Analysis

  • max time kernel
    141s
  • max time network
    118s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    29/12/2023, 22:38

General

  • Target

    05da2f9e963a09d7ef7e3b36c98a89c6.exe

  • Size

    99KB

  • MD5

    05da2f9e963a09d7ef7e3b36c98a89c6

  • SHA1

    7964821885d27ebda0efcd07cafaeae47dabc351

  • SHA256

    1eff209deda55c2707b955dd68e239bfe788d521ef4ed6f0744cab2d62fe9c2a

  • SHA512

    9f046e0ae83fca69071de32944d86d5530b07c5151dc8d37ba0726a900ce2f9c01f887753d6c2deb226b67e303da2ad1bdc7cbe97eadfcd72a0c74ffaad8a344

  • SSDEEP

    3072:sr3KcWmjRrzSqmuDOVgOS7voA1pBCJbWt:/6qgxvHl

Malware Config

Signatures

  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

  • UPX packed file 5 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Drops file in Windows directory 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\05da2f9e963a09d7ef7e3b36c98a89c6.exe
    "C:\Users\Admin\AppData\Local\Temp\05da2f9e963a09d7ef7e3b36c98a89c6.exe"
    1⤵
    • Adds Run key to start application
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4208
    • C:\Users\Admin\AppData\Local\Temp\758eLY9XRUHnofC.exe
      C:\Users\Admin\AppData\Local\Temp\758eLY9XRUHnofC.exe
      2⤵
      • Executes dropped EXE
      PID:4792
    • C:\Windows\CTS.exe
      "C:\Windows\CTS.exe"
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      PID:3860

Network

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\758eLY9XRUHnofC.exe

          Filesize

          2KB

          MD5

          1bc8996b7bd53e0bc7134a17d08d2915

          SHA1

          14514353304aa677cf7228bf74edb616d10d95d8

          SHA256

          8debf1b23e14e702e93161c4bf7b9b4eb6c9652b7986ef3497b0b0e3679e0216

          SHA512

          c92945d5e85b1e1bb98c03c94542a49d01196cabc3dbfeb4534a14d7b9f5755040d9ad09fb99d47cba86eac39e6042da80fc6e38000403f67ccd74cb1520f036

        • C:\Windows\CTS.exe

          Filesize

          2KB

          MD5

          3c34dae420e08d9417477acd2e5df50a

          SHA1

          7c48a2d98d84cc09de1bddc9aa488b3b2506fa26

          SHA256

          070188adf916dc916d013ea8b946c811b6aa37073c5ebfe87d14360e58f0c3c8

          SHA512

          ee8bd3b8bb72835c83052be170ada6040e599687a8ed45dea078a8da640eb4be54dbdffa0ce0762c1d4bbd54c5f8fb6bcd32333ad10893b719bc506223b7d884

        • memory/3860-9-0x0000000000EE0000-0x0000000000EF7000-memory.dmp

          Filesize

          92KB

        • memory/3860-32-0x0000000000EE0000-0x0000000000EF7000-memory.dmp

          Filesize

          92KB

        • memory/4208-0-0x0000000000AD0000-0x0000000000AE7000-memory.dmp

          Filesize

          92KB

        • memory/4208-7-0x0000000000AD0000-0x0000000000AE7000-memory.dmp

          Filesize

          92KB