1e0e3286fc42990da65ebb86e421a41f020f750a657d1257e221f7d2e19d5430

Analysis

max time kernel
119s
max time network
120s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
25-01-2024 17:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

751aa92eb84f2498cff9054af3cd3646.exe
Size

936KB
MD5

751aa92eb84f2498cff9054af3cd3646
SHA1

bf75b832f192821ce890ee87ccc4d71d48d7eec2
SHA256

1e0e3286fc42990da65ebb86e421a41f020f750a657d1257e221f7d2e19d5430
SHA512

cbe4c36e4420086cda17f17a78258cceb0a508ad422d3f345d0580c8993394fa3856b32f12e534db4f101f967d1a781d8f59720c387e0995699cb45a81beec88
SSDEEP

24576:59GgrW1jF6aD6buUlyxMd+BmK5CXJ9D2ND:7GJtSByySmeCZc

Score

7^/10

persistence spyware stealer upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
788	Run32.exe
568	Run32.exe

Loads dropped DLL 6 IoCs

pid	Process
1384	751aa92eb84f2498cff9054af3cd3646.exe
1384	751aa92eb84f2498cff9054af3cd3646.exe
1384	751aa92eb84f2498cff9054af3cd3646.exe
1384	751aa92eb84f2498cff9054af3cd3646.exe
1384	751aa92eb84f2498cff9054af3cd3646.exe
788	Run32.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 14 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1384-0-0x0000000000400000-0x0000000000D7F000-memory.dmp	upx
behavioral1/files/0x000e00000001224d-32.dat	upx
behavioral1/files/0x000e00000001224d-30.dat	upx
behavioral1/files/0x000e00000001224d-34.dat	upx
behavioral1/files/0x000e00000001224d-27.dat	upx
behavioral1/files/0x000e00000001224d-24.dat	upx
behavioral1/memory/1384-36-0x0000000000400000-0x0000000000D7F000-memory.dmp	upx
behavioral1/memory/788-38-0x0000000000400000-0x0000000000D7F000-memory.dmp	upx
behavioral1/files/0x000e00000001224d-22.dat	upx
behavioral1/files/0x000e00000001224d-20.dat	upx
behavioral1/memory/788-59-0x0000000000400000-0x0000000000D7F000-memory.dmp	upx
behavioral1/files/0x000e00000001224d-57.dat	upx
behavioral1/files/0x000e00000001224d-42.dat	upx
behavioral1/files/0x000e00000001224d-41.dat	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Run\Run32.dll = "C:\\Users\\Admin\\AppData\\Roaming\\Run32.exe"	reg.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 788 set thread context of 568	788	Run32.exe	32

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1384	751aa92eb84f2498cff9054af3cd3646.exe
788	Run32.exe

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 1384 wrote to memory of 1992	1384	751aa92eb84f2498cff9054af3cd3646.exe	28
PID 1384 wrote to memory of 1992	1384	751aa92eb84f2498cff9054af3cd3646.exe	28
PID 1384 wrote to memory of 1992	1384	751aa92eb84f2498cff9054af3cd3646.exe	28
PID 1384 wrote to memory of 1992	1384	751aa92eb84f2498cff9054af3cd3646.exe	28
PID 1992 wrote to memory of 604	1992	cmd.exe	30
PID 1992 wrote to memory of 604	1992	cmd.exe	30
PID 1992 wrote to memory of 604	1992	cmd.exe	30
PID 1992 wrote to memory of 604	1992	cmd.exe	30
PID 1384 wrote to memory of 788	1384	751aa92eb84f2498cff9054af3cd3646.exe	31
PID 1384 wrote to memory of 788	1384	751aa92eb84f2498cff9054af3cd3646.exe	31
PID 1384 wrote to memory of 788	1384	751aa92eb84f2498cff9054af3cd3646.exe	31
PID 1384 wrote to memory of 788	1384	751aa92eb84f2498cff9054af3cd3646.exe	31
PID 788 wrote to memory of 568	788	Run32.exe	32
PID 788 wrote to memory of 568	788	Run32.exe	32
PID 788 wrote to memory of 568	788	Run32.exe	32
PID 788 wrote to memory of 568	788	Run32.exe	32
PID 788 wrote to memory of 568	788	Run32.exe	32
PID 788 wrote to memory of 568	788	Run32.exe	32
PID 788 wrote to memory of 568	788	Run32.exe	32
PID 788 wrote to memory of 568	788	Run32.exe	32
PID 788 wrote to memory of 568	788	Run32.exe	32
PID 788 wrote to memory of 568	788	Run32.exe	32

