Overview

overview

7

Static

static

7

46c2b077d8...0b.exe

windows7-x64

7

46c2b077d8...0b.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    140s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20231129-en
  • resource tags

    arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
  • submitted
    06/01/2024, 17:11

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    46c2b077d80e22fdf8881069e773720b.exe

  • Size

    30KB

  • MD5

    46c2b077d80e22fdf8881069e773720b

  • SHA1

    e1ad94e1ff62980e841bbdf221f737177a3f1c07

  • SHA256

    7f3fe334862f9b3c92348b084d5e4206c21c8e070f73b22ac7b1b48c58686858

  • SHA512

    48e988c8044fbecd4688ce89d9fb63833e531e43def5385073df5b00e66a85bbecb6947d539c344ed0373c5275a31c978f5b3122b96d75c9b3f61e8cee5f7107

  • SSDEEP

    768:XocAX3LKew369lp2z3Sd4baFXLjwP/Tgj93b8NIocVSEFAU:SKcR4mjD9r823Fp

Score
7/10
persistencespywarestealerupx

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • UPX packed file 5 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Drops file in Windows directory 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\46c2b077d80e22fdf8881069e773720b.exe
    "C:\Users\Admin\AppData\Local\Temp\46c2b077d80e22fdf8881069e773720b.exe"
    1⤵
    • Adds Run key to start application
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:624
    • C:\Windows\CTS.exe
      "C:\Windows\CTS.exe"
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      PID:2996

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\odoA0ukGbOTbrkq.exe
    Filesize

    30KB

    MD5

    04501e130e18876a5d1153b045c939fb

    SHA1

    a28613a6a7862dc922f82d22183a0c6479aa2cc3

    SHA256

    91ed920c9344725928c1a0583de6a9b00f9c2688d63b403991db168a00d267de

    SHA512

    497132ba2e71a7194a6b1675f938c90771180e66d8414c884866c504f4830e2d76bc4c8cb095c0ca44a847a6fa021a5ac01b123429bb4d11b3af8c7759bccc8f

    Download Submit

  • C:\Windows\CTS.exe
    Filesize

    29KB

    MD5

    70aa23c9229741a9b52e5ce388a883ac

    SHA1

    b42683e21e13de3f71db26635954d992ebe7119e

    SHA256

    9d25cc704b1c00c9d17903e25ca35c319663e997cb9da0b116790b639e9688f2

    SHA512

    be604a2ad5ab8a3e5edb8901016a76042ba873c8d05b4ef8eec31241377ec6b2a883b51c6912dc7640581ffa624547db334683975883ae74e62808b5ae9ab0b5

    Download Submit

  • memory/624-0-0x0000000000020000-0x0000000000037000-memory.dmp

    Filesize

    92KB

    Download

  • memory/624-8-0x0000000000020000-0x0000000000037000-memory.dmp

    Filesize

    92KB

    Download

  • memory/624-9-0x0000000000090000-0x00000000000A7000-memory.dmp

    Filesize

    92KB

    Download

  • memory/624-18-0x0000000000090000-0x00000000000A7000-memory.dmp

    Filesize

    92KB

    Download

  • memory/2996-12-0x0000000000160000-0x0000000000177000-memory.dmp

    Filesize

    92KB

    Download