Analysis

  • max time kernel
    140s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240215-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240215-en, locale:en-us, os:windows7-x64, system
  • submitted
    24-02-2024 14:57

General

  • Target

    a2225205742586130c18d1f65e2688d0.exe

  • Size

    369KB

  • MD5

    a2225205742586130c18d1f65e2688d0

  • SHA1

    59e5c184419736a9a05e63ab574f6db422573037

  • SHA256

    300e447312373cb4ed1dbfab0b84a49ef7da51697a9e289441900177087dfd56

  • SHA512

    cf575794cc7e7633bab5a4559cbad51327b10100dcaeddce7e8dca469689d06fbc636a822ddb92e90ccd46a5f1f17ceed86397296ec4f51daea306116e88b322

  • SSDEEP

    6144:/PtDM7Wr7HeWjgkRbMJ401RNocTNhrERPu0onIPdb9uPoBJn0EMy2BRsrEk0l6oA:/I7WXR4PRbTwRm0vFwwBJn0EMyMRsQkV

Malware Config

Signatures

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials and other secrets kept in the browser profile.

  • UPX packed file 4 IoCs

    Detects executables packed with the open-source UPX packer or a modified UPX variant.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Drops file in Windows directory 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a2225205742586130c18d1f65e2688d0.exe
    "C:\Users\Admin\AppData\Local\Temp\a2225205742586130c18d1f65e2688d0.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2832
    • C:\Users\Admin\AppData\Local\Temp\dlyg6hcb1D1j04L.exe
      C:\Users\Admin\AppData\Local\Temp\dlyg6hcb1D1j04L.exe
      2⤵
      • Executes dropped EXE
      PID:2912
    • C:\Windows\CTS.exe
      "C:\Windows\CTS.exe"
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      PID:2944

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\dlyg6hcb1D1j04L.exe

    Filesize

    369KB

    MD5

    399ebd519b184de9e670755b253ed9fa

    SHA1

    dbaeca744125d4f203ea22388189fcbc66586714

    SHA256

    c798ebc9ac8c48561d6776118ad0b9a36ec10d67bc0bfb386bf24ddd434dd72b

    SHA512

    902dff9fc255015ccbd658b36ce4fb67bc4271ff2abf7fe92c907ec0b6cc6c21f92e100941e0ea68fa056b4bba5c7f92911f6a0c66e7fdf08d536bf88c7a599a

  • C:\Windows\CTS.exe

    Filesize

    35KB

    MD5

    93e5f18caebd8d4a2c893e40e5f38232

    SHA1

    fd55c4e6bcd108bce60ea719c06dc9c4d0adafa6

    SHA256

    a66c4b98becac2f69cb107cd087d7a2ca9ef511bc3b83367b1f440f11dd159a8

    SHA512

    986583610d27caae2080834301d072557c5d2c85e33f0d19ab1245d7eae8db146397461572ddb3d491be16f3af210720d54267dac838fdad8fe34afa3d6b7f54

  • \Users\Admin\AppData\Local\Temp\dlyg6hcb1D1j04L.exe

    Filesize

    334KB

    MD5

    f310d4e936b68a5d76b7b808507e99f9

    SHA1

    6dccf493508f97212688413bec28f86befbff8e2

    SHA256

    58b7e175725ddf68a7a6c891889daaa3b7d4f90c14bfcff287cb3336cbd7da60

    SHA512

    daead56dfdd7b4a7a8fabdc6e12144273aae244aa90817d76281e5a7414e3f07ca2761f481bda91a47fc3c1c911ff1783e7421e566e3b3fc59b443de141d9e5d

  • memory/2832-1-0x0000000001070000-0x0000000001087000-memory.dmp

    Filesize

    92KB

  • memory/2832-15-0x0000000000080000-0x0000000000097000-memory.dmp

    Filesize

    92KB

  • memory/2832-12-0x0000000000080000-0x0000000000097000-memory.dmp

    Filesize

    92KB

  • memory/2832-11-0x0000000001070000-0x0000000001087000-memory.dmp

    Filesize

    92KB

  • memory/2832-22-0x0000000000080000-0x0000000000097000-memory.dmp

    Filesize

    92KB

  • memory/2944-16-0x0000000000370000-0x0000000000387000-memory.dmp

    Filesize

    92KB