Analysis

  • max time kernel
    149s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20231129-en
  • resource tags

    arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
  • submitted
    25/12/2023, 03:43

General

  • Target

    03959826a04eb1abdef5b0048c9cb96c.exe

  • Size

    691KB

  • MD5

    03959826a04eb1abdef5b0048c9cb96c

  • SHA1

    1a0a1246025816c2209358e257fc301f08b32741

  • SHA256

    ddaa45fea6829db2552f231cd2ae98d09a8edfd8b64ccf8cb9996b41441adbd0

  • SHA512

    2577394efdddf96110db9d13334c7f53b74e288eb28df45a245e3928d1d4c046c89117e0a322e8f5a1a00cae1201ea6b43a6cb51b34a8233a74eea6f9f43cc6c

  • SSDEEP

    12288:5OOKxDOoRbtBYoukrYHlzoe39DOZVwCNoSzC93W68d/hnoiM344n7NjHj+jlY/9+:5OhH1YFpHFN3BxN9f8dg35nIy4

Malware Config

Signatures

  • ACProtect 1.3x - 1.4x DLL software 1 IoCs

    Detects file using ACProtect software.

  • Loads dropped DLL 3 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • UPX packed file 7 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

  • Suspicious behavior: EnumeratesProcesses 12 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 50 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\03959826a04eb1abdef5b0048c9cb96c.exe
    "C:\Users\Admin\AppData\Local\Temp\03959826a04eb1abdef5b0048c9cb96c.exe"
    1⤵
    • Loads dropped DLL
    • Writes to the Master Boot Record (MBR)
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2780
    • C:\Users\Admin\AppData\Local\Temp\03959826a04eb1abdef5b0048c9cb96c.exe
      C:\Users\Admin\AppData\Local\Temp\03959826a04eb1abdef5b0048c9cb96c.exe AntiMode1
      2⤵
      • Loads dropped DLL
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:672

Network

MITRE ATT&CK Enterprise v15

Downloads

  • \Users\Admin\AppData\Local\Temp\03959826a04eb1abdef5b0048c9cb96c.2AA25\Fz6QR.dll

    Filesize

    365KB

    MD5

    e036317f886ebd072b8e460410e41798

    SHA1

    439042c6cccd4ef8a5d6a184ae4f5b89d87c2976

    SHA256

    ed36f4fde26dfeb27eecc4854fc82ea6dda2ee2d021455b9b78e4b7ab2725a6c

    SHA512

    0ccc0ed17ed7af13c5d5dbb4704d258a6e9ba095fe92d9aa3e43194eb10e1ceaa2a29fd74d6584a7282fdedb2ef2bb77be8b716309f3964d6d82d14211f86759

  • \Users\Admin\AppData\Local\Temp\03959826a04eb1abdef5b0048c9cb96c.2AA25\iext.fnr

    Filesize

    74KB

    MD5

    37adc90bb984551751410d9e4012721b

    SHA1

    c1834985a3c52faf383d35e483644b116cadf706

    SHA256

    7ef60380175aaf88552343f8068f58e7d7fa3e4285ca3ef10ccdbc4e60b7978b

    SHA512

    618de79dc8fb1789a5e80d79a868b9c8d8f4212beff8a7c84cfbe433bc36b59f1a7baf9f8e7f8398b2d69fe461047557cc0b078a75fcdab172569e9846cc7be6

  • memory/672-15-0x0000000000400000-0x00000000004C6000-memory.dmp

    Filesize

    792KB

  • memory/672-28-0x00000000020E0000-0x000000000226A000-memory.dmp

    Filesize

    1.5MB

  • memory/672-26-0x0000000000400000-0x00000000004C6000-memory.dmp

    Filesize

    792KB

  • memory/672-16-0x00000000020E0000-0x000000000226A000-memory.dmp

    Filesize

    1.5MB

  • memory/2780-8-0x0000000010000000-0x0000000010046000-memory.dmp

    Filesize

    280KB

  • memory/2780-9-0x0000000000400000-0x00000000004C6000-memory.dmp

    Filesize

    792KB

  • memory/2780-19-0x0000000001ED0000-0x000000000205A000-memory.dmp

    Filesize

    1.5MB

  • memory/2780-10-0x0000000010000000-0x0000000010046000-memory.dmp

    Filesize

    280KB

  • memory/2780-11-0x0000000003C00000-0x0000000003CC6000-memory.dmp

    Filesize

    792KB

  • memory/2780-0-0x0000000000400000-0x00000000004C6000-memory.dmp

    Filesize

    792KB

  • memory/2780-4-0x0000000001ED0000-0x000000000205A000-memory.dmp

    Filesize

    1.5MB