C:\Users\Admin\AppData\Local\Temp\751aa92eb84f2498cff9054af3cd3646.exe
"C:\Users\Admin\AppData\Local\Temp\751aa92eb84f2498cff9054af3cd3646.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1384
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\ZhIYf.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1992
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Run32.dll" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Run32.exe" /f
    3⤵
    - Adds Run key to start application
    PID:604
- C:\Users\Admin\AppData\Roaming\Run32.exe
  "C:\Users\Admin\AppData\Roaming\Run32.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:788
- - C:\Users\Admin\AppData\Roaming\Run32.exe
    C:\Users\Admin\AppData\Roaming\Run32.exe
    3⤵
    - Executes dropped EXE
    PID:568

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ZhIYf.bat

Filesize
134B

MD5
52dd81881fa3a9e2f376bb73bde15b00

SHA1
9440375fb9fb0368f982754f76e2efd295b25463

SHA256
a937077f0e234149b1e15e413d33c9f55ad3f427be87d806719c96b3b95209a2

SHA512
80c8f687f6c58bd0549c29e7df64fa5585fa877ac5505a72772ba0cae44b01397bd4e2c217681f8662ea5aff69f115c3fbc306c6b1c3e33d9089aa4f887d2fb0

Download Submit
C:\Users\Admin\AppData\Roaming\Run32.exe

Filesize
419KB

MD5
ee13bf6bc5c8dd82d3fb2eeeb1ae9a67

SHA1
f93996088bae22f14ef95277d6a8d0dc42fdb7a6

SHA256
70e185ac5c3d40ce101cd970b107b58301fd41616a33c9272957f487180127f0

SHA512
18624dd928dc499a1b49a852d8a466e8dc89b5657ed23a79482d4d676fd5013ee45dd977d1542841bd2dfddbba01cb59e74323a96df9ce3921754c533ac0ac84

Download Submit
C:\Users\Admin\AppData\Roaming\Run32.exe

Filesize
447KB

MD5
aa5aadde287e80753b67e2ff27ce55c9

SHA1
98e8a1e05abdac9cc89217121823f973f150c750

SHA256
374fe94ed51b640595a661c6f83d5f6d2fe27483175cc7c19ec031a2744a634b

SHA512
50d485a2ff5c3825e8c0f81b36e6bbd7fbc43f0d87c7b6526e18f3552c7114a20e329f929fbbd3cb85adda80db79441d62988e999fd9500228cdb3edf12cfe62

Download Submit
C:\Users\Admin\AppData\Roaming\Run32.exe

Filesize
417KB

MD5
26f4a380192b5057e219984b5ef0ecc5

SHA1
368d26ac93a1aafdac8ef8ddef4c89ce5831628f

SHA256
75371d37a308b053488ffdbbff64fbb22bc20b09e089790a02df67024bb1694a

SHA512
9ac36eb963d53867d668bc6956e5d8f1aa7fb0060b182ea5b57c403d6b853c8517f2b72c7492fbf7e124a2add124551f97eb5825b4ce6be3f0f3893947ef8891

Download Submit
C:\Users\Admin\AppData\Roaming\Run32.exe

Filesize
292KB

MD5
7e92ed538007f8e30873eeccfff329e6

SHA1
14ed4bcadc0be9b428c8766ad6b40681dfbf97cf

SHA256
68f988e14b27658877dfc5c77c286637a6bd765594a21fe5a5c8d23558a6c74f

SHA512
8eefd0ecf75dfbda3c1ff9bdd06a54ec20cfea3928a186f35fede5abf758c969b537c07d28997ae6fc081bfc1f2dfb3bbf4d30cba6b787ddb4d479c802fd89f1

