0x0000000001080000-0x00000000019AA000-memory.dmp

    Filesize

    9.2MB

    Download

  • memory/2932-14-0x00000000002A0000-0x00000000002A1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2932-0-0x0000000001080000-0x00000000019AA000-memory.dmp

    Filesize

    9.2MB

    Download

  • memory/2932-12-0x0000000001080000-0x00000000019AA000-memory.dmp

    Filesize

    9.2MB

    Download

  • memory/2932-3-0x0000000001080000-0x00000000019AA000-memory.dmp

    Filesize

    9.2MB

    Download

  • memory/2932-2-0x0000000001080000-0x00000000019AA000-memory.dmp

    Filesize

    9.2MB

    Download

  • memory/2932-1-0x00000000001E0000-0x00000000001E1000-memory.dmp

    Filesize

    4KB

    Download