Overview

overview

7

Static

static

7

12429f536b...c6.exe

windows7-x64

7

12429f536b...c6.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    146s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
  • submitted
    30/12/2023, 07:34

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    12429f536bc5c5df4248479aa79efac6.exe

  • Size

    85KB

  • MD5

    12429f536bc5c5df4248479aa79efac6

  • SHA1

    f05ccad5926ef58ca66d50790b6ca05d424f1b82

  • SHA256

    eaac9cfdad559793e8f3abbee4b17e7802573d0ac9b081581754faf59c18dae7

  • SHA512

    5d72a2bd1225bbb1bdfd6aceae4ee7269cbd1ecc4f71823fc4025f098facb6ebabe256b5dd5bcd35592091a0355cccd734908f40100674176bdb946adf50456d

  • SSDEEP

    1536:SKcR4mjD9r823F0JKepeKeY/zJ13ik0bvvLR5cb6JNjuIP6+o:SKcWmjRrz3SKepeEj3iXzLEb6j9o

Score
7/10
persistencespywarestealerupx

Malware Config

Signatures

  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • UPX packed file 5 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Drops file in Windows directory 2 IoCs
  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\12429f536bc5c5df4248479aa79efac6.exe
    "C:\Users\Admin\AppData\Local\Temp\12429f536bc5c5df4248479aa79efac6.exe"
    1⤵
    • Adds Run key to start application
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1380
    • C:\Windows\CTS.exe
      "C:\Windows\CTS.exe"
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      PID:1808
    • C:\Users\Admin\AppData\Local\Temp\k7KYpDtlTQbxcVV.exe
      C:\Users\Admin\AppData\Local\Temp\k7KYpDtlTQbxcVV.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:1616
  • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
    dw20.exe -x -s 812
    1⤵
    • Checks processor information in registry
    • Enumerates system info in registry
    • Suspicious use of AdjustPrivilegeToken
    PID:968

Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\k7KYpDtlTQbxcVV.exe
          Filesize

          56KB

          MD5

          e115521ba14b75f53dcdff087ec6898f

          SHA1

          87103a892bb514a93d485fba221bacb9da3aae25

          SHA256

          59b284d0ad4c2634938e70fae67d9048bd98422d052fbd745a9b80b5fae7ae29

          SHA512

          ab3d097bcf11bf7327a28124052b210f5fb13b9bfb9b7376cae1ba5c30182a330506935288a7fe06b7e3fdd82b57f5c31638f1c301738342819c772b346fa35a

          Download Submit

        • C:\Windows\CTS.exe
          Filesize

          29KB

          MD5

          70aa23c9229741a9b52e5ce388a883ac

          SHA1

          b42683e21e13de3f71db26635954d992ebe7119e

          SHA256

          9d25cc704b1c00c9d17903e25ca35c319663e997cb9da0b116790b639e9688f2

          SHA512

          be604a2ad5ab8a3e5edb8901016a76042ba873c8d05b4ef8eec31241377ec6b2a883b51c6912dc7640581ffa624547db334683975883ae74e62808b5ae9ab0b5

          Download Submit

        • memory/1380-0-0x00000000001C0000-0x00000000001D7000-memory.dmp

          Filesize

          92KB

          Download

        • memory/1380-6-0x00000000001C0000-0x00000000001D7000-memory.dmp

          Filesize

          92KB

          Download

        • memory/1616-27-0x00007FFADD8B0000-0x00007FFADE251000-memory.dmp

          Filesize

          9.6MB

          Download

        • memory/1616-33-0x00000000017B0000-0x00000000017C0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/1616-30-0x00007FFADD8B0000-0x00007FFADE251000-memory.dmp

          Filesize

          9.6MB

          Download

        • memory/1616-39-0x00007FFADD8B0000-0x00007FFADE251000-memory.dmp

          Filesize

          9.6MB

          Download

        • memory/1808-9-0x00000000004B0000-0x00000000004C7000-memory.dmp

          Filesize

          92KB

          Download

        • memory/1808-42-0x00000000004B0000-0x00000000004C7000-memory.dmp

          Filesize

          92KB

          Download