Overview

overview

7

Static

static

7

560e642cbf...ec.exe

windows7-x64

7

560e642cbf...ec.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    141s
  • max time network
    126s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
  • submitted
    12/01/2024, 09:13

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    560e642cbfe798e88117b93aeb4e92ec.exe

  • Size

    52KB

  • MD5

    560e642cbfe798e88117b93aeb4e92ec

  • SHA1

    021914eb10b2f9cd27effc65e90c26cd7b14f7af

  • SHA256

    652fd9acdbd738bcab603ac15c22b1197c6ce9c1da6ac29618641a02bbfbb57b

  • SHA512

    830152aebb0c64b5365808b0a888dc828b216eb74322cf88f72f57ca993ffc046b536f9e270c2cbe3c3a67375f54fcf89a2fe1dd783656542d6e1bcc96c7e4fa

  • SSDEEP

    768:X8Q2ZDX3LKew369lp2z3Sd4baFXLjwP/Tgj93b8NIom46+Ir75Dx0zMcjXsxgUCM:s9Z3KcR4mjD9r8226+ulBebR+

Score
7/10
persistencespywarestealerupx

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • UPX packed file 5 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Drops file in Windows directory 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\560e642cbfe798e88117b93aeb4e92ec.exe
    "C:\Users\Admin\AppData\Local\Temp\560e642cbfe798e88117b93aeb4e92ec.exe"
    1⤵
    • Adds Run key to start application
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2312
    • C:\Windows\CTS.exe
      "C:\Windows\CTS.exe"
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      PID:2692

Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\ZiJKsFnesfZfacB.exe
          Filesize

          52KB

          MD5

          31035aafcb9f07e742de211e34ac7a2b

          SHA1

          968db533a89243bb2f477ff1ca7199ac3289fdb4

          SHA256

          1b1c1016151037f257823972eb785eb8b391a88f871c48d1a4917b8f7d6f670e

          SHA512

          6c7730300128a5a0e93fbd12d91a8793fdebc7dceb703e49f7f0aeb66c1f61d5763f1b3caf5002b759a5a6157a87fe2f94bd370bc28b3039c6d052802ccab2c9

          Download Submit

        • C:\Windows\CTS.exe
          Filesize

          35KB

          MD5

          93e5f18caebd8d4a2c893e40e5f38232

          SHA1

          fd55c4e6bcd108bce60ea719c06dc9c4d0adafa6

          SHA256

          a66c4b98becac2f69cb107cd087d7a2ca9ef511bc3b83367b1f440f11dd159a8

          SHA512

          986583610d27caae2080834301d072557c5d2c85e33f0d19ab1245d7eae8db146397461572ddb3d491be16f3af210720d54267dac838fdad8fe34afa3d6b7f54

          Download Submit

        • memory/2312-0-0x00000000010B0000-0x00000000010C7000-memory.dmp

          Filesize

          92KB

          Download

        • memory/2312-8-0x00000000010B0000-0x00000000010C7000-memory.dmp

          Filesize

          92KB

          Download

        • memory/2312-11-0x0000000000070000-0x0000000000087000-memory.dmp

          Filesize

          92KB

          Download

        • memory/2312-19-0x0000000000070000-0x0000000000087000-memory.dmp

          Filesize

          92KB

          Download

        • memory/2692-12-0x0000000000B70000-0x0000000000B87000-memory.dmp

          Filesize

          92KB

          Download