Overview

overview

8

Static

static

3

54c6f0654b...ed.exe

windows7-x64

8

54c6f0654b...ed.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    137s
  • max time network
    145s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
  • submitted
    11-01-2024 22:41

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    54c6f0654b93d2f105b66db4fa10b5ed.exe

  • Size

    1.9MB

  • MD5

    54c6f0654b93d2f105b66db4fa10b5ed

  • SHA1

    9ff6655d6c17abda2de2d173d596f8264388c437

  • SHA256

    a8ab6a4b51c1f055d344543e105acca7d66191ea3f223eae1f44943f6e3a68da

  • SHA512

    3e4e87ca56161fcad78b07f4a1d84a8cd23d9b91558cfab14de39e47c8feb8e119b2b9f2f952e9f5436d895b52dc9a0b4b380fe0d369217c94a8091af9721dd8

  • SSDEEP

    49152:3ZfKwJkIEj9rEEgebEksgZJcoDGYkSb+kWuAJ:4weI694EgenDz+V

Score
8/10
evasionspywarestealerupx

Malware Config

Signatures

  • Modifies Windows Firewall 1 TTPs 1 IoCs
    evasion
  • ACProtect 1.3x - 1.4x DLL software 8 IoCs

    Detects file using ACProtect software.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 14 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • UPX packed file 24 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies Internet Explorer settings 1 TTPs 41 IoCs
    adwarespyware
  • Modifies registry class 1 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 8 IoCs
  • Suspicious use of WriteProcessMemory 34 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\54c6f0654b93d2f105b66db4fa10b5ed.exe
    "C:\Users\Admin\AppData\Local\Temp\54c6f0654b93d2f105b66db4fa10b5ed.exe"
    1⤵
    • Checks computer location settings
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:4400
    • C:\Users\Admin\AppData\Local\Temp\msnmsgr.exe
      C:\Users\Admin\AppData\Local\Temp\msnmsgr.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1196
      • C:\Users\Admin\AppData\Local\Temp\msnmsgr.exe
        "C:\Users\Admin\AppData\Local\Temp\msnmsgr.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:3692
        • C:\Windows\SysWOW64\cmd.exe
          cmd.exe /c netsh firewall set opmode disable
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:2716
          • C:\Windows\SysWOW64\netsh.exe
            netsh firewall set opmode disable
            5⤵
            • Modifies Windows Firewall
            PID:3036
        • C:\Windows\SysWOW64\cmd.exe
          cmd.exe /c C:\FirePassword.exe "C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\x3x6afp6.default-release"
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:2160
          • C:\FirePassword.exe
            C:\FirePassword.exe "C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\x3x6afp6.default-release"
            5⤵
            • Executes dropped EXE
            • Loads dropped DLL
            PID:5032
        • C:\Windows\SysWOW64\cmd.exe
          cmd.exe /c C:\FirePassword.exe "C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\urxy0c8h.Admin"
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:2444
          • C:\FirePassword.exe
            C:\FirePassword.exe "C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\urxy0c8h.Admin"
            5⤵
            • Executes dropped EXE
            • Loads dropped DLL
            PID:5076
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\7427.gif
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1292
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1292 CREDAT:17410 /prefetch:2
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:3944

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\FirePassword.exe
    Filesize

    80KB

    MD5

    b199ac8e35357580b48f7b33868e67a2

    SHA1

    f72aeaa3b66d8388bdf7116317b12084393624b6

    SHA256

    410bebeacf59ec783bff358437305cb4b982bcbc6c06a4a3389f3e8432d2751e

    SHA512

    ed50383a66f42df530b1c28d882f86bc27cdd42404250912e3a0fc72df46eabb19ac7a13e424fbd83ba82d2ddc508fee582182f1009059b6195acbe35f1831a8

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\L3T8W3B4\suggestions[1].en-US
    Filesize

    17KB

    MD5

    5a34cb996293fde2cb7a4ac89587393a

    SHA1

    3c96c993500690d1a77873cd62bc639b3a10653f

    SHA256

    c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

    SHA512

    e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\7427.gif
    Filesize

    1.4MB

    MD5

    7e41d661b6cb99c057472c1df17c093e

    SHA1

    316ec9e2cb8edfce4f105b03416c0d3977d3df46

    SHA256

    d93982973018bf3ca5dd2ba7d7c704ab2a37b7997b7062d6a5e1c6d0e7a3e698

    SHA512

    7e25cd7d0372831d96508e17d0ecef10cfc40d851c3649ac0ed6ad057a2b040ec9b9a239db27054c37d7cf4a194156decca099a1ebdbe87090c049440e2f65d2

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\msnmsgr.exe
    Filesize

    478KB

    MD5

    2284021d2a9f3e2232cd2483de44f17b

    SHA1

    d5e4fdce8f67e282bffd8d2cf45e3f569a2d74fe

    SHA256

    9039c1d77eaf4aa31c7619ea5e08c0c085ee756f4e09b0810af73853c192574f

    SHA512

    cdcf3aeb5796043f34ec4e38f8eb7b94667317518ff3832a6f13084062a9b0ac423d23978611e34bc50899a1cdd5121ee7a09be4daa5a5a498d14079d2ef5bf0

