32c01ca819cb302cf494240092ad3aef71737f98935d82b8dbd7a77f8eecb285

Analysis

max time kernel
163s
max time network
172s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
24/12/2023, 22:09

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

14b02dbba1ffd0a5662a3a5409b3028a.exe
Size

867KB
MD5

14b02dbba1ffd0a5662a3a5409b3028a
SHA1

a220d5c6c57d821771a2e1734ee564a32d35c0f7
SHA256

32c01ca819cb302cf494240092ad3aef71737f98935d82b8dbd7a77f8eecb285
SHA512

5a8ef01c82be512cd6e63e29d022224b3da5879ace22d21701b2e8f5110e6cd503ff2b84544978f0f70917f8d26fd41e1de09a182c82e415e82a6f0c20e8174c
SSDEEP

12288:U98T9LqpZVjanWq5e+qOtvE22vKKswF40NEFPr7IU5VRVtoSWAg:AU0pPxqFzvevRpXNft

Score

7^/10

spyware stealer upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\Control Panel\International\Geo\Nation	14b02dbba1ffd0a5662a3a5409b3028a.exe

Executes dropped EXE 1 IoCs

pid	Process
4648	lsàss.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/5012-0-0x0000000000400000-0x00000000004DB000-memory.dmp	upx
behavioral2/files/0x0006000000023230-6.dat	upx
behavioral2/memory/4648-14-0x0000000000400000-0x00000000004DB000-memory.dmp	upx
behavioral2/memory/5012-12-0x0000000000400000-0x00000000004DB000-memory.dmp	upx
behavioral2/memory/4648-47-0x0000000000400000-0x00000000004DB000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
5012	14b02dbba1ffd0a5662a3a5409b3028a.exe
5012	14b02dbba1ffd0a5662a3a5409b3028a.exe
4648	lsàss.exe
4648	lsàss.exe
4648	lsàss.exe
4648	lsàss.exe
4648	lsàss.exe
4648	lsàss.exe
4648	lsàss.exe
4648	lsàss.exe
4648	lsàss.exe
4648	lsàss.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4648	lsàss.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
5012	14b02dbba1ffd0a5662a3a5409b3028a.exe
5012	14b02dbba1ffd0a5662a3a5409b3028a.exe
5012	14b02dbba1ffd0a5662a3a5409b3028a.exe
5012	14b02dbba1ffd0a5662a3a5409b3028a.exe
5012	14b02dbba1ffd0a5662a3a5409b3028a.exe
5012	14b02dbba1ffd0a5662a3a5409b3028a.exe
5012	14b02dbba1ffd0a5662a3a5409b3028a.exe
5012	14b02dbba1ffd0a5662a3a5409b3028a.exe
5012	14b02dbba1ffd0a5662a3a5409b3028a.exe
4648	lsàss.exe
4648	lsàss.exe
4648	lsàss.exe
4648	lsàss.exe
4648	lsàss.exe
4648	lsàss.exe
4648	lsàss.exe
4648	lsàss.exe
4648	lsàss.exe
4648	lsàss.exe
4648	lsàss.exe
4648	lsàss.exe
4648	lsàss.exe
4648	lsàss.exe
4648	lsàss.exe
4648	lsàss.exe
4648	lsàss.exe
4648	lsàss.exe
4648	lsàss.exe
4648	lsàss.exe
4648	lsàss.exe
4648	lsàss.exe
4648	lsàss.exe
4648	lsàss.exe
4648	lsàss.exe
4648	lsàss.exe
4648	lsàss.exe
4648	lsàss.exe
4648	lsàss.exe
4648	lsàss.exe
4648	lsàss.exe
4648	lsàss.exe
4648	lsàss.exe
4648	lsàss.exe
4648	lsàss.exe
4648	lsàss.exe
4648	lsàss.exe
4648	lsàss.exe
4648	lsàss.exe
4648	lsàss.exe
4648	lsàss.exe
4648	lsàss.exe
4648	lsàss.exe
4648	lsàss.exe
4648	lsàss.exe
4648	lsàss.exe
4648	lsàss.exe
4648	lsàss.exe
4648	lsàss.exe
4648	lsàss.exe
4648	lsàss.exe
4648	lsàss.exe
4648	lsàss.exe
4648	lsàss.exe
4648	lsàss.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
5012	14b02dbba1ffd0a5662a3a5409b3028a.exe
5012	14b02dbba1ffd0a5662a3a5409b3028a.exe
5012	14b02dbba1ffd0a5662a3a5409b3028a.exe
5012	14b02dbba1ffd0a5662a3a5409b3028a.exe
5012	14b02dbba1ffd0a5662a3a5409b3028a.exe
5012	14b02dbba1ffd0a5662a3a5409b3028a.exe
5012	14b02dbba1ffd0a5662a3a5409b3028a.exe
5012	14b02dbba1ffd0a5662a3a5409b3028a.exe
5012	14b02dbba1ffd0a5662a3a5409b3028a.exe
4648	lsàss.exe
4648	lsàss.exe
4648	lsàss.exe
4648	lsàss.exe
4648	lsàss.exe
4648	lsàss.exe
4648	lsàss.exe
4648	lsàss.exe
4648	lsàss.exe
4648	lsàss.exe
4648	lsàss.exe
4648	lsàss.exe
4648	lsàss.exe
4648	lsàss.exe
4648	lsàss.exe
4648	lsàss.exe
4648	lsàss.exe
4648	lsàss.exe
4648	lsàss.exe
4648	lsàss.exe
4648	lsàss.exe
4648	lsàss.exe
4648	lsàss.exe
4648	lsàss.exe
4648	lsàss.exe
4648	lsàss.exe
4648	lsàss.exe
4648	lsàss.exe
4648	lsàss.exe
4648	lsàss.exe
4648	lsàss.exe
4648	lsàss.exe
4648	lsàss.exe
4648	lsàss.exe
4648	lsàss.exe
4648	lsàss.exe
4648	lsàss.exe
4648	lsàss.exe
4648	lsàss.exe
4648	lsàss.exe
4648	lsàss.exe
4648	lsàss.exe
4648	lsàss.exe
4648	lsàss.exe
4648	lsàss.exe
4648	lsàss.exe
4648	lsàss.exe
4648	lsàss.exe
4648	lsàss.exe
4648	lsàss.exe
4648	lsàss.exe
4648	lsàss.exe
4648	lsàss.exe
4648	lsàss.exe
4648	lsàss.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 5012 wrote to memory of 4648	5012	14b02dbba1ffd0a5662a3a5409b3028a.exe	91
PID 5012 wrote to memory of 4648	5012	14b02dbba1ffd0a5662a3a5409b3028a.exe	91
PID 5012 wrote to memory of 4648	5012	14b02dbba1ffd0a5662a3a5409b3028a.exe	91

