47a0a0614413a0a9bfa2c7cda4c62ae531e8536935063b700f6c826a385e202a

Resubmissions

27/10/2023, 10:16

231027-ma78jafc79 10

27/10/2023, 09:43

231027-lp951afb68 10

Analysis

max time kernel
1800s
max time network
1803s
platform
windows10-2004_x64
resource
win10v2004-20231020-en
resource tags

arch:x64arch:x86image:win10v2004-20231020-enlocale:en-usos:windows10-2004-x64system
submitted
27/10/2023, 10:16

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

a.exe
Size

41KB
MD5

cca1e0b65d759f4c58ce760f94039a0a
SHA1

e8cd0e0bac4271e01693ac513dc481989d43cf1d
SHA256

47a0a0614413a0a9bfa2c7cda4c62ae531e8536935063b700f6c826a385e202a
SHA512

33f1db95b2ba0ac6f485b9865561a9ecf9cfb9bcd2904d3eebb457a3c0a56390c6b8244df5783342ecbcf7da7fe426f750d718cb845d1e9b3093a7957c0597cc
SSDEEP

768:UzgvtFFMV64JurinoIfAlv8/3BXS+Ccrz/bnj4shU:FvV4JvnBD/A+CcXDnMJ

Score

7^/10

persistence spyware stealer upx

Malware Config

Signatures

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client.exe	a.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client.exe	a.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral3/memory/1812-8-0x0000000000400000-0x0000000000472000-memory.dmp	upx
behavioral3/memory/1812-10-0x0000000000400000-0x0000000000472000-memory.dmp	upx
behavioral3/memory/1812-12-0x0000000000400000-0x0000000000472000-memory.dmp	upx
behavioral3/memory/1812-11-0x0000000000400000-0x0000000000472000-memory.dmp	upx
behavioral3/memory/1812-17-0x0000000000400000-0x0000000000472000-memory.dmp	upx

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Client.exe = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\a.exe\" .."	a.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Client.exe = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\a.exe\" .."	a.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1004 set thread context of 1812	1004	a.exe	104

