Overview

overview

10

Static

static

3

eeeeeeeeee...00.exe

windows7-x64

eeeeeeeeee...00.exe

windows10-2004-x64

eeeeeeeeee...um.exe

windows7-x64

10

eeeeeeeeee...um.exe

windows10-2004-x64

10

eeeeeeeeee...ug.exe

windows7-x64

6

eeeeeeeeee...ug.exe

windows10-2004-x64

6

eeeeeeeeee...le.exe

windows7-x64

1

eeeeeeeeee...le.exe

windows10-2004-x64

1

eeeeeeeeee...er.exe

windows7-x64

7

eeeeeeeeee...er.exe

windows10-2004-x64

7

eeeeeeeeee...us.exe

windows7-x64

1

eeeeeeeeee...us.exe

windows10-2004-x64

1

MEMZ 3.0/MEMZ.bat

windows7-x64

7

MEMZ 3.0/MEMZ.bat

windows10-2004-x64

7

MEMZ 3.0/MEMZ.exe

windows7-x64

6

MEMZ 3.0/MEMZ.exe

windows10-2004-x64

7

eeeeeeeeee...MZ.bat

windows7-x64

7

eeeeeeeeee...MZ.bat

windows10-2004-x64

7

eeeeeeeeee...MZ.exe

windows7-x64

6

eeeeeeeeee...MZ.exe

windows10-2004-x64

7

eeeeeeeeee...ld.exe

windows7-x64

3

eeeeeeeeee...ld.exe

windows10-2004-x64

3

eeeeeeeeee....A.exe

windows7-x64

6

eeeeeeeeee....A.exe

windows10-2004-x64

6

eeeeeeeeee...al.exe

windows7-x64

7

eeeeeeeeee...al.exe

windows10-2004-x64

8

eeeeeeeeee...15.exe

windows7-x64

3

eeeeeeeeee...15.exe

windows10-2004-x64

3

eeeeeeeeee...al.exe

windows7-x64

7

eeeeeeeeee...al.exe

windows10-2004-x64

8

eeeeeeeeee...0r.exe

windows7-x64

10

eeeeeeeeee...0r.exe

windows10-2004-x64

10

Resubmissions

15-09-2024 23:12

240915-27aqvsxhjq 8

15-09-2024 23:02

240915-21efgaxake 8

15-09-2024 22:58

240915-2xypyaxdkj 3

15-09-2024 22:56

240915-2wn44sxcpk 3

15-09-2024 22:43

240915-2np2fawhpr 3

15-09-2024 22:42

240915-2m3k5swhmk 10

15-09-2024 22:33

240915-2gqdmawbja 8

15-09-2024 22:27

240915-2de4gswekk 7

15-09-2024 22:15

240915-16esravenh 10

Analysis

  • max time kernel
    1820s
  • max time network
    1163s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    10-03-2024 21:55

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    eeeeeeeeeeeeee/Malware_pack_2/Malware_pack_2/Security Central/[email protected]

  • Size

    904KB

  • MD5

    0315c3149c7dc1d865dc5a89043d870d

  • SHA1

    f74546dda99891ca688416b1a61c9637b3794108

  • SHA256

    90c2c3944fa8933eefc699cf590ed836086deb31ee56ec71b5651fd978a352c9

  • SHA512

    7168dc244f0e400fa302801078e3faec8cdd2d3cb3b8baaab0a1b3c0929d7cf41e54bfbe530ad5ce96a6b63761f7866d26aaae788c3138c34294174091478112

