Overview

overview

7

Static

static

7

057f19eb80...7f.exe

windows7-x64

7

057f19eb80...7f.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    140s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20231129-en
  • resource tags

    arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
  • submitted
    29/12/2023, 22:21

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    057f19eb8090f4fd0249b749f2564a7f.exe

  • Size

    93KB

  • MD5

    057f19eb8090f4fd0249b749f2564a7f

  • SHA1

    1d17e73202b851e1cc4a466ac093196e2307b722

  • SHA256

    2960a2170162b81d3344e4a3ed1abf229c073ea40be0ddf65c3732f38a141bd8

  • SHA512

    ca2d4f57bd103694c678f5ff36a9e4ae99dbfc00513edc7f6ee10ecf9e006fcc9541d21cf293fe05232e0bdf7d2ac7177ea4513b041be50d39af96d8fd5f0022

  • SSDEEP

    1536:SKcR4mjD9r823Fr83hbUu6+UREF58QfMWUfFdSW6DOv:SKcWmjRrz3+tQGjXfLUu9u

Score
7/10
persistencespywarestealerupx

Malware Config

Signatures

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • UPX packed file 5 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Drops file in Windows directory 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Windows\CTS.exe
    "C:\Windows\CTS.exe"
    1⤵
    • Executes dropped EXE
    • Adds Run key to start application
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    PID:1928
  • C:\Users\Admin\AppData\Local\Temp\rHEBikghUK55CVa.exe
    C:\Users\Admin\AppData\Local\Temp\rHEBikghUK55CVa.exe
    1⤵
    • Executes dropped EXE
    PID:1868
  • C:\Users\Admin\AppData\Local\Temp\057f19eb8090f4fd0249b749f2564a7f.exe
    "C:\Users\Admin\AppData\Local\Temp\057f19eb8090f4fd0249b749f2564a7f.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2892

Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\rHEBikghUK55CVa.exe
          Filesize

          93KB

          MD5

          21ccba8f2032b075f7f04cdedbaa1330

          SHA1

          4d0c114bd564297e4a986b4a30f0058addb305d7

          SHA256

          09a76430b469bc2929c832f8c3c1f95592c3ed63e62d1130490a6e54c5e72997

          SHA512

          de9e85abc7102d9707c1059a2206cb9f38b835467e24124ba30de48ddb0815363c6a33fa82d8aed35c20fb8b352a7bec869c96b499ef02eb031c75277dc25340

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\rHEBikghUK55CVa.exe
          Filesize

          64KB

          MD5

          a32a382b8a5a906e03a83b4f3e5b7a9b

          SHA1

          11e2bdd0798761f93cce363329996af6c17ed796

          SHA256

          75f12ea2f30d9c0d872dade345f30f562e6d93847b6a509ba53beec6d0b2c346

          SHA512

          ec87dd957be21b135212454646dcabdd7ef9442cf714e2c1f6b42b81f0c3fa3b1875bde9a8b538e8a0aa2190225649c29e9ed0f25176e7659e55e422dd4efe4c

          Download Submit

        • C:\Windows\CTS.exe
          Filesize

          29KB

          MD5

          70aa23c9229741a9b52e5ce388a883ac

          SHA1

          b42683e21e13de3f71db26635954d992ebe7119e

          SHA256

          9d25cc704b1c00c9d17903e25ca35c319663e997cb9da0b116790b639e9688f2

          SHA512

          be604a2ad5ab8a3e5edb8901016a76042ba873c8d05b4ef8eec31241377ec6b2a883b51c6912dc7640581ffa624547db334683975883ae74e62808b5ae9ab0b5

          Download Submit

        • memory/1928-21-0x0000000000B00000-0x0000000000B17000-memory.dmp

          Filesize

          92KB

          Download

        • memory/2892-11-0x00000000000F0000-0x0000000000107000-memory.dmp

          Filesize

          92KB

          Download

        • memory/2892-15-0x0000000000940000-0x0000000000957000-memory.dmp

          Filesize

          92KB

          Download

        • memory/2892-8-0x0000000000940000-0x0000000000957000-memory.dmp

          Filesize

          92KB

          Download