Overview

overview

7

Static

static

7

b9eea739f9...47.exe

windows7-x64

7

b9eea739f9...47.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    140s
  • max time network
    125s
  • platform
    windows7_x64
  • resource
    win7-20240215-en
  • resource tags

    arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
  • submitted
    07/03/2024, 23:28

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    b9eea739f932294647908d7df42f9847.exe

  • Size

    35KB

  • MD5

    b9eea739f932294647908d7df42f9847

  • SHA1

    a0fd2e55b635809eed3f8747916ec0003ce14dad

  • SHA256

    30dfe76f996ac5c9d72ea37590a45ff6fe44ca41756efba116fd744e99dadb35

  • SHA512

    943d81d71058a8efc4e086d694cd034f10a83711daf601f9de56c8a0bd82430bd059f91e73cd3425a5a20399c8a328bae585fbd2709251da9fa9a2d4473fbf42

  • SSDEEP

    768:X8Q2ZDX3LKew369lp2z3Sd4baFXLjwP/Tgj93b8NIom46+Iyf:s9Z3KcR4mjD9r8226+1f

Score
7/10
persistencespywarestealerupx

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • UPX packed file 5 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Drops file in Windows directory 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b9eea739f932294647908d7df42f9847.exe
    "C:\Users\Admin\AppData\Local\Temp\b9eea739f932294647908d7df42f9847.exe"
    1⤵
    • Adds Run key to start application
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2328
    • C:\Windows\CTS.exe
      "C:\Windows\CTS.exe"
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      PID:320

Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\Hf8AJbq10JdIZsj.exe
          Filesize

          35KB

          MD5

          0fb0770234d06d50a3fd5349bf63da23

          SHA1

          da9a28271b98f9a62ef9c0ae1c9df71cb2b0e265

          SHA256

          f545c19c58bce0eda04abd5b203996b7ccd22a54379e8f1c04dd66b3ae06cd68

          SHA512

          df3d3e876bc7d2927e762ee3fb938cba975ca1501289e03cb4349bf8dcb07b3858388dce5523c41eab31e881901e91433d12363cc7488fae314fe28b19f1c823

          Download Submit

        • C:\Windows\CTS.exe
          Filesize

          35KB

          MD5

          93e5f18caebd8d4a2c893e40e5f38232

          SHA1

          fd55c4e6bcd108bce60ea719c06dc9c4d0adafa6

          SHA256

          a66c4b98becac2f69cb107cd087d7a2ca9ef511bc3b83367b1f440f11dd159a8

          SHA512

          986583610d27caae2080834301d072557c5d2c85e33f0d19ab1245d7eae8db146397461572ddb3d491be16f3af210720d54267dac838fdad8fe34afa3d6b7f54

          Download Submit

        • memory/320-12-0x00000000000E0000-0x00000000000F7000-memory.dmp

          Filesize

          92KB

          Download

        • memory/2328-0-0x0000000000B40000-0x0000000000B57000-memory.dmp

          Filesize

          92KB

          Download

        • memory/2328-8-0x0000000000B40000-0x0000000000B57000-memory.dmp

          Filesize

          92KB

          Download

        • memory/2328-11-0x0000000000170000-0x0000000000187000-memory.dmp

          Filesize

          92KB

          Download

        • memory/2328-18-0x0000000000170000-0x0000000000187000-memory.dmp

          Filesize

          92KB

          Download