Analysis

  • max time kernel
    142s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags
    arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
  • submitted
    19/01/2024, 21:04

General

  • Target

    68a2b5fbaf47a4233e11a9d0451da56e.exe

  • Size

    279KB

  • MD5

    68a2b5fbaf47a4233e11a9d0451da56e

  • SHA1

    f954699b281b2637a6eb067a73f7a4910145564e

  • SHA256

    e554ff8040da714063734dc2926e89e8efc2675a567026581c137f447260eed0

  • SHA512

    cbacd2d13a40efe58872b2e54ce6fcbab13c9b427b64b5f66b3cdad6e83f51c24cf281f66f8f77d6c2309b747eecf6e29b1517c661d4665a2324e7acbfbe0bd6

  • SSDEEP

    6144:ZeTFL7AAK0D9ZrKeGaOeDKAZZtWlLFpnKOzWKPAAQ2o5dy5d6x:ZwpK0bfGWJDtWnh9eAQ20X

Malware Config

Signatures

  • Modifies security service 2 TTPs 1 IoCs
  • Disables taskbar notifications via registry modification
  • Modifies Installed Components in the registry 2 TTPs 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • UPX packed file 7 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Drops file in Program Files directory 3 IoCs
  • Modifies registry class 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 14 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 15 IoCs
  • Suspicious use of FindShellTrayWindow 28 IoCs
  • Suspicious use of SendNotifyMessage 18 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • System policy modification 1 TTPs 2 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\68a2b5fbaf47a4233e11a9d0451da56e.exe
    "C:\Users\Admin\AppData\Local\Temp\68a2b5fbaf47a4233e11a9d0451da56e.exe"
    1⤵
    • Modifies security service
    • Loads dropped DLL
    • Adds Run key to start application
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:2220
    • C:\Users\Admin\AppData\Local\Temp\68a2b5fbaf47a4233e11a9d0451da56e.exe
      C:\Users\Admin\AppData\Local\Temp\68a2b5fbaf47a4233e11a9d0451da56e.exe startC:\Users\Admin\AppData\Roaming\37A09\F970A.exe%C:\Users\Admin\AppData\Roaming\37A09
      2⤵
      PID:2964
    • C:\Users\Admin\AppData\Local\Temp\68a2b5fbaf47a4233e11a9d0451da56e.exe
      C:\Users\Admin\AppData\Local\Temp\68a2b5fbaf47a4233e11a9d0451da56e.exe startC:\Program Files (x86)\09C2A\lvvm.exe%C:\Program Files (x86)\09C2A
      2⤵
      PID:2300
    • C:\Program Files (x86)\LP\0AA3\D826.tmp
      "C:\Program Files (x86)\LP\0AA3\D826.tmp"
      2⤵
      • Executes dropped EXE
      PID:1480
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2808
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Modifies Installed Components in the registry
    • Modifies registry class
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:1476

Network

MITRE ATT&CK Enterprise v15


Downloads

      • C:\Users\Admin\AppData\Roaming\37A09\9C2A.7A0

        Filesize

        1KB

        MD5

        fd473b3424e7d72a7bbaf17e48028936

        SHA1

        d67663db26d92b1773b30908dd56981c392815bb

        SHA256

        3a07dbf6cbf52d19c075af15d956bf6fe71371539afebc4c15084e5998852e1b

        SHA512

        66d08f8cfd7b5b696f584d3613cefc241da0aa292aca6f7d6eb3fc228cc7fe39711306c64b5f5e67a500e7713860121a4dd9a11a494ea48c38b77c5ea9e7f938

      • C:\Users\Admin\AppData\Roaming\37A09\9C2A.7A0

        Filesize

        600B

        MD5

        187a7f71a938c44ef676752790e5ca53

        SHA1

        5ea38a02e6e4a700d2ea2d0ee44b3f92f53001d3

        SHA256

        027ce7c73729aa8323c96f54690cad905c50ab796e18c5ccece165f886f19c53

        SHA512

        61727cc1c1333bf4cf9e188afe843e37f3f854341ee7da17c27a2288e6820f8b925324d8324ade1cf532df393c623cad08793a2fd9dca6b1d22f5eb90b27343d