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1004	a.exe
1004	a.exe
1004	a.exe
1004	a.exe
1004	a.exe
1004	a.exe
1004	a.exe
1004	a.exe
1004	a.exe
1004	a.exe
1004	a.exe
1004	a.exe
1004	a.exe
1004	a.exe
1004	a.exe
1004	a.exe
1004	a.exe
1004	a.exe
1004	a.exe
1004	a.exe
1004	a.exe
1004	a.exe
1004	a.exe
1004	a.exe
1004	a.exe
1004	a.exe
1004	a.exe
1004	a.exe
1004	a.exe
1004	a.exe
1004	a.exe
1004	a.exe
1004	a.exe
1004	a.exe
1004	a.exe
1004	a.exe
1004	a.exe
1004	a.exe
1004	a.exe
1004	a.exe
1004	a.exe
1004	a.exe
1004	a.exe
1004	a.exe
1004	a.exe
1004	a.exe
1004	a.exe
1004	a.exe
1004	a.exe
1004	a.exe
1004	a.exe
1004	a.exe
1004	a.exe
1004	a.exe
1004	a.exe
1004	a.exe
1004	a.exe
1004	a.exe
1004	a.exe
1004	a.exe
1004	a.exe
1004	a.exe
1004	a.exe
1004	a.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1004	a.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1004	a.exe
Token: 33	1004	a.exe
Token: SeIncBasePriorityPrivilege	1004	a.exe
Token: 33	1004	a.exe
Token: SeIncBasePriorityPrivilege	1004	a.exe
Token: 33	1004	a.exe
Token: SeIncBasePriorityPrivilege	1004	a.exe
Token: 33	1004	a.exe
Token: SeIncBasePriorityPrivilege	1004	a.exe
Token: 33	1004	a.exe
Token: SeIncBasePriorityPrivilege	1004	a.exe
Token: 33	1004	a.exe
Token: SeIncBasePriorityPrivilege	1004	a.exe
Token: 33	1004	a.exe
Token: SeIncBasePriorityPrivilege	1004	a.exe
Token: 33	1004	a.exe
Token: SeIncBasePriorityPrivilege	1004	a.exe
Token: 33	1004	a.exe
Token: SeIncBasePriorityPrivilege	1004	a.exe
Token: 33	1004	a.exe
Token: SeIncBasePriorityPrivilege	1004	a.exe
Token: 33	1004	a.exe
Token: SeIncBasePriorityPrivilege	1004	a.exe
Token: 33	1004	a.exe
Token: SeIncBasePriorityPrivilege	1004	a.exe
Token: 33	1004	a.exe
Token: SeIncBasePriorityPrivilege	1004	a.exe
Token: 33	1004	a.exe
Token: SeIncBasePriorityPrivilege	1004	a.exe
Token: 33	1004	a.exe
Token: SeIncBasePriorityPrivilege	1004	a.exe
Token: 33	1004	a.exe
Token: SeIncBasePriorityPrivilege	1004	a.exe
Token: 33	1004	a.exe
Token: SeIncBasePriorityPrivilege	1004	a.exe
Token: 33	1004	a.exe
Token: SeIncBasePriorityPrivilege	1004	a.exe
Token: 33	1004	a.exe
Token: SeIncBasePriorityPrivilege	1004	a.exe
Token: 33	1004	a.exe
Token: SeIncBasePriorityPrivilege	1004	a.exe
Token: 33	1004	a.exe
Token: SeIncBasePriorityPrivilege	1004	a.exe
Token: 33	1004	a.exe
Token: SeIncBasePriorityPrivilege	1004	a.exe
Token: 33	1004	a.exe
Token: SeIncBasePriorityPrivilege	1004	a.exe
Token: 33	1004	a.exe
Token: SeIncBasePriorityPrivilege	1004	a.exe
Token: 33	1004	a.exe
Token: SeIncBasePriorityPrivilege	1004	a.exe
Token: 33	1004	a.exe
Token: SeIncBasePriorityPrivilege	1004	a.exe
Token: 33	1004	a.exe
Token: SeIncBasePriorityPrivilege	1004	a.exe
Token: 33	1004	a.exe
Token: SeIncBasePriorityPrivilege	1004	a.exe
Token: 33	1004	a.exe
Token: SeIncBasePriorityPrivilege	1004	a.exe
Token: 33	1004	a.exe
Token: SeIncBasePriorityPrivilege	1004	a.exe
Token: 33	1004	a.exe
Token: SeIncBasePriorityPrivilege	1004	a.exe
Token: 33	1004	a.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1004 wrote to memory of 1812	1004	a.exe	104
PID 1004 wrote to memory of 1812	1004	a.exe	104
PID 1004 wrote to memory of 1812	1004	a.exe	104
PID 1004 wrote to memory of 1812	1004	a.exe	104
PID 1004 wrote to memory of 1812	1004	a.exe	104
PID 1004 wrote to memory of 1812	1004	a.exe	104
PID 1004 wrote to memory of 1812	1004	a.exe	104
PID 4292 wrote to memory of 4584	4292	msedge.exe	122
PID 4292 wrote to memory of 4584	4292	msedge.exe	122
PID 4292 wrote to memory of 2312	4292	msedge.exe	123
PID 4292 wrote to memory of 2312	4292	msedge.exe	123
PID 4292 wrote to memory of 2312	4292	msedge.exe	123
PID 4292 wrote to memory of 2312	4292	msedge.exe	123
PID 4292 wrote to memory of 2312	4292	msedge.exe	123
PID 4292 wrote to memory of 2312	4292	msedge.exe	123
PID 4292 wrote to memory of 2312	4292	msedge.exe	123
PID 4292 wrote to memory of 2312	4292	msedge.exe	123
PID 4292 wrote to memory of 2312	4292	msedge.exe	123
PID 4292 wrote to memory of 2312	4292	msedge.exe	123
PID 4292 wrote to memory of 2312	4292	msedge.exe	123
PID 4292 wrote to memory of 2312	4292	msedge.exe	123
PID 4292 wrote to memory of 2312	4292	msedge.exe	123
PID 4292 wrote to memory of 2312	4292	msedge.exe	123
PID 4292 wrote to memory of 2312	4292	msedge.exe	123
PID 4292 wrote to memory of 2312	4292	msedge.exe	123
PID 4292 wrote to memory of 2312	4292	msedge.exe	123
PID 4292 wrote to memory of 2312	4292	msedge.exe	123
PID 4292 wrote to memory of 2312	4292	msedge.exe	123
PID 4292 wrote to memory of 2312	4292	msedge.exe	123
PID 4292 wrote to memory of 2312	4292	msedge.exe	123
PID 4292 wrote to memory of 2312	4292	msedge.exe	123
PID 4292 wrote to memory of 2312	4292	msedge.exe	123
PID 4292 wrote to memory of 2312	4292	msedge.exe	123
PID 4292 wrote to memory of 2312	4292	msedge.exe	123
PID 4292 wrote to memory of 2312	4292	msedge.exe	123
PID 4292 wrote to memory of 2312	4292	msedge.exe	123
PID 4292 wrote to memory of 2312	4292	msedge.exe	123
PID 4292 wrote to memory of 2312	4292	msedge.exe	123
PID 4292 wrote to memory of 2312	4292	msedge.exe	123
PID 4292 wrote to memory of 2312	4292	msedge.exe	123
PID 4292 wrote to memory of 2312	4292	msedge.exe	123
PID 4292 wrote to memory of 2312	4292	msedge.exe	123
PID 4292 wrote to memory of 2312	4292	msedge.exe	123
PID 4292 wrote to memory of 2312	4292	msedge.exe	123
PID 4292 wrote to memory of 2312	4292	msedge.exe	123
PID 4292 wrote to memory of 2312	4292	msedge.exe	123
PID 4292 wrote to memory of 2312	4292	msedge.exe	123
PID 4292 wrote to memory of 2312	4292	msedge.exe	123
PID 4292 wrote to memory of 2312	4292	msedge.exe	123
PID 4292 wrote to memory of 2164	4292	msedge.exe	124
PID 4292 wrote to memory of 2164	4292	msedge.exe	124
PID 4292 wrote to memory of 876	4292	msedge.exe	125
PID 4292 wrote to memory of 876	4292	msedge.exe	125
PID 4292 wrote to memory of 876	4292	msedge.exe	125
PID 4292 wrote to memory of 876	4292	msedge.exe	125
PID 4292 wrote to memory of 876	4292	msedge.exe	125
PID 4292 wrote to memory of 876	4292	msedge.exe	125
PID 4292 wrote to memory of 876	4292	msedge.exe	125
PID 4292 wrote to memory of 876	4292	msedge.exe	125
PID 4292 wrote to memory of 876	4292	msedge.exe	125
PID 4292 wrote to memory of 876	4292	msedge.exe	125
PID 4292 wrote to memory of 876	4292	msedge.exe	125
PID 4292 wrote to memory of 876	4292	msedge.exe	125
PID 4292 wrote to memory of 876	4292	msedge.exe	125