Download Submit
\Users\Admin\AppData\Roaming\Run32.exe

Filesize
445KB

MD5
d868d887dec0b91648debb6880685969

SHA1
00ad0eefab81b3e50baa34568f60aed5253127cf

SHA256
8773c08c41fe70fbde2b2477a54c77269536758ce10c4f08495de17919655ba1

SHA512
d0560813849489cccb06a5d2fb790a6fda003d3dcb62d6e78abcd5848845b29f462f8d9695ed223949e1708ddd4023a7bcd521c3134154fc51dff6eab5d79f7d

Download Submit
\Users\Admin\AppData\Roaming\Run32.exe

Filesize
427KB

MD5
5d922d4ecc9df366e33a41366d02a266

SHA1
dec24c10a4c7673ff504996246706f80b9df5410

SHA256
9d882de1a64f5374e1d680ab11999cd55a5bfd4ae1c059a787ed5cb635a8640c

SHA512
e2479292d9739e129c192b1a9a5d08d3b43c01110a085b36260b6043e3de73bb5a516fa8fd355ed4cda890f32c7bc72eb58676a2c58190b971be5f1b14ffeb3e

Download Submit
\Users\Admin\AppData\Roaming\Run32.exe

Filesize
529KB

MD5
8fd10bc211e653096e865ef8f36097b2

SHA1
18f95e3386e48aa86d2d692c0c9febac928dd3e1

SHA256
e9c982911ad06b790a572a1b75b842878c76e82fc1f1de5889c03cbe67cee04b

SHA512
3714808aef04a7814547a4eebe33a700bb37d60a2deafca4cbef6df21e72d0a7a95daa2a2208dd4d3037e5c43ae85f7f01895cd95a7b9ea3344ccddb7db62ad2

Download Submit
\Users\Admin\AppData\Roaming\Run32.exe

Filesize
421KB

MD5
4120c343367c1ec60fcd18961d9f11a8

SHA1
0e2b22aabc36cfa18d8164bdf73072fa86eabf62

SHA256
5aefe5c56da3bb05d400e9aeca8778f22b50c0303b6c2f926cef9e7086763512

SHA512
5a1d0cefce8ccd7bde79737337dd5e382cfc8ddfb45c524737abee5f42e611eef40cc7fbbac0e1ba073afb32a9ccb1f9ed855442283b9a1af8f5712d99c9b8c4

Download Submit
\Users\Admin\AppData\Roaming\Run32.exe

Filesize
373KB

MD5
0e47e97a234b780f936bb8054990bf8b

SHA1
a1cc432afda942beb3427d09705735b439169f5d

SHA256
3d6c99422bfe355d827e802b3a6d3af5912b04e28711c777471e1421e6fb3195

SHA512
dad485a50d022115db1d952caac97797e1a1dbef13fa14957bf5d4349e2f5dc9caf8a5839e10486b6797679c49dd515de5209565190f507b7b871b4c6e8ebfb0

Download Submit
\Users\Admin\AppData\Roaming\Run32.exe

Filesize
314KB

MD5
9e616b231bfed1229ff7f6aa21bc8bdd

SHA1
945ee78be00f854884033958667e805679e8141e

SHA256
88a5d17f1a60908bd5239b19b7b036904e7e23974f518bd23ba91ba19da4ddc0

SHA512
615effb16b9b3d49c93989ca05423c050575b01c77c184d07c4154da1fe047407e8a8979bdc91b33e4fb8a909fc8cf4d67376111687dbe37b64f7c24cd799f56

Download Submit
memory/568-49-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/568-45-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/568-47-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/568-43-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/568-52-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/568-65-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/568-61-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/568-60-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/568-56-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/568-54-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/788-59-0x0000000000400000-0x0000000000D7F000-memory.dmp

Filesize
9.5MB

Download
memory/788-50-0x00000000034B0000-0x0000000003E2F000-memory.dmp

Filesize
9.5MB

Download
memory/788-38-0x0000000000400000-0x0000000000D7F000-memory.dmp

Filesize
9.5MB

Download
memory/1384-37-0x00000000041C0000-0x0000000004B3F000-memory.dmp

Filesize
9.5MB

Download
memory/1384-0-0x0000000000400000-0x0000000000D7F000-memory.dmp

Filesize
9.5MB

Download
memory/1384-36-0x0000000000400000-0x0000000000D7F000-memory.dmp

Filesize
9.5MB

Download
memory/1384-35-0x00000000041C0000-0x0000000004B3F000-memory.dmp

Filesize
9.5MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads