Overview

overview

7

Static

static

7

43bfe91450...88.exe

windows7-x64

7

43bfe91450...88.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    149s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
  • submitted
    05/01/2024, 13:03

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    43bfe9145031b6583110fbace31c5888.exe

  • Size

    135KB

  • MD5

    43bfe9145031b6583110fbace31c5888

  • SHA1

    f86fc7a4e5ac9ddac1ae53213c8c35789dd90207

  • SHA256

    2b7e54c70079560b5718d81f3c29c4a59c07f57ce30fa361ada47bc52555a162

  • SHA512

    f77db42f839940705b50d5327562ddf4282ec178ee01f2cd0e527adc4612a4d2b3422f0cb4b0e13c298e5b56033d8a05b6833935916a217e8d1c99265b5f7407

  • SSDEEP

    3072:sr3KcWmjRrzSvr3KcWmjRrzSFT3LqwyJdOkVkML2h:/Qp7qxdObrh

Score
7/10
persistencespywarestealerupx

Malware Config

Signatures

  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • UPX packed file 7 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Drops file in Windows directory 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\43bfe9145031b6583110fbace31c5888.exe
    "C:\Users\Admin\AppData\Local\Temp\43bfe9145031b6583110fbace31c5888.exe"
    1⤵
    • Adds Run key to start application
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4612
    • C:\Windows\CTS.exe
      "C:\Windows\CTS.exe"
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      PID:924
    • C:\Users\Admin\AppData\Local\Temp\ZBSKs4m34JjOrSz.exe
      C:\Users\Admin\AppData\Local\Temp\ZBSKs4m34JjOrSz.exe
      2⤵
      • Executes dropped EXE
      PID:1944

Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\excel.exe_Rules.xml
          Filesize

          108KB

          MD5

          24ed15fee4eade07f7808e58c8057fbb

          SHA1

          b3a2a2776461d91293620488d33584ccc537c98f

          SHA256

          418cda496da838145b3ffb93d4dfb9cde624510dac4f0c5cb9f529aea7de0369

          SHA512

          7fcc70e3ed2fcae3f0ae9bc8eedc68d27b83b00b2d53be2ca16cddb83723cd922ac8841f456846f7bf4cf8b0dc85d0cde362b6fcf94d74d61f826d8ab1c728e5

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\ZBSKs4m34JjOrSz.exe
          Filesize

          29KB

          MD5

          dac21753cf55aa12fbf1e95091f115c2

          SHA1

          f727c70509d144987994c48eadf5631b5c6d1e4e

          SHA256

          93ffeefd35b4c37fc01accaddaccf44b1dc61fc6639903cdc0d670a6fb3fd400

          SHA512

          7260f27aab4fbb14cbaf5a1b3f9751b7407048a58ecfc166c2c6d013210e87432e63ba236a54cf84d01a9f006ec0dad10668237efa15e0cb3b3f144463b7605b

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\ZBSKs4m34JjOrSz.exe
          Filesize

          64KB

          MD5

          a32a382b8a5a906e03a83b4f3e5b7a9b

          SHA1

          11e2bdd0798761f93cce363329996af6c17ed796

          SHA256

          75f12ea2f30d9c0d872dade345f30f562e6d93847b6a509ba53beec6d0b2c346

          SHA512

          ec87dd957be21b135212454646dcabdd7ef9442cf714e2c1f6b42b81f0c3fa3b1875bde9a8b538e8a0aa2190225649c29e9ed0f25176e7659e55e422dd4efe4c

          Download Submit

        • C:\Windows\CTS.exe
          Filesize

          71KB

          MD5

          22069d1278ebf7d1758e20c4b118c39a

          SHA1

          cfd6c00953bc91dfa91a809e99a230b0ad222eec

          SHA256

          c4875ef691c5e0dbcdc5dd700f610042ec63e251f184150eeb3e7ab1dde3c9ba

          SHA512

          7ffbb4fce2779e7dc7ea19773a843eb174eb9e8dfc136a45ce8606c6c1657887f73409bfc780c391fe38dacc56c8a6ca4f84d3656236d631b42ec2946346b61d

          Download Submit

        • C:\Windows\CTS.exe
          Filesize

          64KB

          MD5

          da8ab8c21c5e85946fbedccc04f3ff42

          SHA1

          f02217059da8e2e3aaea2d293d816a59f44e2dd8

          SHA256

          8d850c7fbc40a52acc7ae04d231480ac5f78dcd191995824f34bd14df3cc9deb

          SHA512

          599188304a4456b3bbd428142c9f11ff74fac894c2c1c50be8ef9196ef36a64ce9d1d8595ccbc92737c88ddf0879866174a38bd4838c0ab3ba6320d288de6a5d

          Download Submit

        • memory/924-8-0x0000000000470000-0x0000000000487000-memory.dmp

          Filesize

          92KB

          Download

        • memory/924-32-0x0000000000470000-0x0000000000487000-memory.dmp

          Filesize

          92KB

          Download

        • memory/4612-0-0x0000000000F90000-0x0000000000FA7000-memory.dmp

          Filesize

          92KB

          Download

        • memory/4612-7-0x0000000000F90000-0x0000000000FA7000-memory.dmp

          Filesize

          92KB

          Download