Overview

overview

8

Static

static

7

59af166624...3a.exe

windows7-x64

8

59af166624...3a.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    119s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20231129-en
  • resource tags

    arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
  • submitted
    13/01/2024, 23:27

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    59af1666246388b5d5ab790612e0d43a.exe

  • Size

    33KB

  • MD5

    59af1666246388b5d5ab790612e0d43a

  • SHA1

    c5ba046ad5978343dc87466c76df0a1b82a9a53f

  • SHA256

    972c0c557aef3b8373ce28cd2c13d09091a30135263cf1af27901e49370ab4bd

  • SHA512

    1dcad08f1640aa43d638962800b836cebe50ab39fe34294a02f09c28e663078845c8ff175c133aa2d1de2cb585667ace2652efabee101cc0e8ef9ae4e4d6317f

  • SSDEEP

    768:RBD4C5u76tYBgNO7Q/XuL6C5sUB2Yys3/LaSr:nDdu77BgCWXO6hYys3/LaSr

Score
8/10
evasionspywarestealerupx

Malware Config

Signatures

  • Stops running service(s) 3 TTPs
    evasion
  • Deletes itself 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • UPX packed file 2 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Drops file in System32 directory 8 IoCs
  • Launches sc.exe 2 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 23 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\59af1666246388b5d5ab790612e0d43a.exe
    "C:\Users\Admin\AppData\Local\Temp\59af1666246388b5d5ab790612e0d43a.exe"
    1⤵
    • Drops file in System32 directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2536
    • C:\Windows\SysWOW64\net.exe
      net stop cryptsvc
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3012
      • C:\Windows\SysWOW64\net1.exe
        C:\Windows\system32\net1 stop cryptsvc
        3⤵
          PID:2564
      • C:\Windows\SysWOW64\sc.exe
        sc config cryptsvc start= disabled
        2⤵
        • Launches sc.exe
        PID:1968
      • C:\Windows\SysWOW64\sc.exe
        sc delete cryptsvc
        2⤵
        • Launches sc.exe
        PID:1264
      • C:\Windows\SysWOW64\rundll32.exe
        C:\Users\Admin\AppData\Local\Temp\1705188477.dat, ServerMain c:\users\admin\appdata\local\temp\59af1666246388b5d5ab790612e0d43a.exe
        2⤵
        • Deletes itself
        • Loads dropped DLL
        PID:1728

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\1705188477.dat
      Filesize

      33KB

      MD5

      7cf98fc8422296a346bfe4eac9bf172a

      SHA1

      816d333f429eba90c94d780593b0461a1ddc6057

      SHA256

      ba75e448e0ad0201697e64c76dcf9e5755c7b3520f0033d97a3d86a73ed6613b

      SHA512

      cbd9853bb46c143bcb64efac2c1ef3c3ad3e6d698ab071ab19961a59ce035fde454dcb0415a7a2f2b6db740ad36b8cfc9e75b6d26fb79304149327d0717699b8

      Download Submit

    • memory/2536-0-0x0000000000400000-0x0000000000416000-memory.dmp

      Filesize

      88KB

      Download

    • memory/2536-9-0x0000000000400000-0x0000000000416000-memory.dmp

      Filesize

      88KB

      Download