C:\Users\Admin\AppData\Local\Temp\14b02dbba1ffd0a5662a3a5409b3028a.exe
"C:\Users\Admin\AppData\Local\Temp\14b02dbba1ffd0a5662a3a5409b3028a.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:5012
- C:\Users\Admin\AppData\Roaming\Options\lsàss.exe
  "C:\Users\Admin\AppData\Roaming\Options\lsàss.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:4648

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Options\lsàss.exe

Filesize
867KB

MD5
14b02dbba1ffd0a5662a3a5409b3028a

SHA1
a220d5c6c57d821771a2e1734ee564a32d35c0f7

SHA256
32c01ca819cb302cf494240092ad3aef71737f98935d82b8dbd7a77f8eecb285

SHA512
5a8ef01c82be512cd6e63e29d022224b3da5879ace22d21701b2e8f5110e6cd503ff2b84544978f0f70917f8d26fd41e1de09a182c82e415e82a6f0c20e8174c

Download Submit
C:\Users\Admin\AppData\Roaming\Profiles\56694_passes_3878.xm

Filesize
2KB

MD5
dcf104781b5ec86729232126e81bb3f3

SHA1
367137d3c3792d8299eb6a53900dd58c0ed2d0ff

SHA256
a3dc8dbbf8d1f44f62cd9bff77755862b655d40066c4e646608c063b7686e04f

SHA512
32fe7e681c8e2a270c625b8acc6b76a4ad1b4cf9c317699dda4201e9ce74100b4ea71aa742fd25078d729d1b6d8637d88f6e414ec4d6dace6f907dbee18d06b2

Download Submit
memory/4648-14-0x0000000000400000-0x00000000004DB000-memory.dmp

Filesize
876KB

Download
memory/4648-15-0x00000000007B0000-0x00000000007B1000-memory.dmp

Filesize
4KB

Download
memory/4648-47-0x0000000000400000-0x00000000004DB000-memory.dmp

Filesize
876KB

Download
memory/4648-48-0x00000000007B0000-0x00000000007B1000-memory.dmp

Filesize
4KB

Download
memory/5012-0-0x0000000000400000-0x00000000004DB000-memory.dmp

Filesize
876KB

Download
memory/5012-1-0x00000000023A0000-0x00000000023A1000-memory.dmp

Filesize
4KB

Download
memory/5012-12-0x0000000000400000-0x00000000004DB000-memory.dmp

Filesize
876KB

Download