Overview

overview

7

Static

static

7

26e2911a59...5d.exe

windows7-x64

7

26e2911a59...5d.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    0s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
  • submitted
    31-12-2023 03:47

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    26e2911a59f6c13c7455c843f1e3125d.exe

  • Size

    44KB

  • MD5

    26e2911a59f6c13c7455c843f1e3125d

  • SHA1

    ed0a403a613e354bda3d796f185da603fa4c7935

  • SHA256

    71b3661c3f6d53722ec93e1493ef0dbed85358569429d9f9a6d481ce3a5214c9

  • SHA512

    5b9ba0eb342baab5eefff0fc2dfac4f8d7d2b2753bd65ef2ad6ee12729cbdee4f16430f15c8b74519b6dcc7234779a3f2f15994074ccb16e4b961c7e2e54e060

  • SSDEEP

    768:XocAX3LKew369lp2z3Sd4baFXLjwP/Tgj93b8NIocVSEFNgqHQjmALIuW/DJ5LDu:SKcR4mjD9r823FNCAF5fu

Score
7/10
persistencespywarestealerupx

Malware Config

Signatures

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • UPX packed file 2 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Drops file in Windows directory 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Windows\CTS.exe
    "C:\Windows\CTS.exe"
    1⤵
    • Executes dropped EXE
    • Adds Run key to start application
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    PID:2664
  • C:\Users\Admin\AppData\Local\Temp\pILpabKyU1SbvmK.exe
    C:\Users\Admin\AppData\Local\Temp\pILpabKyU1SbvmK.exe
    1⤵
    • Executes dropped EXE
    PID:1252
  • C:\Users\Admin\AppData\Local\Temp\26e2911a59f6c13c7455c843f1e3125d.exe
    "C:\Users\Admin\AppData\Local\Temp\26e2911a59f6c13c7455c843f1e3125d.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1728

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • \Users\Admin\AppData\Local\Temp\pILpabKyU1SbvmK.exe
    Filesize

    15KB

    MD5

    92f9de5aaf4021b73961e14303746f95

    SHA1

    331b792e347ebaf6b6b4c9ac65d742061e1a9f0a

    SHA256

    13c921999e5ff273007a610a8521bbc77d884b41d9cbbd41e045b3497909659c

    SHA512

    314749d46a3584213e55c7030e087e06f1e5bc5fbb8f99210a4e3014b9f44f3be7e791f48c570dd0abaf73584322ebb6be0d2ea5dbbfe343245cced22b172225

    Download Submit

  • memory/1252-25-0x0000000000B40000-0x0000000000B80000-memory.dmp

    Filesize

    256KB

    Download

  • memory/1252-24-0x0000000074DC0000-0x000000007536B000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/1252-115-0x0000000074DC0000-0x000000007536B000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/1728-15-0x00000000011B0000-0x00000000011C7000-memory.dmp

    Filesize

    92KB

    Download

  • memory/1728-11-0x0000000001280000-0x0000000001297000-memory.dmp

    Filesize

    92KB

    Download

  • memory/1728-117-0x00000000011B0000-0x00000000011C7000-memory.dmp

    Filesize

    92KB

    Download

  • memory/2664-26-0x00000000011B0000-0x00000000011C7000-memory.dmp

    Filesize

    92KB

    Download