Overview

overview

7

Static

static

7

03959826a0...6c.exe

windows7-x64

7

03959826a0...6c.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    143s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
  • submitted
    25/12/2023, 03:43

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    03959826a04eb1abdef5b0048c9cb96c.exe

  • Size

    691KB

  • MD5

    03959826a04eb1abdef5b0048c9cb96c

  • SHA1

    1a0a1246025816c2209358e257fc301f08b32741

  • SHA256

    ddaa45fea6829db2552f231cd2ae98d09a8edfd8b64ccf8cb9996b41441adbd0

  • SHA512

    2577394efdddf96110db9d13334c7f53b74e288eb28df45a245e3928d1d4c046c89117e0a322e8f5a1a00cae1201ea6b43a6cb51b34a8233a74eea6f9f43cc6c

  • SSDEEP

    12288:5OOKxDOoRbtBYoukrYHlzoe39DOZVwCNoSzC93W68d/hnoiM344n7NjHj+jlY/9+:5OhH1YFpHFN3BxN9f8dg35nIy4

Score
7/10
bootkitpersistencespywarestealerupx

Malware Config

Signatures

  • ACProtect 1.3x - 1.4x DLL software 1 IoCs

    Detects file using ACProtect software.

  • Loads dropped DLL 3 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • UPX packed file 5 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

    bootkitpersistence
  • Suspicious behavior: EnumeratesProcesses 16 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 47 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs
  • Views/modifies file attributes 1 TTPs 1 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\03959826a04eb1abdef5b0048c9cb96c.exe
    "C:\Users\Admin\AppData\Local\Temp\03959826a04eb1abdef5b0048c9cb96c.exe"
    1⤵
    • Loads dropped DLL
    • Writes to the Master Boot Record (MBR)
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4808
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\03959826a04eb1abdef5b0048c9cb96c.867D0\ySvI.BAT
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4004
  • C:\Windows\SysWOW64\attrib.exe
    attrib -a -s -r -h /s /d "C:\Users\Admin\AppData\Local\Temp\03959826a04eb1abdef5b0048c9cb96c.867D0\*.*"
    1⤵
    • Views/modifies file attributes
    PID:5020

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\03959826a04eb1abdef5b0048c9cb96c.867D0\Fz6QR.dll
    Filesize

    365KB

    MD5

    e036317f886ebd072b8e460410e41798

    SHA1

    439042c6cccd4ef8a5d6a184ae4f5b89d87c2976

    SHA256

    ed36f4fde26dfeb27eecc4854fc82ea6dda2ee2d021455b9b78e4b7ab2725a6c

    SHA512

    0ccc0ed17ed7af13c5d5dbb4704d258a6e9ba095fe92d9aa3e43194eb10e1ceaa2a29fd74d6584a7282fdedb2ef2bb77be8b716309f3964d6d82d14211f86759

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\03959826a04eb1abdef5b0048c9cb96c.867D0\iext.fnr
    Filesize

    74KB

    MD5

    37adc90bb984551751410d9e4012721b

    SHA1

    c1834985a3c52faf383d35e483644b116cadf706

    SHA256

    7ef60380175aaf88552343f8068f58e7d7fa3e4285ca3ef10ccdbc4e60b7978b

    SHA512

    618de79dc8fb1789a5e80d79a868b9c8d8f4212beff8a7c84cfbe433bc36b59f1a7baf9f8e7f8398b2d69fe461047557cc0b078a75fcdab172569e9846cc7be6

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\03959826a04eb1abdef5b0048c9cb96c.867D0\ySvI.BAT
    Filesize

    321B

    MD5

    7766f750c252e6a9a7d8ec1e04481920

    SHA1

    d28cf87472220aab77104c622d5b5cd7b4f34ad2

    SHA256

    55a0d680af8ad786c24c08e6a25701992b82b94bc7451a4014ed004422860fbc

    SHA512

    4360e82f5a30f0b9abc8c0b0cafff7dfd8a9271bb3d49f7ff3fe77a3494265e33395b275fcd31419dc785b02e2038b6026013ddef2f87ab64a18bd3b61fa40b0

    Download Submit

  • memory/4808-7-0x00000000024F0000-0x000000000267A000-memory.dmp

    Filesize

    1.5MB

    Download

  • memory/4808-14-0x0000000000400000-0x00000000004C6000-memory.dmp

    Filesize

    792KB

    Download

  • memory/4808-15-0x0000000010000000-0x0000000010046000-memory.dmp

    Filesize

    280KB

    Download

  • memory/4808-19-0x00000000024F0000-0x000000000267A000-memory.dmp

    Filesize

    1.5MB

    Download

  • memory/4808-18-0x00000000024F0000-0x000000000267A000-memory.dmp

    Filesize

    1.5MB

    Download

  • memory/4808-13-0x0000000010000000-0x0000000010046000-memory.dmp

    Filesize

    280KB

    Download

  • memory/4808-0-0x0000000000400000-0x00000000004C6000-memory.dmp

    Filesize

    792KB

    Download

  • memory/4808-28-0x00000000024F0000-0x000000000267A000-memory.dmp

    Filesize

    1.5MB

    Download

  • memory/4808-8-0x00000000024F0000-0x000000000267A000-memory.dmp

    Filesize

    1.5MB

    Download