Analysis

  • max time kernel
    141s
  • max time network
    126s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
  • submitted
    31/12/2023, 06:40

General

  • Target
    2bff31fcc27c2431cdf6c168192b06b6.exe
  • Size
    363KB
  • MD5
    2bff31fcc27c2431cdf6c168192b06b6
  • SHA1
    e6cbb2f097c5dea5ea95625cba19331e358ca8d9
  • SHA256
    143e44389b9e644aeb3ba0bc382895017ccf7311a5a43f32c8347e32f890bd7e
  • SHA512
    27fcf64e98f2b39db034b92a0e2b5cacc139e8c619084053dfd1b04cfff5199bf450a72e48bf830a3bcc007b170e65a906e3683a86b3d2039cd12eaa16d1e81a
  • SSDEEP
    6144:hGiQ35VFbYf/ljExVb79fhwmL+yZjDRB4cwKvI3fiYbHB8srTxC/ijWAJft:hRgFYfhgV/9fhwXyxD0cNw3qYbHPrTwA

Malware Config

Signatures

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • UPX packed file 5 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Drops file in Windows directory 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2bff31fcc27c2431cdf6c168192b06b6.exe
    "C:\Users\Admin\AppData\Local\Temp\2bff31fcc27c2431cdf6c168192b06b6.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2508
    • C:\Windows\CTS.exe
      "C:\Windows\CTS.exe"
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      PID:1736
    • C:\Users\Admin\AppData\Local\Temp\uXFx3B99hpU54G2.exe
      C:\Users\Admin\AppData\Local\Temp\uXFx3B99hpU54G2.exe
      2⤵
      • Executes dropped EXE
      PID:2180

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\uXFx3B99hpU54G2.exe
    • Filesize
      334KB
    • MD5
      f310d4e936b68a5d76b7b808507e99f9
    • SHA1
      6dccf493508f97212688413bec28f86befbff8e2
    • SHA256
      58b7e175725ddf68a7a6c891889daaa3b7d4f90c14bfcff287cb3336cbd7da60
    • SHA512
      daead56dfdd7b4a7a8fabdc6e12144273aae244aa90817d76281e5a7414e3f07ca2761f481bda91a47fc3c1c911ff1783e7421e566e3b3fc59b443de141d9e5d
  • C:\Windows\CTS.exe
    • Filesize
      29KB
    • MD5
      70aa23c9229741a9b52e5ce388a883ac
    • SHA1
      b42683e21e13de3f71db26635954d992ebe7119e
    • SHA256
      9d25cc704b1c00c9d17903e25ca35c319663e997cb9da0b116790b639e9688f2
    • SHA512
      be604a2ad5ab8a3e5edb8901016a76042ba873c8d05b4ef8eec31241377ec6b2a883b51c6912dc7640581ffa624547db334683975883ae74e62808b5ae9ab0b5
  • \Users\Admin\AppData\Local\Temp\uXFx3B99hpU54G2.exe
    • Filesize
      98KB
    • MD5
      02ad7fddc0170f1637dd27469263a719
    • SHA1
      45314db768f44a5e4ed3c81ac0dece2400f57285
    • SHA256
      936b2a9503fa26176c65bc4e2a7aa4abba9934d3ea1d74fafb46f299f4786ce9
    • SHA512
      2298115a94d482ad5445a511cd02e56cf6c31449dba61e18f68fa7e9c465dd4d555569aa86550bcba0127c5d165478408358c2d8682e440bd1f6a06f761cf6d9
  • memory/1736-16-0x0000000000B10000-0x0000000000B27000-memory.dmp
    • Filesize
      92KB
  • memory/2508-0-0x0000000000090000-0x00000000000A7000-memory.dmp
    • Filesize
      92KB
  • memory/2508-14-0x0000000000070000-0x0000000000087000-memory.dmp
    • Filesize
      92KB
  • memory/2508-12-0x0000000000090000-0x00000000000A7000-memory.dmp
    • Filesize
      92KB
  • memory/2508-8-0x0000000000070000-0x0000000000087000-memory.dmp
    • Filesize
      92KB
  • memory/2508-21-0x0000000000070000-0x0000000000087000-memory.dmp
    • Filesize
      92KB