Analysis

  • max time kernel
    149s
  • max time network
    157s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    31/12/2023, 00:16

General

  • Target

    21589fa1487729166e4f22e47acebdc6.exe

  • Size

    521KB

  • MD5

    21589fa1487729166e4f22e47acebdc6

  • SHA1

    d5ffc8163e9bfde9458506f86cf59743155e0d78

  • SHA256

    9cc2ff00ce8f65a65a7a798b4b955affeb29c9473d0e956b228ab80a2e07bd7c

  • SHA512

    5b0bed53ab09f5475e06ce0a7b236bf53b935e32beeb8133eb03050e7f1373a5bb8db0c709b8588632112448fa601510325515bb3f973ec17c129b46340ad575

  • SSDEEP

    6144:d25mswOyIZjyMrmhc2TawYaOt2da2k78qh90GiTwXw35lk9jgvy89:d2wRIZgvOJDz9fA35lk9N

Malware Config

Signatures

  • UAC bypass 3 TTPs 1 IoCs
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

  • Reads local data of messenger clients 2 TTPs

    Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Looks up external IP address via web service 3 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Modifies registry key 1 TTPs 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\21589fa1487729166e4f22e47acebdc6.exe
    "C:\Users\Admin\AppData\Local\Temp\21589fa1487729166e4f22e47acebdc6.exe"
    • Adds Run key to start application
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2392
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\System32\cmd.exe /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
      • Suspicious use of WriteProcessMemory
      PID:912
  • C:\Windows\SysWOW64\reg.exe
    C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
    • UAC bypass
    • Modifies registry key
    PID:4796

Network

MITRE ATT&CK Enterprise v15

Downloads

  • memory/2392-0-0x00000000751E0000-0x0000000075791000-memory.dmp (Filesize: 5.7MB)
  • memory/2392-1-0x00000000751E0000-0x0000000075791000-memory.dmp (Filesize: 5.7MB)
  • memory/2392-2-0x00000000014E0000-0x00000000014F0000-memory.dmp (Filesize: 64KB)
  • memory/2392-3-0x00000000014E0000-0x00000000014F0000-memory.dmp (Filesize: 64KB)
  • memory/2392-5-0x00000000014E0000-0x00000000014F0000-memory.dmp (Filesize: 64KB)
  • memory/2392-6-0x00000000751E0000-0x0000000075791000-memory.dmp (Filesize: 5.7MB)
  • memory/2392-7-0x00000000751E0000-0x0000000075791000-memory.dmp (Filesize: 5.7MB)
  • memory/2392-8-0x00000000014E0000-0x00000000014F0000-memory.dmp (Filesize: 64KB)
  • memory/2392-9-0x00000000014E0000-0x00000000014F0000-memory.dmp (Filesize: 64KB)
  • memory/2392-10-0x00000000014E0000-0x00000000014F0000-memory.dmp (Filesize: 64KB)