Overview

overview

7

Static

static

7

b79cd78bf2...72.exe

windows7-x64

7

b79cd78bf2...72.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    143s
  • max time network
    125s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    06-03-2024 14:19

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    b79cd78bf2260f39ce8783f622c1d072.exe

  • Size

    35KB

  • MD5

    b79cd78bf2260f39ce8783f622c1d072

  • SHA1

    9c73fb3ec734e9f56edc0d224a1af5905b5048d6

  • SHA256

    6d48a4399aafabf4110a0b624ff21cea51616a6e4ec35c70a762a1b7250e373f

  • SHA512

    7c9f965f9b250d6039f227ebc60adcadc89f3f9fc6a450552764a58534bb18cfbe05157bec770e59ad1c6fb26f1e4c52750ee39b82e827c85f60289932dc6015

  • SSDEEP

    768:X8Q2ZDX3LKew369lp2z3Sd4baFXLjwP/Tgj93b8NIom46+Is:s9Z3KcR4mjD9r8226+F

Score
7/10
persistencespywarestealerupx

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • UPX packed file 7 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Drops file in Windows directory 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b79cd78bf2260f39ce8783f622c1d072.exe
    "C:\Users\Admin\AppData\Local\Temp\b79cd78bf2260f39ce8783f622c1d072.exe"
    1⤵
    • Adds Run key to start application
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:728
    • C:\Windows\CTS.exe
      "C:\Windows\CTS.exe"
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      PID:2392

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\excel.exe_Rules.xml
    Filesize

    358KB

    MD5

    74437a89a97a09383513e9896507335b

    SHA1

    765b4ef3aaa66388cb76807d0a6d67814e15631a

    SHA256

    11c9d1e97db94ea2935e57929cf615bb68f549a556ab9f4ed444691b2a647ae1

    SHA512

    9db1eab51aa82a5d622893a0cb2603a607d9e1e3a7cdded4156376d44e4aed702dffd74a9e235257cd0f6c016ad022d3d9f464529b991529e7e311a15c7c58e3

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\s1deLtA1NxGSWlb.exe
    Filesize

    35KB

    MD5

    06c2d11b4b3fbc0a23bdc8458405c73b

    SHA1

    45a785f2200472337fc26199589d35c88694b884

    SHA256

    44bef6974b2184f0dc5d2aa28db877131739696de05f58a1aa3052386d221f30

    SHA512

    0182bd196dabc53e557f289e030073213fd6c167124349aa9ab53809820e7dc63a33e99ec47d757a0371c066ca917c9ed57b3fae0a7a666cbdc6d35afec1a703

    Download Submit

  • C:\Windows\CTS.exe
    Filesize

    35KB

    MD5

    93e5f18caebd8d4a2c893e40e5f38232

    SHA1

    fd55c4e6bcd108bce60ea719c06dc9c4d0adafa6

    SHA256

    a66c4b98becac2f69cb107cd087d7a2ca9ef511bc3b83367b1f440f11dd159a8

    SHA512

    986583610d27caae2080834301d072557c5d2c85e33f0d19ab1245d7eae8db146397461572ddb3d491be16f3af210720d54267dac838fdad8fe34afa3d6b7f54

    Download Submit

  • memory/728-0-0x0000000000310000-0x0000000000327000-memory.dmp

    Filesize

    92KB

    Download

  • memory/728-6-0x0000000000310000-0x0000000000327000-memory.dmp

    Filesize

    92KB

    Download

  • memory/2392-8-0x0000000000E10000-0x0000000000E27000-memory.dmp

    Filesize

    92KB

    Download

  • memory/2392-32-0x0000000000E10000-0x0000000000E27000-memory.dmp

    Filesize

    92KB

    Download