Analysis

  • max time kernel
    117s
  • max time network
    117s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
  • submitted
    10/01/2024, 02:46

General

  • Target

    4f5f23cf6357b3a79ff5b8311ddd3b1d.exe

  • Size

    88KB

  • MD5

    4f5f23cf6357b3a79ff5b8311ddd3b1d

  • SHA1

    2311ef5455f670df48a97c704459a1908b3dd9d4

  • SHA256

    7b53118d05923755c4467eb327bae99ad42366fa3b92e14f5abff3ed2e3e3f1b

  • SHA512

    9b1f2e86184bac2067bec9a0e0b3d70e1046d8a8501179b4953e90e8569790e51f89e32aa87e5f9991551236800d8d5ecb0b215581dbbd33f57a8f14e351af1f

  • SSDEEP

    768:XqNK2cNW0QbRsWjcdip3RK733XV8YEhBjIwU/0SAR1RGn8NIoJtR+beoY8LQbi4Z:scNjQlsWjcdiTuXbELbGn82i+beoJkv

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • UPX packed file 7 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Drops file in Windows directory 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Windows\CTS.exe
    "C:\Windows\CTS.exe"
    • Executes dropped EXE
    • Adds Run key to start application
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    PID:2516
  • C:\Users\Admin\AppData\Local\Temp\4f5f23cf6357b3a79ff5b8311ddd3b1d.exe
    "C:\Users\Admin\AppData\Local\Temp\4f5f23cf6357b3a79ff5b8311ddd3b1d.exe"
    • Adds Run key to start application
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2800

Network

MITRE ATT&CK Enterprise v15

Downloads

        • C:\Users\Admin\AppData\Local\Temp\K5v7Mmx07M7psHd.exe

          Filesize

          88KB

          MD5

          2de34aaf5ae40c19a1d7facb83ae35a6

          SHA1

          3b864bda8e7b9ebc4ccd5c5c7a4f17b17b579f91

          SHA256

          bd897c4cd2cdd240ae41ab7e300a27cce7d8bfe48ddfde3af1f702587df63761

          SHA512

          fd37e73a49b73f13c8f664d15c3388a0ff5e347b0ee586ae64829878c018a143b0b29187d9a512aea27c67406a0ebfdb9b88f1118044eda577760e60da584480

        • C:\Windows\CTS.exe

          Filesize

          75KB

          MD5

          c9bd27241365904a8178120cca2e4f87

          SHA1

          cb0696e7fb15070eda01a6ba83f97a3f0c954e1b

          SHA256

          4c8c12b758ef0b2865e64fc7ecf58a473ca041b795a8ab69b4bfc4a7209f1ad3

          SHA512

          6b5a10ae78fd26d376cef4bff429f3c5582cff549985ae9a8295b30f2df9c82a21056f7e3054b6f6472e5245ba3b27b82958e32e6dac3aa0fb7a8e55c06edb40

        • C:\Windows\CTS.exe

          Filesize

          82KB

          MD5

          796f4df6e89c638054b20b09ba1f28e5

          SHA1

          80e5f4e74a798f180f27f9b3dccb3c7461511d7d

          SHA256

          3293c5e8c2a49b5c7e2ba41c33e49d894137e25b672f19df5100bb9042bda402

          SHA512

          687860ab619a797cf2d459b0b3324bfca2f5c2b5eb92b2114b423326e1d56e872022000b4402687382c66c3ccf7d061a7f4fd0cf9cafcd5417fb6e096d7e1887

        • memory/2516-12-0x00000000003C0000-0x00000000003D9000-memory.dmp

          Filesize

          100KB

        • memory/2800-10-0x00000000013C0000-0x00000000013D9000-memory.dmp

          Filesize

          100KB

        • memory/2800-5-0x0000000000160000-0x0000000000179000-memory.dmp

          Filesize

          100KB

        • memory/2800-0-0x00000000013C0000-0x00000000013D9000-memory.dmp

          Filesize

          100KB