Overview

overview

7

Static

static

7

b841b4f446...65.exe

windows7-x64

7

b841b4f446...65.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    149s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    08-03-2024 02:37

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    b841b4f44614bc42302046edb5f9a865.exe

  • Size

    36KB

  • MD5

    b841b4f44614bc42302046edb5f9a865

  • SHA1

    bb76a653b4bb958befc061017b5321200d25a353

  • SHA256

    80349de34de818495a5eadf4bab5c76dadac47447060b817e3b3a94737e5fa93

  • SHA512

    d01266b587cbb2c54360491dd88717dc4c291430c419eab28e7ddf13318c71ebcd52a720cf859b254c565016dbe394eb50586a217a230c90d5b7eaad9c2f98d0

  • SSDEEP

    768:X8Q2ZDX3LKew369lp2z3Sd4baFXLjwP/Tgj93b8NIom46+IdxS:s9Z3KcR4mjD9r8226+eI

Score
7/10
persistencespywarestealerupx

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • UPX packed file 7 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Drops file in Windows directory 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b841b4f44614bc42302046edb5f9a865.exe
    "C:\Users\Admin\AppData\Local\Temp\b841b4f44614bc42302046edb5f9a865.exe"
    1⤵
    • Adds Run key to start application
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3644
    • C:\Windows\CTS.exe
      "C:\Windows\CTS.exe"
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      PID:4744

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\excel.exe_Rules.xml
    Filesize

    358KB

    MD5

    09b623defc30f245d66ecb8469e1860b

    SHA1

    0366f962502b08b246bb80dfc5e9ec6be31b3dac

    SHA256

    d558ccac739b75f48b099b2d97d0a0ba92fc7858e9a6e16db3bc238b468510b1

    SHA512

    e6e90e1b4d1161a976c28da12f41b6f09eb71fbf94d79a39124240a4c3fa60a5927415274c16cb6882182194b6a66988076dc5208a94bea4ad17c5800bc47a4c

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\2d9RHzbPjmLYtBh.exe
    Filesize

    36KB

    MD5

    a9803bf5109c45770cf25279681b3154

    SHA1

    97476c078d01dd99c80d31cc81b892f634a5cbe6

    SHA256

    aee7ad852c567f90435d5aa7ee8d547d276fd7a5b142ccf3d22327a9edc647ee

    SHA512

    fe410ad05140c580df542fc68122dc369f9abdfe3b4574d0ba506a204d3cc24fee2da6fd2df3c1bcc085707baac25229f74a9b5c0f9b93decf82ae3cc50831fd

    Download Submit

  • C:\Windows\CTS.exe
    Filesize

    35KB

    MD5

    93e5f18caebd8d4a2c893e40e5f38232

    SHA1

    fd55c4e6bcd108bce60ea719c06dc9c4d0adafa6

    SHA256

    a66c4b98becac2f69cb107cd087d7a2ca9ef511bc3b83367b1f440f11dd159a8

    SHA512

    986583610d27caae2080834301d072557c5d2c85e33f0d19ab1245d7eae8db146397461572ddb3d491be16f3af210720d54267dac838fdad8fe34afa3d6b7f54

    Download Submit

  • memory/3644-0-0x0000000000660000-0x0000000000677000-memory.dmp

    Filesize

    92KB

    Download

  • memory/3644-7-0x0000000000660000-0x0000000000677000-memory.dmp

    Filesize

    92KB

    Download

  • memory/4744-9-0x00000000002B0000-0x00000000002C7000-memory.dmp

    Filesize

    92KB

    Download

  • memory/4744-35-0x00000000002B0000-0x00000000002C7000-memory.dmp

    Filesize

    92KB

    Download