  • SSDEEP

    24576:bnQv6Dyxn2Qx0KHizHWKxHuyCcZFyXR1tG:2OE2QtCzhh/7R

Score
8/10
persistencespywarestealerupx

Malware Config

Signatures

  • Modifies Installed Components in the registry 2 TTPs 2 IoCs
    persistence
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • UPX packed file 58 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Enumerates connected drives 3 TTPs 25 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Suspicious use of SetThreadContext 2 IoCs
  • Drops file in Program Files directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks SCSI registry key(s) 3 TTPs 64 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Modifies Internet Explorer settings 1 TTPs 4 IoCs
    adwarespyware
  • Modifies data under HKEY_USERS 64 IoCs
  • Modifies registry class 33 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 58 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 56 IoCs
  • Suspicious use of SetWindowsHookEx 9 IoCs
  • Suspicious use of WriteProcessMemory 25 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\eeeeeeeeeeeeee\Malware_pack_2\Malware_pack_2\Security Central\[email protected]
    "C:\Users\Admin\AppData\Local\Temp\eeeeeeeeeeeeee\Malware_pack_2\Malware_pack_2\Security Central\[email protected]"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:5036
    • C:\Users\Admin\AppData\Local\Temp\eeeeeeeeeeeeee\Malware_pack_2\Malware_pack_2\Security Central\[email protected]
      "C:\Users\Admin\AppData\Local\Temp\eeeeeeeeeeeeee\Malware_pack_2\Malware_pack_2\Security Central\[email protected]"
      2⤵
      • Drops file in Program Files directory
      • Suspicious use of WriteProcessMemory
      PID:3136
      • C:\Program Files (x86)\Security Central\Security Central.exe
        "C:\Program Files (x86)\Security Central\Security Central.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:5100
        • C:\Program Files (x86)\Security Central\Security Central.exe
          "C:\Program Files (x86)\Security Central\Security Central.exe"
          4⤵
          • Executes dropped EXE
          • Adds Run key to start application
          • Enumerates connected drives
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SendNotifyMessage
          • Suspicious use of SetWindowsHookEx
          PID:4552
  • C:\Windows\system32\sihost.exe
    sihost.exe
    1⤵
    • Suspicious use of FindShellTrayWindow
    PID:228
  • C:\Windows\system32\sihost.exe
    sihost.exe
    1⤵
    • Suspicious use of FindShellTrayWindow
    PID:4088
  • C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
    "C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
    1⤵
    • Modifies data under HKEY_USERS
    • Suspicious use of SetWindowsHookEx
    PID:2756
  • C:\Windows\system32\sihost.exe
    sihost.exe
    1⤵
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:3884
    • C:\Windows\explorer.exe
      explorer.exe /LOADSAVEDWINDOWS
      2⤵
      • Modifies Installed Components in the registry
      • Enumerates connected drives
      • Checks SCSI registry key(s)
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:1988
  • C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
    "C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
    1⤵
    • Modifies data under HKEY_USERS
    • Suspicious use of SetWindowsHookEx
    PID:1640
  • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
    "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
    1⤵
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:400
  • C:\Windows\system32\sihost.exe
    sihost.exe
    1⤵
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of WriteProcessMemory
    PID:3272
    • C:\Windows\explorer.exe
      explorer.exe /LOADSAVEDWINDOWS
      2⤵
      • Modifies Installed Components in the registry
      • Enumerates connected drives
      • Checks SCSI registry key(s)
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SendNotifyMessage
      • Suspicious use of SetWindowsHookEx
      PID:3480
  • C:\Windows\system32\sihost.exe
    sihost.exe
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:5060
    • C:\Windows\explorer.exe
      explorer.exe /LOADSAVEDWINDOWS
      2⤵
      • Modifies registry class
      PID:1016
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {9BA05972-F6A8-11CF-A442-00A0C90A8F39} -Embedding
    1⤵
      PID:1624
    • C:\Windows\system32\sihost.exe
      sihost.exe
      1⤵
        PID:4164
      • C:\Windows\System32\rundll32.exe
        C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {3eef301f-b596-4c0b-bd92-013beafce793} -Embedding
        1⤵
          PID:1196
        • C:\Windows\system32\AUDIODG.EXE
          C:\Windows\system32\AUDIODG.EXE 0x30c 0x3bc
          1⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:3380

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Program Files (x86)\Security Central\Security Central.exe
          Filesize

          904KB

          MD5

          0315c3149c7dc1d865dc5a89043d870d

          SHA1

          f74546dda99891ca688416b1a61c9637b3794108

          SHA256

          90c2c3944fa8933eefc699cf590ed836086deb31ee56ec71b5651fd978a352c9

          SHA512

          7168dc244f0e400fa302801078e3faec8cdd2d3cb3b8baaab0a1b3c0929d7cf41e54bfbe530ad5ce96a6b63761f7866d26aaae788c3138c34294174091478112