    Download Submit

  • C:\nspr4.dll
    Filesize

    72KB

    MD5

    72414dfb0b112c664d2c8d1215674e09

    SHA1

    50a1e61309741e92fe3931d8eb606f8ada582c0a

    SHA256

    69e73fea2210adc2ae0837ac98b46980a09fe91c07f181a28fda195e2b9e6b71

    SHA512

    41428624573b4a191b33657ed9ad760b500c5640f3d62b758869a17857edc68f90bc10d7a5e720029519c0d49b5ca0fa8579743e80b200ef331e41efde1dc8c9

    Download Submit

  • C:\nss3.dll
    Filesize

    172KB

    MD5

    7ddbd64d87c94fd0b5914688093dd5c2

    SHA1

    d49d1f79efae8a5f58e6f713e43360117589efeb

    SHA256

    769703fb1ba6c95fb6c889e8a9baaea309e62d0f3ca444d01cc6b495c0f722d1

    SHA512

    60eaad58c3c4894f1673723eb28ddb42b681ff7aafe7a29ff8bf87a2da6595c16d1f8449096accdb89bd6cda6454eb90470e71dde7c5bd16abd0f80e115cfa2d

    Download Submit

  • C:\plc4.dll
    Filesize

    8KB

    MD5

    c73ec58b42e66443fafc03f3a84dcef9

    SHA1

    5e91f467fe853da2c437f887162bccc6fd9d9dbe

    SHA256

    2dc0171b83c406db6ec9389b438828246b282862d2b8bdf2f5b75aec932a69f7

    SHA512

    6318e831d8f38525e2e49b5a1661440cd8b1f3d2afc6813bb862c21d88d213c4675a8ec2a413b14fbdca896c63b65a7da6ec9595893b352ade8979e7e86a7fcf

    Download Submit

  • C:\plds4.dll
    Filesize

    6KB

    MD5

    ee44d5d780521816c906568a8798ed2f

    SHA1

    2da1b06d5de378cbfc7f2614a0f280f59f2b1224

    SHA256

    50b2735318233d6c87b6efccccc23a0e3216d2870c67f2f193cc1c83c7c879fc

    SHA512

    634a1cd2baaef29b4fe7c7583c04406bb2ea3a3c93294b31f621652844541e7c549da1a31619f657207327604c261976e15845571ee1efe5416f1b021d361da8

    Download Submit

  • C:\softokn3.dll
    Filesize

    155KB

    MD5

    e846285b19405b11c8f19c1ed0a57292

    SHA1

    2c20cf37394be48770cd6d396878a3ca70066fd0

    SHA256

    251f0094b6b6537df3d3ce7c2663726616f06cfb9b6de90efabd67de2179a477

    SHA512

    b622ff07ae2f77e886a93987a9a922e80032e9041ed41503f0e38abb8c344eb922d154ade29e52454d0a1ad31596c4085f4bd942e4412af9f0698183acd75db7

    Download Submit

  • memory/3692-12-0x0000000000400000-0x0000000000489000-memory.dmp

    Filesize

    548KB

    Download

  • memory/3692-77-0x0000000000400000-0x0000000000489000-memory.dmp

    Filesize

    548KB

    Download

  • memory/3692-10-0x0000000000400000-0x0000000000489000-memory.dmp

    Filesize

    548KB

    Download

  • memory/3692-74-0x0000000000400000-0x0000000000489000-memory.dmp

    Filesize

    548KB

    Download

  • memory/3692-7-0x0000000000400000-0x0000000000489000-memory.dmp

    Filesize

    548KB

    Download

  • memory/4400-57-0x0000000000400000-0x00000000005E4000-memory.dmp

    Filesize

    1.9MB

    Download

  • memory/5032-45-0x00000000008F0000-0x000000000091D000-memory.dmp

    Filesize

    180KB

    Download

  • memory/5032-35-0x0000000060220000-0x0000000060229000-memory.dmp

    Filesize

    36KB

    Download

  • memory/5032-46-0x0000000060140000-0x000000006016D000-memory.dmp

    Filesize

    180KB

    Download

  • memory/5032-39-0x0000000060210000-0x000000006021A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/5032-51-0x0000000060260000-0x00000000602BF000-memory.dmp

    Filesize

    380KB

    Download

  • memory/5032-52-0x0000000060220000-0x0000000060229000-memory.dmp

    Filesize

    36KB

    Download

  • memory/5032-53-0x0000000060210000-0x000000006021A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/5032-54-0x0000000060140000-0x000000006016D000-memory.dmp

    Filesize

    180KB

    Download

  • memory/5032-38-0x0000000000420000-0x000000000042A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/5032-44-0x0000000000920000-0x000000000094D000-memory.dmp

    Filesize

    180KB

    Download

  • memory/5032-31-0x0000000060170000-0x00000000601D7000-memory.dmp

    Filesize

    412KB

    Download

  • memory/5032-34-0x0000000060260000-0x00000000602BF000-memory.dmp

    Filesize

    380KB

    Download

  • memory/5076-64-0x0000000060140000-0x000000006016D000-memory.dmp

    Filesize

    180KB

    Download

  • memory/5076-63-0x0000000060170000-0x00000000601D7000-memory.dmp

    Filesize

    412KB

    Download

  • memory/5076-70-0x0000000060260000-0x00000000602BF000-memory.dmp

    Filesize

    380KB

    Download

  • memory/5076-66-0x0000000060210000-0x000000006021A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/5076-68-0x0000000060220000-0x0000000060229000-memory.dmp

    Filesize

    36KB

    Download