ac0aa1fc56d492e81b4a71a9ab06fe35df42c8dd6fcccafa51591fa185d42927

Analysis

max time kernel
162s
max time network
172s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
08/01/2024, 16:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4bea978951b9452de6ebbce207371089.exe
Size

775KB
MD5

4bea978951b9452de6ebbce207371089
SHA1

558728ffa36f6c6fa0bebd6b5f9ec544a413fef7
SHA256

ac0aa1fc56d492e81b4a71a9ab06fe35df42c8dd6fcccafa51591fa185d42927
SHA512

9a66973759ea7689ee0b8979c6e34fdab96681ccf0cb2ab9697ef89e274a42067ee1436d5a6c29da9f3f2a76466f7821d1f5fd9c9cba095fada19c0cb89b8216
SSDEEP

24576:/rl6kD68JmloLQf9MoraVGsEAGV1T+EI0Fsqy:Dl328U2kf9MorarUrLI06

Score

9^/10

upx

Malware Config

Signatures

NirSoft MailPassView 1 IoCs

Password recovery tool for various email clients

resource	yara_rule
behavioral2/memory/1352-6-0x0000000000400000-0x0000000000488000-memory.dmp	MailPassView

NirSoft WebBrowserPassView 1 IoCs

Password recovery tool for various web browsers

resource	yara_rule
behavioral2/memory/1352-6-0x0000000000400000-0x0000000000488000-memory.dmp	WebBrowserPassView

Nirsoft 1 IoCs

resource	yara_rule
behavioral2/memory/1352-6-0x0000000000400000-0x0000000000488000-memory.dmp	Nirsoft

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3244-0-0x0000000000EF0000-0x000000000109F000-memory.dmp	upx
behavioral2/memory/3244-1-0x0000000000EF0000-0x000000000109F000-memory.dmp	upx
behavioral2/memory/3244-4-0x0000000000EF0000-0x000000000109F000-memory.dmp	upx
behavioral2/memory/3244-11-0x0000000000EF0000-0x000000000109F000-memory.dmp	upx

AutoIT Executable 2 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral2/memory/3244-4-0x0000000000EF0000-0x000000000109F000-memory.dmp	autoit_exe
behavioral2/memory/3244-11-0x0000000000EF0000-0x000000000109F000-memory.dmp	autoit_exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3244 set thread context of 1352	3244	4bea978951b9452de6ebbce207371089.exe	94

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
3244	4bea978951b9452de6ebbce207371089.exe
3244	4bea978951b9452de6ebbce207371089.exe
3244	4bea978951b9452de6ebbce207371089.exe
3244	4bea978951b9452de6ebbce207371089.exe

Suspicious use of SendNotifyMessage 4 IoCs

pid	Process
3244	4bea978951b9452de6ebbce207371089.exe
3244	4bea978951b9452de6ebbce207371089.exe
3244	4bea978951b9452de6ebbce207371089.exe
3244	4bea978951b9452de6ebbce207371089.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 3244 wrote to memory of 1352	3244	4bea978951b9452de6ebbce207371089.exe	94
PID 3244 wrote to memory of 1352	3244	4bea978951b9452de6ebbce207371089.exe	94
PID 3244 wrote to memory of 1352	3244	4bea978951b9452de6ebbce207371089.exe	94
PID 3244 wrote to memory of 1352	3244	4bea978951b9452de6ebbce207371089.exe	94
PID 3244 wrote to memory of 1352	3244	4bea978951b9452de6ebbce207371089.exe	94

C:\Users\Admin\AppData\Local\Temp\4bea978951b9452de6ebbce207371089.exe
"C:\Users\Admin\AppData\Local\Temp\4bea978951b9452de6ebbce207371089.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3244
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
  2⤵
  PID:1352

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1352-6-0x0000000000400000-0x0000000000488000-memory.dmp

Filesize
544KB

Download
memory/1352-13-0x0000000075390000-0x0000000075941000-memory.dmp

Filesize
5.7MB

Download
memory/1352-14-0x0000000000BB0000-0x0000000000BC0000-memory.dmp

Filesize
64KB

Download
memory/1352-15-0x0000000075390000-0x0000000075941000-memory.dmp

Filesize
5.7MB

Download
memory/1352-16-0x0000000075390000-0x0000000075941000-memory.dmp

Filesize
5.7MB

Download
memory/1352-17-0x0000000000BB0000-0x0000000000BC0000-memory.dmp

Filesize
64KB

Download
memory/1352-18-0x0000000075390000-0x0000000075941000-memory.dmp

Filesize
5.7MB

Download
memory/3244-0-0x0000000000EF0000-0x000000000109F000-memory.dmp

Filesize
1.7MB

Download
memory/3244-1-0x0000000000EF0000-0x000000000109F000-memory.dmp

Filesize
1.7MB

Download
memory/3244-4-0x0000000000EF0000-0x000000000109F000-memory.dmp

Filesize
1.7MB

Download
memory/3244-5-0x0000000021810000-0x0000000021811000-memory.dmp

Filesize
4KB

Download
memory/3244-11-0x0000000000EF0000-0x000000000109F000-memory.dmp

Filesize
1.7MB

Download