Overview

overview

10

Static

static

3

33d4421203...53.exe

windows7-x64

10

33d4421203...53.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    142s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
  • submitted
    25-12-2023 18:16

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    33d44212038eff8013d649cae7aa9253.exe

  • Size

    174KB

  • MD5

    33d44212038eff8013d649cae7aa9253

  • SHA1

    2aeb195ebfde711b1301cc9e8d7f6e9ef3ad7d87

  • SHA256

    99c86fe1943b34d49b98f320082bcc9be8e9a0a24280ea5bdf839c724b2b8f86

  • SHA512

    9e56e49329da0057ff9229835c681a86769548389823824c701411cc9a05ed1971c88fe8723fd55d4b6727a06e9f7f9a9940971317381c758e35cfdbc75681cc

  • SSDEEP

    3072:c65j3B+CNfYzPvvZ88gCH+S5/946iRBbs7qe756xNcvCupCkkYbJKog6NSLkVF1H:cS2zvZ8z43wRBbsGky7zsVF1IL+tWB

Score
10/10
evasionpersistencespywarestealerupx

Malware Config

Signatures

  • Modifies security service 2 TTPs 1 IoCs
    evasion
  • Disables taskbar notifications via registry modification
    evasion
  • Modifies Installed Components in the registry 2 TTPs 1 IoCs
    persistence
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • UPX packed file 8 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Drops file in Program Files directory 3 IoCs
  • Modifies registry class 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 14 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 15 IoCs
  • Suspicious use of FindShellTrayWindow 30 IoCs
  • Suspicious use of SendNotifyMessage 20 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs
  • System policy modification 1 TTPs 2 IoCs
    evasion
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\33d44212038eff8013d649cae7aa9253.exe
    "C:\Users\Admin\AppData\Local\Temp\33d44212038eff8013d649cae7aa9253.exe"
    1⤵
    • Modifies security service
    • Adds Run key to start application
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:2192
    • C:\Users\Admin\AppData\Local\Temp\33d44212038eff8013d649cae7aa9253.exe
      C:\Users\Admin\AppData\Local\Temp\33d44212038eff8013d649cae7aa9253.exe startC:\Users\Admin\AppData\Roaming\15AB0\176F1.exe%C:\Users\Admin\AppData\Roaming\15AB0
      2⤵
        PID:1948
      • C:\Users\Admin\AppData\Local\Temp\33d44212038eff8013d649cae7aa9253.exe
        C:\Users\Admin\AppData\Local\Temp\33d44212038eff8013d649cae7aa9253.exe startC:\Program Files (x86)\B0F4E\lvvm.exe%C:\Program Files (x86)\B0F4E
        2⤵
          PID:2304
      • C:\Windows\system32\msiexec.exe
        C:\Windows\system32\msiexec.exe /V
        1⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:2032
      • C:\Windows\explorer.exe
        explorer.exe
        1⤵
        • Modifies Installed Components in the registry
        • Modifies registry class
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:2836

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Roaming\15AB0\0F4E.5AB
        Filesize

        600B

        MD5

        701e981cbc83d38ff76e23e9872b8b59

        SHA1

        481dbd87cb51a7b246f9cdacc858a30916822714

        SHA256

        2b537204057d8efdaf96b5c3d4529500595517c3758054b593d9e4a42abba40d

        SHA512

        5d4fc09e3f8f476c5c0f90f82b8d23c15aeb2ccf5e7971d8faf345d04415760ad1cd83caa958d60023e8b615b62cf5e78767ebb849fc50c6e449880264e5a6bd

        Download Submit

      • C:\Users\Admin\AppData\Roaming\15AB0\0F4E.5AB
        Filesize

        1KB

        MD5

        3da0e321efa3f3274d0ec9e020dcf0b3

        SHA1

        901fcde2a35c4f9d95a0cee61bc46583ef690310

        SHA256

        b5e8a837e534136e8e3d6e61bf4c3ed9f2682a0cc1fcd4355dbce85baf8dcf4d

        SHA512

        db0c7d90768622e1ebfd73e2beb10625fe20336d0b14195f05e14a38fda51f0f8218e45c3e3d3734097c8466354bac03be9893ad0c628fc19732f57eb9b19896

        Download Submit

      • C:\Users\Admin\AppData\Roaming\15AB0\0F4E.5AB
        Filesize

        996B

        MD5

        3ce5a9ba0c0e403f6fcdaa3592f47f57

        SHA1

        4b49b1879b38fcc6c9c53f2f8083fdc0767b22ef

        SHA256

        934254644cc2c7e26b167154bb8201beda77542db1cec3cfbe21f241c9baf617

        SHA512

        c5602e24af5ea4c8a7645a6c3d9c58660f297183e8bea7839da9c038151199a2ef3aecbbcf8b6fc1a89c0f7f937794ba3cf7734e8e9c274131b78559e27f10e1

        Download Submit

      • C:\Users\Admin\AppData\Roaming\15AB0\0F4E.5AB
        Filesize

        1KB

        MD5

        a7fe413e31e9a66a22d97601173b8979

        SHA1

        f803d3e581e246966948deeac85938ada1020ea5

        SHA256

        515305eef1987773f806579b927ade0b7c94904273fa551600b6c754fa95319f

        SHA512

        dc30804cd4dba96cb1c466a2ea7c2695b847506954ac2b4cda9a3d1b57cd953e58874dc8477ea04843af53303830a454cccb7c853c75f41c72b7b11bcf096aa8

        Download Submit

      • memory/1948-14-0x00000000004E0000-0x00000000005E0000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/1948-13-0x0000000000400000-0x0000000000452000-memory.dmp

        Filesize

        328KB

        Download

      • memory/1948-183-0x00000000004E0000-0x00000000005E0000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/2192-15-0x0000000000400000-0x0000000000452000-memory.dmp

        Filesize

        328KB

        Download

      • memory/2192-2-0x0000000000500000-0x0000000000600000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/2192-76-0x0000000000500000-0x0000000000600000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/2192-12-0x0000000000400000-0x0000000000452000-memory.dmp

        Filesize

        328KB

        Download

      • memory/2192-91-0x0000000000400000-0x0000000000452000-memory.dmp

        Filesize

        328KB

        Download

      • memory/2192-1-0x0000000000400000-0x0000000000452000-memory.dmp

        Filesize

        328KB

        Download

      • memory/2192-185-0x0000000000400000-0x0000000000452000-memory.dmp

        Filesize

        328KB

        Download

      • memory/2304-75-0x0000000000400000-0x0000000000452000-memory.dmp

        Filesize

        328KB

        Download

      • memory/2836-184-0x0000000004090000-0x0000000004091000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2836-188-0x0000000004090000-0x0000000004091000-memory.dmp

        Filesize

        4KB

        Download