C:\Users\Admin\AppData\Local\Temp\a.exe
"C:\Users\Admin\AppData\Local\Temp\a.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1004
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" -f "C:\Users\Admin\AppData\Local\Temp\2719794"
  2⤵
  PID:1812

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --default-search-provider=? --out-pipe-name=MSEdgeDefaulta76fcdb7h892eh4617h9b6eh0449fd6d4ab0
1⤵
- Suspicious use of WriteProcessMemory
PID:4292
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7ffaeb8846f8,0x7ffaeb884708,0x7ffaeb884718
  2⤵
  PID:4584
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1992,1419095737161017261,7385835753122101315,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1996 /prefetch:2
  2⤵
  PID:2312
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1992,1419095737161017261,7385835753122101315,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2336 /prefetch:3
  2⤵
  PID:2164
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1992,1419095737161017261,7385835753122101315,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2800 /prefetch:8
  2⤵
  PID:876

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2216

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3052

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

T1064

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Scripting

T1064

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
0629525c94f6548880f5f3a67846755e

SHA1
40ef667fc04bb1c0ae4bf2c17ded88594f0f4423

SHA256
812576f4a24f399abbd54b83ba7f404f021d4a7d2ec0fd2f988ebf4cbf8477ee

SHA512
f74d2e4a65a152f46852eb78dd70a958fdfb8c14e060ca41ffa783b7362e44659cc5fc73f59f3edb1f1d817000b85de7c1860512aa65d937eb5a0a8d9e5890fa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
e21ca6bb04212f45583479a0d70b8f9d

SHA1
11347b41191ea614a00d524730b6807945e67568

SHA256
1f9c091f9a4656d4243b594814808a43f896df8d680d5bb3d62bb826ce4e4f75

SHA512
c374024a8cd35e601f35af5f6244e560356dd48d60728a4281677b97b2433e2967736e99eb91c93a0367d4fd68cc683f84647c74076c53b6b80e7fe119543b57

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
3KB

MD5
49bd20f255e0cbe3bacd5e7cb15e576c

SHA1
75c74fc551768f85d8d192fea82bc54ad1e56500

SHA256
fb6d316882a0a43543be1cc33416e1103c6ec7d2888fed4db714624a169cdfde

SHA512
350ee5d737dabf73f2fddcc12bb3e421f491a148e6a069bcf93bf8ca7014ef0b36bc74ee611b1a032cde726199641f7edbf8e692a1eefe5b31d2cbeab7933107

Download Submit
C:\Users\Admin\AppData\Local\Temp\2719794

Filesize
507B

MD5
6d0e849b0647746facd7c73f03b4d366

SHA1
3138201a6608428b922bd86168b51cf80615bc91

SHA256
c2f229ba47f29fccb6d35a908e887bf97e9e87cdb1110e855d5caa39571e5d72

SHA512
3839589f64141ba269f95e2726dd040ee09b6c9c09f5765dcdba847b02f68fa000b588a272f17e73ac42e81b3bb154535dc20da6dce0682b4b3a1ac2daada86a

Download Submit
memory/1004-6-0x0000000000EA0000-0x0000000000EB0000-memory.dmp

Filesize
64KB

Download
memory/1004-5-0x0000000075300000-0x00000000758B1000-memory.dmp

Filesize
5.7MB

Download
memory/1004-1-0x0000000075300000-0x00000000758B1000-memory.dmp

Filesize
5.7MB

Download
memory/1004-2-0x0000000000EA0000-0x0000000000EB0000-memory.dmp

Filesize
64KB

Download
memory/1004-4-0x0000000075300000-0x00000000758B1000-memory.dmp

Filesize
5.7MB

Download
memory/1004-0-0x0000000075300000-0x00000000758B1000-memory.dmp

Filesize
5.7MB

Download
memory/1004-7-0x0000000000EA0000-0x0000000000EB0000-memory.dmp

Filesize
64KB

Download
memory/1004-23-0x0000000000EA0000-0x0000000000EB0000-memory.dmp

Filesize
64KB

Download
memory/1004-24-0x0000000000EA0000-0x0000000000EB0000-memory.dmp

Filesize
64KB

Download
memory/1812-17-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/1812-8-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/1812-11-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/1812-12-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/1812-10-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download