32c01ca819cb302cf494240092ad3aef71737f98935d82b8dbd7a77f8eecb285

Analysis

max time kernel
146s
max time network
132s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
24-12-2023 22:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

14b02dbba1ffd0a5662a3a5409b3028a.exe
Size

867KB
MD5

14b02dbba1ffd0a5662a3a5409b3028a
SHA1

a220d5c6c57d821771a2e1734ee564a32d35c0f7
SHA256

32c01ca819cb302cf494240092ad3aef71737f98935d82b8dbd7a77f8eecb285
SHA512

5a8ef01c82be512cd6e63e29d022224b3da5879ace22d21701b2e8f5110e6cd503ff2b84544978f0f70917f8d26fd41e1de09a182c82e415e82a6f0c20e8174c
SSDEEP

12288:U98T9LqpZVjanWq5e+qOtvE22vKKswF40NEFPr7IU5VRVtoSWAg:AU0pPxqFzvevRpXNft

Score

7^/10

spyware stealer upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2864	lsàss.exe

Loads dropped DLL 2 IoCs

pid	Process
2092	14b02dbba1ffd0a5662a3a5409b3028a.exe
2092	14b02dbba1ffd0a5662a3a5409b3028a.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2092-0-0x0000000000400000-0x00000000004DB000-memory.dmp	upx
behavioral1/files/0x00360000000143e3-5.dat	upx
behavioral1/files/0x00360000000143e3-9.dat	upx
behavioral1/memory/2864-14-0x0000000000400000-0x00000000004DB000-memory.dmp	upx
behavioral1/memory/2092-13-0x0000000000400000-0x00000000004DB000-memory.dmp	upx
behavioral1/files/0x00360000000143e3-11.dat	upx
behavioral1/files/0x00360000000143e3-7.dat	upx
behavioral1/memory/2864-35-0x0000000000400000-0x00000000004DB000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2092	14b02dbba1ffd0a5662a3a5409b3028a.exe
2864	lsàss.exe
2864	lsàss.exe
2864	lsàss.exe
2864	lsàss.exe
2864	lsàss.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2864	lsàss.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2092	14b02dbba1ffd0a5662a3a5409b3028a.exe
2092	14b02dbba1ffd0a5662a3a5409b3028a.exe
2092	14b02dbba1ffd0a5662a3a5409b3028a.exe
2092	14b02dbba1ffd0a5662a3a5409b3028a.exe
2092	14b02dbba1ffd0a5662a3a5409b3028a.exe
2092	14b02dbba1ffd0a5662a3a5409b3028a.exe
2092	14b02dbba1ffd0a5662a3a5409b3028a.exe
2092	14b02dbba1ffd0a5662a3a5409b3028a.exe
2092	14b02dbba1ffd0a5662a3a5409b3028a.exe
2864	lsàss.exe
2864	lsàss.exe
2864	lsàss.exe
2864	lsàss.exe
2864	lsàss.exe
2864	lsàss.exe
2864	lsàss.exe
2864	lsàss.exe
2864	lsàss.exe
2864	lsàss.exe
2864	lsàss.exe
2864	lsàss.exe
2864	lsàss.exe
2864	lsàss.exe
2864	lsàss.exe
2864	lsàss.exe
2864	lsàss.exe
2864	lsàss.exe
2864	lsàss.exe
2864	lsàss.exe
2864	lsàss.exe
2864	lsàss.exe
2864	lsàss.exe
2864	lsàss.exe
2864	lsàss.exe
2864	lsàss.exe
2864	lsàss.exe
2864	lsàss.exe
2864	lsàss.exe
2864	lsàss.exe
2864	lsàss.exe
2864	lsàss.exe
2864	lsàss.exe
2864	lsàss.exe
2864	lsàss.exe
2864	lsàss.exe
2864	lsàss.exe
2864	lsàss.exe
2864	lsàss.exe
2864	lsàss.exe
2864	lsàss.exe
2864	lsàss.exe
2864	lsàss.exe
2864	lsàss.exe
2864	lsàss.exe
2864	lsàss.exe
2864	lsàss.exe
2864	lsàss.exe
2864	lsàss.exe
2864	lsàss.exe
2864	lsàss.exe
2864	lsàss.exe
2864	lsàss.exe
2864	lsàss.exe
2864	lsàss.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
2092	14b02dbba1ffd0a5662a3a5409b3028a.exe
2092	14b02dbba1ffd0a5662a3a5409b3028a.exe
2092	14b02dbba1ffd0a5662a3a5409b3028a.exe
2092	14b02dbba1ffd0a5662a3a5409b3028a.exe
2092	14b02dbba1ffd0a5662a3a5409b3028a.exe
2092	14b02dbba1ffd0a5662a3a5409b3028a.exe
2092	14b02dbba1ffd0a5662a3a5409b3028a.exe
2092	14b02dbba1ffd0a5662a3a5409b3028a.exe
2092	14b02dbba1ffd0a5662a3a5409b3028a.exe
2864	lsàss.exe
2864	lsàss.exe
2864	lsàss.exe
2864	lsàss.exe
2864	lsàss.exe
2864	lsàss.exe
2864	lsàss.exe
2864	lsàss.exe
2864	lsàss.exe
2864	lsàss.exe
2864	lsàss.exe
2864	lsàss.exe
2864	lsàss.exe
2864	lsàss.exe
2864	lsàss.exe
2864	lsàss.exe
2864	lsàss.exe
2864	lsàss.exe
2864	lsàss.exe
2864	lsàss.exe
2864	lsàss.exe
2864	lsàss.exe
2864	lsàss.exe
2864	lsàss.exe
2864	lsàss.exe
2864	lsàss.exe
2864	lsàss.exe
2864	lsàss.exe
2864	lsàss.exe
2864	lsàss.exe
2864	lsàss.exe
2864	lsàss.exe
2864	lsàss.exe
2864	lsàss.exe
2864	lsàss.exe
2864	lsàss.exe
2864	lsàss.exe
2864	lsàss.exe
2864	lsàss.exe
2864	lsàss.exe
2864	lsàss.exe
2864	lsàss.exe
2864	lsàss.exe
2864	lsàss.exe
2864	lsàss.exe
2864	lsàss.exe
2864	lsàss.exe
2864	lsàss.exe
2864	lsàss.exe
2864	lsàss.exe
2864	lsàss.exe
2864	lsàss.exe
2864	lsàss.exe
2864	lsàss.exe
2864	lsàss.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2092 wrote to memory of 2864	2092	14b02dbba1ffd0a5662a3a5409b3028a.exe	17
PID 2092 wrote to memory of 2864	2092	14b02dbba1ffd0a5662a3a5409b3028a.exe	17
PID 2092 wrote to memory of 2864	2092	14b02dbba1ffd0a5662a3a5409b3028a.exe	17
PID 2092 wrote to memory of 2864	2092	14b02dbba1ffd0a5662a3a5409b3028a.exe	17

