b97c99f271cb2d218762fe38061ac11774f5135d95bf8945e4d45dbd60e69d57

Analysis

max time kernel
119s
max time network
125s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
25-01-2024 16:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

74f5550fe4a304944f614d859e3e7004.exe
Size

250KB
MD5

74f5550fe4a304944f614d859e3e7004
SHA1

b53a9617b8e00dabbcb10f7592201f09f8828897
SHA256

b97c99f271cb2d218762fe38061ac11774f5135d95bf8945e4d45dbd60e69d57
SHA512

5c7acdbb3c4ef6435d60b4026ca751ed58c074cb9d1edee08e6d8a53d3611b14cd8f3a7eda798e924bc4f9f73438120ae55749fa21d058de37ff127ef898d258
SSDEEP

6144:BJeIKwbHlRIVao7OtIgV9cwfyGBaPihEiWg8jnCV7pQVRp+mfsg6:zNLIVao7XgV9cwfboiui7uCV7eRpp56

Score

7^/10

spyware stealer upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

3.exe

pid process

2468 3.exe
Loads dropped DLL 2 IoCs

Processes:

74f5550fe4a304944f614d859e3e7004.exe

pid process

828 74f5550fe4a304944f614d859e3e7004.exe
828 74f5550fe4a304944f614d859e3e7004.exe
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
2468	3.exe

pid	process
828	74f5550fe4a304944f614d859e3e7004.exe
828	74f5550fe4a304944f614d859e3e7004.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/828-0-0x0000000000400000-0x00000000004B2000-memory.dmp	upx
behavioral1/memory/828-12-0x0000000000400000-0x00000000004B2000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

74f5550fe4a304944f614d859e3e7004.exe

description	pid	process	target process
PID 828 wrote to memory of 2468	828	74f5550fe4a304944f614d859e3e7004.exe	3.exe
PID 828 wrote to memory of 2468	828	74f5550fe4a304944f614d859e3e7004.exe	3.exe
PID 828 wrote to memory of 2468	828	74f5550fe4a304944f614d859e3e7004.exe	3.exe
PID 828 wrote to memory of 2468	828	74f5550fe4a304944f614d859e3e7004.exe	3.exe

C:\Users\Admin\AppData\Local\Temp\74f5550fe4a304944f614d859e3e7004.exe
"C:\Users\Admin\AppData\Local\Temp\74f5550fe4a304944f614d859e3e7004.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:828

C:\Users\Admin\AppData\Roaming\3.exe
"C:\Users\Admin\AppData\Roaming\3.exe"
2⤵
- Executes dropped EXE
PID:2468

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\3.exe
Filesize
64KB

MD5
0cdd88da0518baa38dbc64cdf0d58d3b

SHA1
a2cf28a9887e8f8f470726336393facd4d1692a3

SHA256
e54fb011fe1c603f5951b87252ae2fa31a44cd109b49ded765eeacf14232c32c

SHA512
3f81d3343c42c79218270fd5b6ad0c93a0df36fe6d6e3f30fdeb336296ea6278bc9dd3562bd2efd0f8dfc32448b6090af15c69a9537ccd7d07f1ad9c0272c4a7

Download Submit
C:\Users\Admin\AppData\Roaming\3.exe
Filesize
190KB

MD5
7503edeaf4d14bc163816dba96e4ac84

SHA1
8f7dd9410172735d2f80b342bf58cd2591bc8867

SHA256
2b5a469bd682378651b1c097864b67bfba6c0db81621c129b96bbfc1d761216b

SHA512
b8a8f8859e46c80f9301bcb9290d260ce03ff7550044c4ad9e096dd55606acf058a57d326f36a22a5038fca94f17265384e4478a9bb29202b804e52463d2e552

Download Submit
\Users\Admin\AppData\Roaming\3.exe
Filesize
344KB

MD5
3dc0297d7b73ebd1e539bf0a9c2683d5

SHA1
656ab0f04c78535abf603a406ab1669af4896f78

SHA256
22c43e3be6002557aa21246fccfc551f34e5d8c661cd43bfcf01e07d1d624537

SHA512
ee76a5fde06f9038d7dc6f850291c7ac80765bc4e0f07ec171a50452d7dc8b97679808db120473b3ff87146fe6cbb0d274d89aadd8524513b6673eb0d80edf3e

Download Submit
memory/828-0-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/828-12-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download