Overview

overview

7

Static

static

7

9818150941...f0.exe

windows7-x64

7

9818150941...f0.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    122s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
  • submitted
    13/02/2024, 01:10

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    9818150941def9842a1b3c98e4794ef0.exe

  • Size

    112KB

  • MD5

    9818150941def9842a1b3c98e4794ef0

  • SHA1

    83e17140a74df518d59b48b5842d743afde6f8be

  • SHA256

    cf342712ac75824579780abdb0e12d7ba9e3d8e93f311e0f3dd5b35f73a6bbc3

  • SHA512

    5e156ae52cd2511055086dfecf93240ef1835839bc2683aeea8fd35089f2ad55da660f8de701fdf9f02bae42afd36dd437323a8612532aab3973a063e23469de

  • SSDEEP

    1536:UcNjQlsWjcd+xzl7SM+Gn8255NeoVKcR4mjD9r823Fl:Xjr87S7Gnz55EoVKcWmjRrz3L

Score
7/10
persistencespywarestealerupx

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • UPX packed file 5 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Drops file in Windows directory 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\9818150941def9842a1b3c98e4794ef0.exe
    "C:\Users\Admin\AppData\Local\Temp\9818150941def9842a1b3c98e4794ef0.exe"
    1⤵
    • Adds Run key to start application
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2108
    • C:\Windows\CTS.exe
      "C:\Windows\CTS.exe"
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      PID:3048

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\23Sxu1Awxt4TZHs.exe
    Filesize

    112KB

    MD5

    d7270db30a01e708e87a407d6ce37f06

    SHA1

    bc0e63da4d7b1b8924a78677f969df2ed1bb51a6

    SHA256

    7835cd4899b7c67368548cdaaf45e579d53f18e9708bdc20956a971e527309a8

    SHA512

    5ae138fdae5ecb2049e1905d1ca5cd2cc004eb5561080049c7c9243ed979e227b7b3b04e3b9a7567e7429f8c76d5dd510ee2badfa3e71d6e50bf75125adc351b

    Download Submit

  • C:\Windows\CTS.exe
    Filesize

    112KB

    MD5

    5dfd082c2449338733617d2b925e5f01

    SHA1

    e214b88aeeb65e5aff724355d958fb4d30d86181

    SHA256

    23f33569da55f7d02da96b7aa6a3d911937118cfff940aa0fc43de644d15dc7b

    SHA512

    7f8303f7f69827c8fe2b2f12d91ad12860b50665d3c981bf2a5bd6c3e0ecc950b4d2f5312d3fd3ae2a7657baefee7ceded0e574a99d86ef6a3f9fac695127f6e

    Download Submit

  • memory/2108-0-0x00000000012C0000-0x00000000012D9000-memory.dmp

    Filesize

    100KB

    Download

  • memory/2108-8-0x00000000012C0000-0x00000000012D9000-memory.dmp

    Filesize

    100KB

    Download

  • memory/3048-11-0x0000000000840000-0x0000000000859000-memory.dmp

    Filesize

    100KB

    Download