Overview

overview

7

Static

static

7

417ac64ea3...97.exe

windows7-x64

7

417ac64ea3...97.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    203s
  • max time network
    26s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
  • submitted
    04/01/2024, 17:28

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    417ac64ea38dc0f0a4465f7ef9bc4297.exe

  • Size

    30KB

  • MD5

    417ac64ea38dc0f0a4465f7ef9bc4297

  • SHA1

    3a81d569a217ab89de9bcc626668a32460f538f9

  • SHA256

    dd87549655388442105d3e28986eba5570caf59297131c529debb182aec1248c

  • SHA512

    3e83eb8c7a691bb0184a3ef1f42afb767ff4ea9e7959d0a009b6150e6ff6269153a942953942dae1162e29fae28eb125209c14ab5e15856f3bed8a2d86e797fe

  • SSDEEP

    768:XocAX3LKew369lp2z3Sd4baFXLjwP/Tgj93b8NIocVSEFQC:SKcR4mjD9r823FQC

Score
7/10
persistencespywarestealerupx

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • UPX packed file 7 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Drops file in Windows directory 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\417ac64ea38dc0f0a4465f7ef9bc4297.exe
    "C:\Users\Admin\AppData\Local\Temp\417ac64ea38dc0f0a4465f7ef9bc4297.exe"
    1⤵
    • Adds Run key to start application
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2812
    • C:\Windows\CTS.exe
      "C:\Windows\CTS.exe"
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      PID:2172

Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\8rfdiLsrCp8wHgK.exe
          Filesize

          30KB

          MD5

          bca246f8be0a0bca2d6b52a0e6a03979

          SHA1

          19517e3b807c3ce0863825d5d62b3397df0497bb

          SHA256

          bc57e2e5fe42f9d28da640f8409beae8276f5fb3d4e97b2d0273219f1db479ef

          SHA512

          c960c69f47cbd0854faced1ca542f3dd1b66b94677b3542772ef71bdabb736625794ad312f5922b15084563bff6bb3713981ffd6970e48ae901fea6bb92b169e

          Download Submit

        • C:\Windows\CTS.exe
          Filesize

          29KB

          MD5

          70aa23c9229741a9b52e5ce388a883ac

          SHA1

          b42683e21e13de3f71db26635954d992ebe7119e

          SHA256

          9d25cc704b1c00c9d17903e25ca35c319663e997cb9da0b116790b639e9688f2

          SHA512

          be604a2ad5ab8a3e5edb8901016a76042ba873c8d05b4ef8eec31241377ec6b2a883b51c6912dc7640581ffa624547db334683975883ae74e62808b5ae9ab0b5

          Download Submit

        • memory/2172-13-0x00000000002A0000-0x00000000002B7000-memory.dmp

          Filesize

          92KB

          Download

        • memory/2812-0-0x0000000000890000-0x00000000008A7000-memory.dmp

          Filesize

          92KB

          Download

        • memory/2812-5-0x00000000002A0000-0x00000000002B7000-memory.dmp

          Filesize

          92KB

          Download

        • memory/2812-10-0x00000000002A0000-0x00000000002B7000-memory.dmp

          Filesize

          92KB

          Download

        • memory/2812-9-0x0000000000890000-0x00000000008A7000-memory.dmp

          Filesize

          92KB

          Download