Overview

overview

10

Static

static

3

2523464fb2...d3.exe

windows7-x64

10

2523464fb2...d3.exe

windows10-2004-x64

3

Analysis

  • max time kernel
    141s
  • max time network
    125s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
  • submitted
    25-12-2023 14:22

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2523464fb225cad5bfec48c4a53c5bd3.exe

  • Size

    165KB

  • MD5

    2523464fb225cad5bfec48c4a53c5bd3

  • SHA1

    bb6909667ecea674fc111ee1e4033c4db5b9ad75

  • SHA256

    9b470c80e4e68217a5b3efe2e6bb3d34d988b1fcaa34105e4b7ae5b1006e4557

  • SHA512

    75d21ee592b84e2d4989f142dfa78f25b2fccf862323dcb1c34c2f015e1e00fbafd6564daf81ee86ea498ffcebc4a568a87c95d8c40b799c041c6a45cce7ed75

  • SSDEEP

    3072:YvSPEflpaJPK6ZNWpfTuLGTg8M86qSyUujoBVbFNpFrKvpTI:+SPEflcPjSpKLtsJjyVbFNmx

Score
10/10
persistencespywarestealerupx

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
    persistence
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • UPX packed file 4 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Program crash 2 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2523464fb225cad5bfec48c4a53c5bd3.exe
    "C:\Users\Admin\AppData\Local\Temp\2523464fb225cad5bfec48c4a53c5bd3.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Suspicious use of WriteProcessMemory
    PID:2208
    • C:\Users\Admin\AppData\Local\Temp\2523464fb225cad5bfec48c4a53c5bd3.exe
      C:\Users\Admin\AppData\Local\Temp\2523464fb225cad5bfec48c4a53c5bd3.exe startC:\Program Files (x86)\LP\AFAA\F1D.exe%C:\Program Files (x86)\LP\AFAA
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2700
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 2700 -s 176
        3⤵
        • Program crash
        PID:2688
    • C:\Users\Admin\AppData\Local\Temp\2523464fb225cad5bfec48c4a53c5bd3.exe
      C:\Users\Admin\AppData\Local\Temp\2523464fb225cad5bfec48c4a53c5bd3.exe startC:\Program Files (x86)\AB1EC\lvvm.exe%C:\Program Files (x86)\AB1EC
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1684
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 1684 -s 176
        3⤵
        • Program crash
        PID:2544

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\ACFAB\B1EC.CFA
    Filesize

    996B

    MD5

    ac28ae4295a9f539f4403c2d5a70c560

    SHA1

    51b3d462aa1463fa2960da229c30a294aa60f1f3

    SHA256

    eb8c205413537276faea758b0f690a279420efe3ab5b34d595723054a5bfb029

    SHA512

    9e31629f5db9e532268e81fdefe6245807ff77ac1fbc3ffcaf256d7911f2874f496425abbf2c71d06fccf29c9a055514cde029ec871f5b631ade861594a91240

    Download Submit

  • C:\Users\Admin\AppData\Roaming\ACFAB\B1EC.CFA
    Filesize

    600B

    MD5

    498f3f20925dbbf613b795c5799a44d4

    SHA1

    1431fc4efd0d1e57403906608f9691aeddf633bd

    SHA256

    d9139826825289acea878d706e79685edd9521cc3e4b608e16239a53b35fd468

    SHA512

    bf065afc65198685a22939cc6db70cb267db317fc220c9c8a9f7d9ea2628689f628bbbbc6d3ecfcd982b4829c1b6f3d57458f1b85216a82f9b77dd9da9b3788e

    Download Submit

  • C:\Users\Admin\AppData\Roaming\ACFAB\B1EC.CFA
    Filesize

    1KB

    MD5

    11faeea5689327a2f7fd27914ab8bef0

    SHA1

    7f85ce445ca9fd030a94b040f49dd18d53f530b2

    SHA256

    a041a79f7eb1002fb6d6bb8ec076264bb509fd843f2e58bb3f7f00de490b1b52

    SHA512

    cbf1ab5befde85c0a863074a9b767f412d5dcaad2807eb715fbf0074898031c7612db0acc039de5e8ab54c13b5316b5da85ed75dbe3d7e0a38f1ef41d575f3bf

    Download Submit

  • memory/1684-136-0x0000000001D70000-0x0000000001E70000-memory.dmp

    Filesize

    1024KB

    Download

  • memory/1684-262-0x0000000001D70000-0x0000000001E70000-memory.dmp

    Filesize

    1024KB

    Download

  • memory/2208-1-0x0000000000400000-0x0000000000491000-memory.dmp

    Filesize

    580KB

    Download

  • memory/2208-2-0x00000000004A0000-0x00000000005A0000-memory.dmp

    Filesize

    1024KB

    Download

  • memory/2208-14-0x0000000000400000-0x0000000000491000-memory.dmp

    Filesize

    580KB

    Download

  • memory/2208-135-0x0000000000400000-0x0000000000491000-memory.dmp

    Filesize

    580KB

    Download

  • memory/2208-315-0x0000000000400000-0x0000000000491000-memory.dmp

    Filesize

    580KB

    Download

  • memory/2700-12-0x0000000000400000-0x0000000000491000-memory.dmp

    Filesize

    580KB

    Download

  • memory/2700-13-0x0000000001C10000-0x0000000001D10000-memory.dmp

    Filesize

    1024KB

    Download