Analysis

  • max time kernel: 145s
  • max time network: 148s
  • platform: windows10-2004_x64
  • resource: win10v2004-20231215-en
  • resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
  • submitted: 25-12-2023 19:38

General

  • Target: 389328c2922d87537aefbde82eff63fa.exe
  • Size: 30KB
  • MD5: 389328c2922d87537aefbde82eff63fa
  • SHA1: 9761aa1cb752c3d908d4c7fb1a99cbdec4cb6111
  • SHA256: 98b8d69c66b80ea0dd19edf9f02fabd090d8d0f36a3e1ecdf480c5bba17bafc9
  • SHA512: 80fcdfb577424531807e4f913fb92b8b06706be8f4670de3f2007c40abc662428b6783a129167542fbcb312db6845a53c5ba96c0204d87dc587c3f58fbca13a6
  • SSDEEP: 768:XocAX3LKew369lp2z3Sd4baFXLjwP/Tgj93b8NIocVSEFg:SKcR4mjD9r823Fg

Malware Config

Signatures

  • Executes dropped EXE (1 IoC)
  • Reads user/profile data of web browsers (2 TTPs)

    Infostealers often target stored browser data, which can include saved credentials and similar sensitive data.

  • UPX packed file (7 IoCs)

    Detects executables packed with the UPX open-source packer or a modified variant of it.

  • Adds Run key to start application (2 TTPs, 2 IoCs)
  • Drops file in Windows directory (2 IoCs)
  • Suspicious use of AdjustPrivilegeToken (2 IoCs)
  • Suspicious use of WriteProcessMemory (3 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\389328c2922d87537aefbde82eff63fa.exe (PID 2348)
    Command line: "C:\Users\Admin\AppData\Local\Temp\389328c2922d87537aefbde82eff63fa.exe"
    • Adds Run key to start application
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    • C:\Windows\CTS.exe (PID 1320, child process)
      Command line: "C:\Windows\CTS.exe"
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\excel.exe_Rules.xml
    Filesize: 352KB
    MD5: 053966879ac49206d0c25f5e472d03c7
    SHA1: ebcfe3fe1d4fa9cd504ffe083ac2a0c9dabfa229
    SHA256: e793eb4c8dd015d2181ec702179d1dd93e7f40342867e348f8e2109ba6539aaf
    SHA512: dda0aec454726b37cd5a05a50047e9fe1017f9675389587c42fc790a00602fe4245805d98ab66952cdfe5a51c6ed26029e1cbb9df03a02725ac7e2dd1cd05b75

  • C:\Users\Admin\AppData\Local\Temp\b2IDXmOsJne6kgr.exe
    Filesize: 30KB
    MD5: 1924b17e5abb8f503ff16a578c486ad7
    SHA1: 2386f250a08b17398555d75e61c4fffe5aff0584
    SHA256: 1c5a3e07fa3fa04156b08c9e10f71a306524458739104691180f0072929e913d
    SHA512: a57f8a6b69ba62138f1d7f3e1062f0c7779bdf9a515a6e75a9d4774e4bcd16078538655436f429dc51e217939ec4ef41da803717690d4e510d97a49453a87585

  • C:\Windows\CTS.exe
    Filesize: 29KB
    MD5: 70aa23c9229741a9b52e5ce388a883ac
    SHA1: b42683e21e13de3f71db26635954d992ebe7119e
    SHA256: 9d25cc704b1c00c9d17903e25ca35c319663e997cb9da0b116790b639e9688f2
    SHA512: be604a2ad5ab8a3e5edb8901016a76042ba873c8d05b4ef8eec31241377ec6b2a883b51c6912dc7640581ffa624547db334683975883ae74e62808b5ae9ab0b5

  • memory/1320-8-0x0000000000970000-0x0000000000987000-memory.dmp (Filesize: 92KB)
  • memory/1320-32-0x0000000000970000-0x0000000000987000-memory.dmp (Filesize: 92KB)
  • memory/2348-0-0x00000000008F0000-0x0000000000907000-memory.dmp (Filesize: 92KB)
  • memory/2348-7-0x00000000008F0000-0x0000000000907000-memory.dmp (Filesize: 92KB)