Overview

overview

7

Static

static

7

78f5b8a688...95.exe

windows7-x64

7

78f5b8a688...95.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    141s
  • max time network
    147s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231222-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
  • submitted
    27/01/2024, 01:47

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    78f5b8a688028b7c6b38e0a0ba717895.exe

  • Size

    124KB

  • MD5

    78f5b8a688028b7c6b38e0a0ba717895

  • SHA1

    3c7a2cd2092e8373d2999ad5f925217e7a80b3c4

  • SHA256

    188b8b0b5d4245b41cda82e0ad3accddcbb4b38559301f99466faebe72551c0f

  • SHA512

    0bb43090e994b1247704f097f52c000670d76ebd1f7f56aa9d7d090bc7833d640bae90bc24b614ad32d74f1567f9b622f5792f35efb093709224b7341f80900d

  • SSDEEP

    3072:SKcWmjRrz3C94WV4AuZQH1B3imCMPLoJ/RXHfNf:hGmV4TZQLymCMcNRXHfJ

Score
7/10
persistencespywarestealerupx

Malware Config

Signatures

  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • UPX packed file 5 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Drops file in Windows directory 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 5 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\78f5b8a688028b7c6b38e0a0ba717895.exe
    "C:\Users\Admin\AppData\Local\Temp\78f5b8a688028b7c6b38e0a0ba717895.exe"
    1⤵
    • Adds Run key to start application
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1028
    • C:\Windows\CTS.exe
      "C:\Windows\CTS.exe"
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      PID:2372
    • C:\Users\Admin\AppData\Local\Temp\rKCLCrqRNV9nOiU.exe
      C:\Users\Admin\AppData\Local\Temp\rKCLCrqRNV9nOiU.exe
      2⤵
      • Executes dropped EXE
      PID:4360

Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\excel.exe_Rules.xml
          Filesize

          352KB

          MD5

          3c581b2ab014ca99a9bf0b33c0e37bd4

          SHA1

          b338a2c9a09f500e23f5bde496982190ec2f4256

          SHA256

          2993a37b6a169da3a3fc7eeef87954c300867c0859a377737ada679b185445dc

          SHA512

          deedc11531d8b37b09d7c4d9c4184602c95dc9fe190099f2f06077e7fe931ab404faaba0cbdca9e16e459d72a81108087dbd8fef9c6cd6859e0a62725701d09e

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\rKCLCrqRNV9nOiU.exe
          Filesize

          94KB

          MD5

          9a821d8d62f4c60232b856e98cba7e4f

          SHA1

          4ec5dcbd43ad3b0178b26a57b8a2f41e33a48df5

          SHA256

          a5b3bf53bcd3c0296498383837e8f9eb7d610c535521315a96aa740cf769f525

          SHA512

          1b5273a52973dac77ad0ef7aa1dda929a782d762ab8489eb90dff1062dd4cc01e4f7f4157266a2abcf8941e91cf4aa5603de1dd8ee871524748e0989ebaa37d3

          Download Submit

        • C:\Windows\CTS.exe
          Filesize

          29KB

          MD5

          70aa23c9229741a9b52e5ce388a883ac

          SHA1

          b42683e21e13de3f71db26635954d992ebe7119e

          SHA256

          9d25cc704b1c00c9d17903e25ca35c319663e997cb9da0b116790b639e9688f2

          SHA512

          be604a2ad5ab8a3e5edb8901016a76042ba873c8d05b4ef8eec31241377ec6b2a883b51c6912dc7640581ffa624547db334683975883ae74e62808b5ae9ab0b5

          Download Submit

        • memory/1028-0-0x0000000000F10000-0x0000000000F27000-memory.dmp

          Filesize

          92KB

          Download

        • memory/1028-9-0x0000000000F10000-0x0000000000F27000-memory.dmp

          Filesize

          92KB

          Download

        • memory/2372-10-0x00000000005A0000-0x00000000005B7000-memory.dmp

          Filesize

          92KB

          Download