Analysis

  • max time kernel
    149s
  • max time network
    148s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
  • submitted
    08/01/2024, 04:13

General

  • Target

    4a68ee47fd872d1e7a957bd6c9585fec.exe

  • Size

    335KB

  • MD5

    4a68ee47fd872d1e7a957bd6c9585fec

  • SHA1

    47073e49ce1c87edce2f4850506ae038385388ea

  • SHA256

    55c845306575a4f6c64875549cbfaa27c17425b905d3e9a7e1e9c41653b88dda

  • SHA512

    d1a1658290cb464b0b8ccbad41ec0dae8c65baf85d98b38ad3ab56d6cfbea4b17f09b5226c49799cb974ed226e9718a8f0df2a2ff5a5ddb33c7260a45eb529bc

  • SSDEEP

    6144:hGRqNA/2ffooKmtARQ+teJmlfV7irmdbOLhYQyDR/f064Y6Bs2Bk758Q:hvA2Io+RQ+teJmBV6mdUYQyDRX0fRmdX

Malware Config

Signatures

  • Downloads MZ/PE file
  • Executes dropped EXE (3 IoCs)
  • Loads dropped DLL (9 IoCs)
  • Reads user/profile data of web browsers (2 TTPs)

    Infostealers often target stored browser data, which can include saved credentials, cookies and session tokens.

  • UPX packed file (10 IoCs)

    Detects executables packed with the open-source UPX packer or a modified UPX build.

  • Adds Run key to start application (2 TTPs, 2 IoCs)
  • Drops file in Program Files directory (6 IoCs)
  • Drops file in Windows directory (2 IoCs)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • Modifies system certificate store (2 TTPs, 15 IoCs)
  • Suspicious use of AdjustPrivilegeToken (2 IoCs)
  • Suspicious use of FindShellTrayWindow (1 IoC)
  • Suspicious use of WriteProcessMemory (15 IoCs)
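The two file-level checks a responder wants first when a file like this turns up on a host are whether it matches any hash the report lists (the General section and the dropped files below) and whether it carries the section names the "UPX packed file" signature keys on. The script below is an added example, not the sandbox's own code: the SHA256 table is copied from this report, and the PE image it is tested against is constructed by build_minimal_pe(), not a real sample.

```python
"""Offline triage of a file against this report: does it match a listed hash,
and does it carry the UPX section names the "UPX packed file" signature keys on?
Added example, not the sandbox's own code. The hashes are copied from the
report; the PE image used for testing is constructed in build_minimal_pe()."""
import hashlib
import struct

# SHA256 -> description, copied from the General and Downloads sections of the report.
REPORT_SHA256 = {
    "55c845306575a4f6c64875549cbfaa27c17425b905d3e9a7e1e9c41653b88dda":
        "4a68ee47fd872d1e7a957bd6c9585fec.exe (submitted sample, 335KB)",
    "134e9f12545c3300eedc7a5644c28f390e00918a15fbcf2143492810ab4a5474":
        "CzKXP0ggD3CDsRu.exe (306KB)",
    "5135f7f361835a87b1c17760423c6040e30eb597e76806b9afa042f132f76ca2":
        "CzKXP0ggD3CDsRu.exe (92KB)",
    "941e558d61d14ddaa218132eb2112dcbe8105eda728c2a507317eaa292fa8f21":
        "CzKXP0ggD3CDsRu.exe (96KB)",
    "9d25cc704b1c00c9d17903e25ca35c319663e997cb9da0b116790b639e9688f2":
        "C:\\Windows\\CTS.exe (29KB)",
    "0dd38281a824298100b2bc89ee5b8a5c9cd9ec7a3b051dff42037a891fa7c534":
        "nsdBD4.tmp\\InetBgDL.dll (33KB)",
    "c13104552b8b553159f50f6e2ca45114493397a6fa4bf2cbb960c4a2bbd349ab":
        "nsdBD4.tmp\\nsDialogs.dll (9KB)",
}


def file_digests(data: bytes) -> dict:
    """The same four digests the report lists for every artifact."""
    return {alg: hashlib.new(alg, data).hexdigest()
            for alg in ("md5", "sha1", "sha256", "sha512")}


def lookup_sha256(hexdigest: str):
    """Report entry for a SHA256 (case-insensitive), or None."""
    return REPORT_SHA256.get(hexdigest.lower())


def match_report(data: bytes):
    """Hash a file's bytes and return the matching report entry, or None."""
    return lookup_sha256(file_digests(data)["sha256"])


def pe_section_names(data: bytes) -> list:
    """Walk DOS header -> PE signature -> IMAGE_FILE_HEADER -> section table
    and return the section names. Raises ValueError for non-PE input."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # IMAGE_FILE_HEADER follows the 4-byte signature: NumberOfSections is at +2,
    # SizeOfOptionalHeader at +16; the header itself is 20 bytes long.
    num_sections = struct.unpack_from("<H", data, e_lfanew + 4 + 2)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 4 + 16)[0]
    table = e_lfanew + 4 + 20 + opt_size
    names = []
    for i in range(num_sections):
        off = table + i * 40                    # IMAGE_SECTION_HEADER is 40 bytes
        raw = data[off:off + 8]                 # Name is its first 8 bytes
        if len(raw) < 8:
            raise ValueError("truncated section table")
        names.append(raw.rstrip(b"\0").decode("ascii", "replace"))
    return names


def looks_upx_packed(data: bytes) -> bool:
    """The cheap check behind a "UPX packed file" verdict: stock UPX names its
    sections UPX0/UPX1 (UPX2 when resources are kept). Modified UPX builds often
    rename them, so False here does not prove the binary is unpacked."""
    return any(name.startswith("UPX") for name in pe_section_names(data))


def build_minimal_pe(section_names) -> bytes:
    """Constructed header-only PE32 image for testing; not a real sample."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    optional = b"\0" * 0xE0                     # PE32 optional header size
    file_hdr = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0,
                           len(optional), 0x102)
    sections = b"".join(n.encode("ascii").ljust(8, b"\0") + b"\0" * 32
                        for n in section_names)
    return dos + b"PE\0\0" + file_hdr + optional + sections


if __name__ == "__main__":
    import sys
    blob = open(sys.argv[1], "rb").read()
    print(file_digests(blob))
    print("report match:", match_report(blob))
    print("sections:", pe_section_names(blob), "upx:", looks_upx_packed(blob))
```

Run it as `python triage.py <file>`; a hash hit identifies which of the report's artifacts you are holding, and the section check tells you whether to unpack before looking at strings or imports. Section names are only a first pass: a repacked or renamed UPX build will slip past them, which is why sandboxes pair this with entropy and import-table heuristics.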

Processes

  • C:\Users\Admin\AppData\Local\Temp\7zSCD967F26\setup-stub.exe
    .\setup-stub.exe
    1⤵
    • Executes dropped EXE
    • Loads dropped DLL
    • Drops file in Program Files directory
    • Modifies system certificate store
    • Suspicious use of FindShellTrayWindow
    PID:2140
  • C:\Windows\CTS.exe
    "C:\Windows\CTS.exe"
    1⤵
    • Executes dropped EXE
    • Adds Run key to start application
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    PID:2520
  • C:\Users\Admin\AppData\Local\Temp\CzKXP0ggD3CDsRu.exe
    C:\Users\Admin\AppData\Local\Temp\CzKXP0ggD3CDsRu.exe
    1⤵
    • Executes dropped EXE
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:2524
  • C:\Users\Admin\AppData\Local\Temp\4a68ee47fd872d1e7a957bd6c9585fec.exe
    "C:\Users\Admin\AppData\Local\Temp\4a68ee47fd872d1e7a957bd6c9585fec.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2896
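The process list above gives the behaviours worth turning into a host detection: the submitted sample, running from the user's Temp directory, drops an executable directly into C:\Windows (C:\Windows\CTS.exe), a Run key is set to start it, and the dropped file then executes. The script below is an added example of that correlation logic, not output or code from the sandbox. Its events are constructed Sysmon-style lines; the paths and PIDs 2896 and 2520 come from the report, while the HKLM hive and the Run value name "CTS" are assumptions, because the report does not list the registry IoCs behind the signature.

```python
"""Turning the report's process behaviours into a detection: a process running
from the user's Temp directory writes an executable directly into C:\\Windows
("Drops file in Windows directory"), a Run value is then pointed at that file
("Adds Run key to start application"), and the dropped file executes.
Added example, not the sandbox's own logic. The events below are constructed
Sysmon-style lines; paths and PIDs 2896/2520 come from the report, while the
HKLM hive and the value name "CTS" are assumptions, since the report does not
list the registry IoCs behind the signature."""
import re

# Constructed sample events (k=v fields separated by '|'); not captured from the sandbox.
SAMPLE_EVENTS = [
    r"EventID=1|ProcessId=2896|Image=C:\Users\Admin\AppData\Local\Temp\4a68ee47fd872d1e7a957bd6c9585fec.exe",
    r"EventID=11|ProcessId=2896|Image=C:\Users\Admin\AppData\Local\Temp\4a68ee47fd872d1e7a957bd6c9585fec.exe"
    r"|TargetFilename=C:\Windows\CTS.exe",
    r"EventID=13|ProcessId=2896|Image=C:\Users\Admin\AppData\Local\Temp\4a68ee47fd872d1e7a957bd6c9585fec.exe"
    r"|TargetObject=HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CTS|Details=C:\Windows\CTS.exe",
    r"EventID=1|ProcessId=2520|Image=C:\Windows\CTS.exe",
    # Benign noise the rules must not escalate on: a service writing a .tmp into a
    # Windows subdirectory, and an installer registering a Program Files app.
    r"EventID=11|ProcessId=900|Image=C:\Windows\System32\svchost.exe|TargetFilename=C:\Windows\Temp\update.tmp",
    r"EventID=13|ProcessId=3100|Image=C:\Program Files\Example\setup.exe"
    r"|TargetObject=HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Example|Details=C:\Program Files\Example\app.exe",
]

# An .exe directly under C:\Windows, not in a subdirectory such as System32 or Temp.
WINDOWS_ROOT_EXE = re.compile(r"^[A-Za-z]:\\Windows\\[^\\]+\.exe$", re.IGNORECASE)
USER_TEMP = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
RUN_KEY = re.compile(r"\\CurrentVersion\\Run\\", re.IGNORECASE)


def parse_event(line: str) -> dict:
    """Split 'k=v|k=v' into a dict; values may contain '=' but not '|'."""
    return dict(field.split("=", 1) for field in line.split("|"))


def detect(lines):
    """Return (severity, rule, pid, detail) tuples in stream order.

    The Run-key rule alone is noisy (every installer sets one), so it only
    escalates to 'high' when the autostart target is a file that a Temp-resident
    process dropped into C:\\Windows earlier in the same stream; execution of such
    a dropped file is also flagged. Order matters: drop, then key, then run."""
    dropped = set()                     # lower-cased paths dropped into C:\Windows
    alerts = []
    for line in lines:
        ev = parse_event(line)
        eid, pid, image = ev.get("EventID"), ev.get("ProcessId"), ev.get("Image", "")
        if eid == "11":                 # FileCreate
            target = ev.get("TargetFilename", "")
            if WINDOWS_ROOT_EXE.match(target) and USER_TEMP.search(image):
                dropped.add(target.lower())
                alerts.append(("medium", "exe_dropped_in_windows_dir_from_temp", pid, target))
        elif eid == "13":               # RegistryEvent (value set)
            key, value = ev.get("TargetObject", ""), ev.get("Details", "")
            if RUN_KEY.search(key):
                severity = "high" if value.strip('"').lower() in dropped else "low"
                alerts.append((severity, "run_key_set", pid, f"{key} -> {value}"))
        elif eid == "1" and image.lower() in dropped:   # ProcessCreate of a dropped file
            alerts.append(("high", "dropped_windows_dir_exe_executed", pid, image))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(*alert)
```

The point of keeping state across events rather than matching each one in isolation is the severity split: on the constructed stream the sample's Run key lands as high because the target was dropped moments earlier from Temp, while the installer's Run key pointing into Program Files stays low. When porting this to a SIEM, key the `dropped` set on host plus path and expire it after a window, and remember that the report's other persistence process (PID 2520, CTS.exe) also sets a Run key, so a second high alert from the child is expected rather than a duplicate.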

Network

        MITRE ATT&CK Enterprise v15

        Downloads

        Files written to disk during the run, each with the same four digests as the sample. The CryptnetUrlCache entry and the Cab*.tmp/Tar*.tmp files in %TEMP% are typically produced by Windows CryptoAPI fetching certificate data (consistent with the "Modifies system certificate store" signature) and should not be treated as payloads. The three CzKXP0ggD3CDsRu.exe entries are one path whose contents changed during the run, so all three hashes are worth tracking. nsDialogs.dll and InetBgDL.dll under nsdBD4.tmp are NSIS installer plugins, which marks the setup-stub.exe branch as an NSIS-built installer.

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

          Filesize

          344B

          MD5

          7af23874c740286b917b83a27b44710f

          SHA1

          8a44ace51996943481209c2a95aaf5e382211883

          SHA256

          ae58753f8d7a2889e925632e1a3152c6b3dfc054de6d6af3599f682a665641af

          SHA512

          d51315ca6f427ebe0c37c6e0f43db001a2712c41b4254777660278aa7d09faeec45e7c7db8a21937ff9c09b36df0f222980b03ae056b89e6f78ee227bb63f9f6

        • C:\Users\Admin\AppData\Local\Temp\Cab287F.tmp

          Filesize

          65KB

          MD5

          ac05d27423a85adc1622c714f2cb6184

          SHA1

          b0fe2b1abddb97837ea0195be70ab2ff14d43198

          SHA256

          c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

          SHA512

          6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

        • C:\Users\Admin\AppData\Local\Temp\CzKXP0ggD3CDsRu.exe

          Filesize

          306KB

          MD5

          b1ec7bff4192f75a0a53608047a190e9

          SHA1

          7686a580333e8d60e1806418c8467e85beab4d2a

          SHA256

          134e9f12545c3300eedc7a5644c28f390e00918a15fbcf2143492810ab4a5474

          SHA512

          2af2d71ef3f292888adbe9836ae8bb3b1a8f99f4c95be0565515adf544c989e4ff722342721500b0aefc5f57178a1de9a916c4096c3f6722b42dcd0063cd6067

        • C:\Users\Admin\AppData\Local\Temp\CzKXP0ggD3CDsRu.exe

          Filesize

          92KB

          MD5

          a2a834834f3ce2f3608016dce24ecf0d

          SHA1

          7b8050e3eeaf04ac74e618c1e7a154256a9f4ca3

          SHA256

          5135f7f361835a87b1c17760423c6040e30eb597e76806b9afa042f132f76ca2

          SHA512

          593bb7af181ba05177cd44bd361d4308ede37eb861f05b2d29f5206c452d0dd01d696b963ca1617d37d0d815024c63f647c399228b0e1ab463a503323cdf8d16

        • C:\Users\Admin\AppData\Local\Temp\Tar2892.tmp

          Filesize

          171KB

          MD5

          9c0c641c06238516f27941aa1166d427

          SHA1

          64cd549fb8cf014fcd9312aa7a5b023847b6c977

          SHA256

          4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

          SHA512

          936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

        • C:\Windows\CTS.exe

          Filesize

          29KB

          MD5

          70aa23c9229741a9b52e5ce388a883ac

          SHA1

          b42683e21e13de3f71db26635954d992ebe7119e

          SHA256

          9d25cc704b1c00c9d17903e25ca35c319663e997cb9da0b116790b639e9688f2

          SHA512

          be604a2ad5ab8a3e5edb8901016a76042ba873c8d05b4ef8eec31241377ec6b2a883b51c6912dc7640581ffa624547db334683975883ae74e62808b5ae9ab0b5

        • \Users\Admin\AppData\Local\Temp\CzKXP0ggD3CDsRu.exe

          Filesize

          96KB

          MD5

          a8ebf84c7a8a04053eb361f3dc36a743

          SHA1

          84fe0b9ac6bd4d9d72b92b7e98ff4a8cf3bed38a

          SHA256

          941e558d61d14ddaa218132eb2112dcbe8105eda728c2a507317eaa292fa8f21

          SHA512

          5356248446b7a3cd046376bc734de7c69500b24a773df70bd68fb35e4bf925efc2caae0cf9ea672aefcd440be1d0667e478014e5b069892c3acc41f336d7d371

        • \Users\Admin\AppData\Local\Temp\nsdBD4.tmp\InetBgDL.dll

          Filesize

          33KB

          MD5

          73a0bec837004bc5ae5cd0a5b0d3bcf8

          SHA1

          92cb463841b6adeecb8cc9cc8eb5f39a61dc7edd

          SHA256

          0dd38281a824298100b2bc89ee5b8a5c9cd9ec7a3b051dff42037a891fa7c534

          SHA512

          f7aa18261fb4ef99b66e9a16e2df6323d34444de84a5bdabd3890154b0207f8509f34f2fe115b00e2396d33df778be6456a7fd754cc00271f8189e5a4420b6d2

        • \Users\Admin\AppData\Local\Temp\nsdBD4.tmp\nsDialogs.dll

          Filesize

          9KB

          MD5

          42b064366f780c1f298fa3cb3aeae260

          SHA1

          5b0349db73c43f35227b252b9aa6555f5ede9015

          SHA256

          c13104552b8b553159f50f6e2ca45114493397a6fa4bf2cbb960c4a2bbd349ab

          SHA512

          50d8f4f7a3ff45d5854741e7c4153fa13ee1093bafbe9c2adc60712ed2fb505c9688dd420d75aaea1b696da46b6beccc232e41388bc2a16b1f9eea1832df1cd7

        • memory/2140-197-0x0000000002B90000-0x0000000002B9B000-memory.dmp

          Filesize

          44KB

        • memory/2520-17-0x0000000001250000-0x0000000001267000-memory.dmp

          Filesize

          92KB

        • memory/2524-8-0x0000000000400000-0x0000000000443000-memory.dmp

          Filesize

          268KB

        • memory/2524-167-0x0000000000400000-0x0000000000443000-memory.dmp

          Filesize

          268KB

        • memory/2896-12-0x0000000000C80000-0x0000000000C97000-memory.dmp

          Filesize

          92KB

        • memory/2896-15-0x00000000000E0000-0x00000000000F7000-memory.dmp

          Filesize

          92KB

        • memory/2896-3-0x0000000000C80000-0x0000000000C97000-memory.dmp

          Filesize

          92KB

        • memory/2896-207-0x00000000000E0000-0x00000000000F7000-memory.dmp

          Filesize

          92KB