Overview

overview

7

Static

static

7

0e05a528d4...18.exe

windows7-x64

7

0e05a528d4...18.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    141s
  • max time network
    125s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
  • submitted
    30/12/2023, 04:12

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    0e05a528d42ff7150ab12e2264c8b718.exe

  • Size

    59KB

  • MD5

    0e05a528d42ff7150ab12e2264c8b718

  • SHA1

    e7e887c1aca6656d3b51fef9120027a6f69d0e0c

  • SHA256

    b05fd1fa8cff567c0999d87cc0827b8aa72a85f0939687bd69310df68d0c581a

  • SHA512

    58f6f5bb68d9d5ba8640d47d87a23e97ba8ef789210bfacb74228be033996251a0b3f5971305d6a8cc458b98b21054c05d32afda3cee80591b54f7910fe56f83

  • SSDEEP

    768:XocAX3LKew369lp2z3Sd4baFXLjwP/Tgj93b8NIocVSEFGocAX3LKew369lp2z38:SKcR4mjD9r823FHKcR4mjD9r823Fl

Score
7/10
persistencespywarestealerupx

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • UPX packed file 5 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Drops file in Windows directory 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0e05a528d42ff7150ab12e2264c8b718.exe
    "C:\Users\Admin\AppData\Local\Temp\0e05a528d42ff7150ab12e2264c8b718.exe"
    1⤵
    • Adds Run key to start application
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2456
    • C:\Windows\CTS.exe
      "C:\Windows\CTS.exe"
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      PID:2288

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\FydLQQII604q9xp.exe
    Filesize

    59KB

    MD5

    ec43affe0d02f5df514e49a3474180ba

    SHA1

    638fa9345624a18ff150994f449c70c2d75085f9

    SHA256

    8ac283b47eb73773fda7f60c4ba67f38f5d445972d044ec327b49974ec7ed504

    SHA512

    43362b55a9ee96887bf786bbf49238a2d9ecd0c0d7802cb53484c84310e0a22daa2c7984e3a03380249abec2da55643f2f842d77a6c1aa3800f83abf5b8fc80c

    Download Submit

  • C:\Windows\CTS.exe
    Filesize

    59KB

    MD5

    5efd390d5f95c8191f5ac33c4db4b143

    SHA1

    42d81b118815361daa3007f1a40f1576e9a9e0bc

    SHA256

    6028434636f349d801465f77af3a1e387a9c5032942ca6cadb6506d0800f2a74

    SHA512

    720fbe253483dc034307a57a2860c8629a760f883603198d1213f5290b7f236bf0f5f237728ebed50962be83dc7dc4abe61a1e9a55218778495fc6580eb20b3d

    Download Submit

  • memory/2288-12-0x00000000001A0000-0x00000000001B7000-memory.dmp

    Filesize

    92KB

    Download

  • memory/2456-0-0x00000000000E0000-0x00000000000F7000-memory.dmp

    Filesize

    92KB

    Download

  • memory/2456-9-0x0000000000100000-0x0000000000117000-memory.dmp

    Filesize

    92KB

    Download

  • memory/2456-8-0x00000000000E0000-0x00000000000F7000-memory.dmp

    Filesize

    92KB

    Download