C:\Users\Admin\AppData\Local\Temp\14b02dbba1ffd0a5662a3a5409b3028a.exe
"C:\Users\Admin\AppData\Local\Temp\14b02dbba1ffd0a5662a3a5409b3028a.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2092
- C:\Users\Admin\AppData\Roaming\Options\lsàss.exe
  "C:\Users\Admin\AppData\Roaming\Options\lsàss.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2864

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Options\lsàss.exe

Filesize
92KB

MD5
931b5978f369a5ae03f171a1be1b8675

SHA1
5968714fb84e196a99d893bc51b0d6af832afc3e

SHA256
a7cd218e70e734227852fcd5a61c795f6c72c86d3339791ac78e86f82b7d846d

SHA512
24adbbdfc2aad86ff39c831fe357e0d3380c290e10dc31cd69b656a4dca96747d87710810269b7214297c0041a8850dfc481b90e7124c473b170ffdaab5dcdb3

Download Submit
\Users\Admin\AppData\Roaming\Options\lsàss.exe

Filesize
382KB

MD5
54334887ba5249925ca8d1157a7ce4ab

SHA1
434a0382c6fa2b7d625803cd84d364407e872098

SHA256
98a80fce81f2c434f57a44328472acad9776e90884a5bc93119b29d16b92db1c

SHA512
360b9baaceacb41c41f041e7ff700b3964606373c49e57c7fe6d550c30b11ce9be620acc1908f1c06b9802aac1231324f84010783a56ff622f98815e1c24c5cc

Download Submit
\Users\Admin\AppData\Roaming\Options\lsàss.exe

Filesize
94KB

MD5
dd0aca95bbe63dfebc41f88916911475

SHA1
8de8a307ece37fa79cc3c559d4edd23e765ee0e0

SHA256
8e35fc2cae9ad45d54876c4045a6ea1acde87699f2cfd9a16a334e0eaa1935f3

SHA512
8518d4a5abab45f707bdb69f6edeec91ced6da000faed3e7417cc1e5dca58ff5e9fcec2e31320ed96b069cf9a2745c05b2d0f72b285098b9bcd89df25faa1a68

Download Submit
memory/2092-13-0x0000000000400000-0x00000000004DB000-memory.dmp

Filesize
876KB

Download
memory/2092-12-0x0000000003930000-0x0000000003A0B000-memory.dmp

Filesize
876KB

Download
memory/2092-1-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download
memory/2092-0-0x0000000000400000-0x00000000004DB000-memory.dmp

Filesize
876KB

Download
memory/2092-4-0x0000000003930000-0x0000000003940000-memory.dmp

Filesize
64KB

Download
memory/2864-15-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2864-14-0x0000000000400000-0x00000000004DB000-memory.dmp

Filesize
876KB

Download
memory/2864-35-0x0000000000400000-0x00000000004DB000-memory.dmp

Filesize
876KB

Download
memory/2864-36-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download