      • C:\Users\Admin\AppData\Roaming\37A09\9C2A.7A0

        Filesize

        1KB

        MD5

        d4a0a021d012f2a09e63700c0ef7568d

        SHA1

        b28f3a443cb193f9062c454da38642ab88becc70

        SHA256

        1add7377e1977fb819952e3da1e12c1c4f0d8ddc5436454fc809180fafb7f8dd

        SHA512

        492f3fbc06a3f3d968eaab86dd57dde93587c20c8e03a9bdd5fd7daf6638ad7b0d1e46225419f4ebd758226a184418329e1a00105b5e1c0951731cee76d6911b

      • C:\Users\Admin\AppData\Roaming\37A09\9C2A.7A0

        Filesize

        996B

        MD5

        1ba8a6da6e0219cc1d659d0c839bfa09

        SHA1

        027e0fb1e7ee8578881b63b535132cba15daa329

        SHA256

        bbb1d5f9be2a636c5101abc8032049e2176d45f07f9c10940abd7a0516e83343

        SHA512

        6e62617ba83c40120240e7d7b0849ea81e2c1bea9e135cfca7e9b322759773de2be43ebc1aa4d2f7841bf7bd99d6d4ba432e5b4cbc739ce168f156005a97a9a4

      • \Program Files (x86)\LP\0AA3\D826.tmp

        Filesize

        97KB

        MD5

        f1dc7cf1cc0a34caaf5a8ccca9d01787

        SHA1

        98cd26168c49e0ede4ed8b9ca7cc028e8312ed25

        SHA256

        9fe17ce1615530fe95840eb575a7208f44c3291a5211d86428adb2a289514165

        SHA512

        d8b4e91b06a46aa5f9ae10307e5e3340ae9bacc6453d3dfcbf0f3585cfb7f339ed46a4ed63da03051832d69d1fb34c0aadd6096a095ed436d8fe799896759c00

      • memory/1476-212-0x0000000004250000-0x0000000004251000-memory.dmp

        Filesize

        4KB

      • memory/1476-206-0x0000000004250000-0x0000000004251000-memory.dmp

        Filesize

        4KB

      • memory/1480-169-0x0000000000400000-0x000000000041C000-memory.dmp

        Filesize

        112KB

      • memory/1480-207-0x0000000000400000-0x000000000041C000-memory.dmp

        Filesize

        112KB

      • memory/1480-170-0x0000000000540000-0x0000000000640000-memory.dmp

        Filesize

        1024KB

      • memory/2220-84-0x0000000000400000-0x000000000046A000-memory.dmp

        Filesize

        424KB

      • memory/2220-85-0x0000000001CC0000-0x0000000001DC0000-memory.dmp

        Filesize

        1024KB

      • memory/2220-213-0x0000000000400000-0x000000000046A000-memory.dmp

        Filesize

        424KB

      • memory/2220-2-0x0000000001CC0000-0x0000000001DC0000-memory.dmp

        Filesize

        1024KB

      • memory/2220-15-0x0000000000400000-0x000000000046A000-memory.dmp

        Filesize

        424KB

      • memory/2220-168-0x0000000000400000-0x000000000046A000-memory.dmp

        Filesize

        424KB

      • memory/2220-1-0x0000000000400000-0x000000000046A000-memory.dmp

        Filesize

        424KB

      • memory/2300-83-0x0000000000400000-0x000000000046A000-memory.dmp

        Filesize

        424KB

      • memory/2300-81-0x0000000000400000-0x000000000046A000-memory.dmp

        Filesize

        424KB

      • memory/2300-82-0x0000000001DC0000-0x0000000001EC0000-memory.dmp

        Filesize

        1024KB

      • memory/2964-13-0x0000000000400000-0x000000000046A000-memory.dmp

        Filesize

        424KB

      • memory/2964-14-0x0000000001BC0000-0x0000000001C07000-memory.dmp

        Filesize

        284KB