Overview

overview

7

Static

static

7

0c1a7a5faa...e0.exe

windows7-x64

7

0c1a7a5faa...e0.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    141s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
  • submitted
    24/12/2023, 18:32

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    0c1a7a5faa0487abdb5f88fc26a89ae0.exe

  • Size

    30KB

  • MD5

    0c1a7a5faa0487abdb5f88fc26a89ae0

  • SHA1

    93f280ac59cd3757d5f0b09b69107eb7c2a71e77

  • SHA256

    cf6ce04918f2a7ff5a352134145f6ffc0d1c28033cd342237b94089bafd9292d

  • SHA512

    f7d6b7d021b89bd5f695e7d13560e80faadea91fafdaef5ef39323dd509abfdf5188dcbf644c68ad0245bbe00a4e8e1876ce7c9870da0c6f6e35bef90b126ff1

  • SSDEEP

    768:XocAX3LKew369lp2z3Sd4baFXLjwP/Tgj93b8NIocVSEF8Rv:SKcR4mjD9r823F8Rv

Score
7/10
persistencespywarestealerupx

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • UPX packed file 6 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Drops file in Windows directory 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0c1a7a5faa0487abdb5f88fc26a89ae0.exe
    "C:\Users\Admin\AppData\Local\Temp\0c1a7a5faa0487abdb5f88fc26a89ae0.exe"
    1⤵
    • Adds Run key to start application
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3068
    • C:\Windows\CTS.exe
      "C:\Windows\CTS.exe"
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      PID:2116

Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\aGSKKUJl8c2WdFB.exe
          Filesize

          30KB

          MD5

          47650980f897ce4562e2ad60792dc6de

          SHA1

          684dba39921f18f193f08387c8b89369189286b2

          SHA256

          eb12a93520466f28a3fc2fb9f5cd09dfe83968e5ae3691c47193f57d3bd9ace2

          SHA512

          7edaa089e9dc51c12072eae1983afb5e81e4ad01832e42ffd978faebb827c3471640d764ab769ff7ec943007db05a15f40d3accaa99147334bfd776e777fbc72

          Download Submit

        • C:\Windows\CTS.exe
          Filesize

          29KB

          MD5

          70aa23c9229741a9b52e5ce388a883ac

          SHA1

          b42683e21e13de3f71db26635954d992ebe7119e

          SHA256

          9d25cc704b1c00c9d17903e25ca35c319663e997cb9da0b116790b639e9688f2

          SHA512

          be604a2ad5ab8a3e5edb8901016a76042ba873c8d05b4ef8eec31241377ec6b2a883b51c6912dc7640581ffa624547db334683975883ae74e62808b5ae9ab0b5

          Download Submit

        • memory/2116-12-0x0000000000AB0000-0x0000000000AC7000-memory.dmp

          Filesize

          92KB

          Download

        • memory/3068-0-0x0000000000FA0000-0x0000000000FB7000-memory.dmp

          Filesize

          92KB

          Download

        • memory/3068-8-0x0000000000FA0000-0x0000000000FB7000-memory.dmp

          Filesize

          92KB

          Download

        • memory/3068-9-0x0000000000070000-0x0000000000087000-memory.dmp

          Filesize

          92KB

          Download

        • memory/3068-18-0x0000000000070000-0x0000000000087000-memory.dmp

          Filesize

          92KB

          Download