Overview

overview

7

Static

static

7

64d4af8e93...b8.exe

windows7-x64

7

64d4af8e93...b8.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    144s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231222-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
  • submitted
    18/01/2024, 07:33

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    64d4af8e93ee1377d86e6992dda4c7b8.exe

  • Size

    29KB

  • MD5

    64d4af8e93ee1377d86e6992dda4c7b8

  • SHA1

    21c4b4d2f2e803f7a3a71d297ed6cf59e89ffdee

  • SHA256

    bd0b0abd3daec4ff56d2e4e429be56c56989505d236239c4874bad451f4adf09

  • SHA512

    8de69c2e6e0b7f0f794150ca8c5adc7095382f9ba3ef0620c8fa541d32fe06d978ceb8003398c4d5024bb0c9778f3a113520da069fd4efcbe03706c3319157cf

  • SSDEEP

    768:XocAX3LKew369lp2z3Sd4baFXLjwP/Tgj93b8NIocVSEFH:SKcR4mjD9r823FH

Score
7/10
persistencespywarestealerupx

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • UPX packed file 7 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Drops file in Windows directory 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\64d4af8e93ee1377d86e6992dda4c7b8.exe
    "C:\Users\Admin\AppData\Local\Temp\64d4af8e93ee1377d86e6992dda4c7b8.exe"
    1⤵
    • Adds Run key to start application
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1748
    • C:\Windows\CTS.exe
      "C:\Windows\CTS.exe"
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      PID:4688
  • C:\Windows\system32\rundll32.exe
    "C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.VCLibs.140.00_8wekyb3d8bbwe
    1⤵
      PID:4904
    • C:\Windows\System32\svchost.exe
      C:\Windows\System32\svchost.exe -k UnistackSvcGroup
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:556

    Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\excel.exe_Rules.xml
            Filesize

            352KB

            MD5

            201c600142b37eb41d138c3bd5e9392c

            SHA1

            4ea36ef219160c86b89c7cf5ec5005ad51c97fb1

            SHA256

            7f770c25a37fc074a7790a3a159c3c38cefc6c8574246d505e494fa613dcf1fc

            SHA512

            d4c0b29d4331ffd1e070df789ac1e75befa829a8509899d8fca7023b9bbe1f02ed49f0bf57f72894aa13ed3b9e265a2ca2a078e6b786dc9b2361d50721803b37

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\M9icK2JtCWEsL9P.exe
            Filesize

            29KB

            MD5

            3499b7950ec4c8b128cae6cfe71beb92

            SHA1

            19fa9d87fb08a40b0a0d87f9d5aff86615397d32

            SHA256

            e2f5ea0f1796ddcb1a5b30a584efc772ab1cf75cf8975adac980fb6bf343609e

            SHA512

            57eb9d497c8c8f58db13941ccf847c8582bfeecde6ceb75e4b4993deac4106fb8e10d2e6d020099a19316b7eb7996a3514c30349d6cdef6edcaf180fe63009f4

            Download Submit

          • C:\Windows\CTS.exe
            Filesize

            29KB

            MD5

            70aa23c9229741a9b52e5ce388a883ac

            SHA1

            b42683e21e13de3f71db26635954d992ebe7119e

            SHA256

            9d25cc704b1c00c9d17903e25ca35c319663e997cb9da0b116790b639e9688f2

            SHA512

            be604a2ad5ab8a3e5edb8901016a76042ba873c8d05b4ef8eec31241377ec6b2a883b51c6912dc7640581ffa624547db334683975883ae74e62808b5ae9ab0b5

            Download Submit

          • memory/556-77-0x0000016D3C450000-0x0000016D3C451000-memory.dmp

            Filesize

            4KB

            Download

          • memory/556-45-0x0000016D34040000-0x0000016D34050000-memory.dmp

            Filesize

            64KB

            Download

          • memory/556-61-0x0000016D34140000-0x0000016D34150000-memory.dmp

            Filesize

            64KB

            Download

          • memory/556-79-0x0000016D3C480000-0x0000016D3C481000-memory.dmp

            Filesize

            4KB

            Download

          • memory/556-80-0x0000016D3C480000-0x0000016D3C481000-memory.dmp

            Filesize

            4KB

            Download

          • memory/556-81-0x0000016D3C590000-0x0000016D3C591000-memory.dmp

            Filesize

            4KB

            Download

          • memory/1748-7-0x00000000006B0000-0x00000000006C7000-memory.dmp

            Filesize

            92KB

            Download

          • memory/1748-0-0x00000000006B0000-0x00000000006C7000-memory.dmp

            Filesize

            92KB

            Download

          • memory/4688-8-0x0000000000AB0000-0x0000000000AC7000-memory.dmp

            Filesize

            92KB

            Download

          • memory/4688-33-0x0000000000AB0000-0x0000000000AC7000-memory.dmp

            Filesize

            92KB

            Download