          Download Submit

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\80237EE4964FC9C409AAF55BF996A292_D46D6FA25B74360E1349F9015B5CCE53
          Filesize

          471B

          MD5

          a40c31078f3fd7182239be30c4323571

          SHA1

          3043f50ca078c74d5b838b9a92ad14aa6666ba4d

          SHA256

          fce3d27f11da8815145ec6d77495d0cb93db99ba1289301db7c8946e427fd64e

          SHA512

          1aa91b27c24084bc4fb340fe0427c02fae980402eff909501a037f656d651f49f56d5a83801fb5e06ea3eaa4a63056557e77b116dc857eccd048164aaec7d5aa

          Download Submit

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_D46D6FA25B74360E1349F9015B5CCE53
          Filesize

          412B

          MD5

          150dab138b16417424ccbb4955fea397

          SHA1

          042c15fdf6bd0abf9d712d78a08b6e8fc6a57206

          SHA256

          254e52e4d2a3a49e0e250e75453d4897b237d20c854eed102880bb07f0aaeb2f

          SHA512

          f7244e271ffa667028d989853ca577943a86512bd9e29194caaccb8e8a626bb3b07a0b70c4095cae2b474639a9fce8cedc6ff41bb8176fbe7c05868ee756d8b5

          Download Submit

        • C:\Users\Admin\AppData\Local\Microsoft\PenWorkspace\DiscoverCacheData.dat
          Filesize

          1022B

          MD5

          8da87e9808007b3fef83a9ca1ad4764b

          SHA1

          e20317197272ac0dd55a6d60c494e6ac2e21f63e

          SHA256

          77605516638607e85c28724b36805738ae70f87c20da27235a41e82e4bb263f0

          SHA512

          5daff93ad22b32c0c0b34b15ee83bb3bb5793d7f4010cb9f17a97064512c7b3c72ec076c4d65381aefdc2894bdb73e4c41119ca462f84aaff4bca28ea2fc0eb0

          Download Submit

        • C:\Users\Admin\Desktop\Security Central.lnk
          Filesize

          1KB

          MD5

          11d71666c5057a41f962e6ab92fa2f0e

          SHA1

          0c52e63ba6c37ca64897b0a4bb98e8f93276395d

          SHA256

          1ba869045cfccc684fa6431ceb97bcf0dbe21b2fafeaf4a5aaba3ee253a8948b

          SHA512

          a2443a6ef73f3d57a3b3a248ade08d614c91af34d83cda4b291063b2d3ff30a21e9da50c0070b1fd54fddd08aa471d3d75247587c0604413e7a74e341bd494d0

          Download Submit

        • memory/1988-38-0x0000000004D40000-0x0000000004D41000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3136-6-0x0000000000400000-0x0000000000A35000-memory.dmp

          Filesize

          6.2MB

          Download

        • memory/3136-20-0x0000000000400000-0x0000000000A35000-memory.dmp

          Filesize

          6.2MB

          Download

        • memory/3136-2-0x0000000000400000-0x0000000000A35000-memory.dmp

          Filesize

          6.2MB

          Download

        • memory/3136-7-0x0000000000F20000-0x0000000000F21000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3136-5-0x0000000000400000-0x0000000000A35000-memory.dmp

          Filesize

          6.2MB

          Download

        • memory/3136-4-0x0000000000400000-0x0000000000A35000-memory.dmp

          Filesize

          6.2MB

          Download

        • memory/3480-49-0x0000000004B90000-0x0000000004B91000-memory.dmp

          Filesize

          4KB

          Download

        • memory/4552-62-0x0000000000400000-0x0000000000A35000-memory.dmp

          Filesize

          6.2MB

          Download

        • memory/4552-68-0x0000000000400000-0x0000000000A35000-memory.dmp

          Filesize

          6.2MB

          Download

        • memory/4552-30-0x0000000000400000-0x0000000000A35000-memory.dmp

          Filesize

          6.2MB

          Download

        • memory/4552-33-0x0000000000B30000-0x0000000000B31000-memory.dmp

          Filesize

          4KB

          Download

        • memory/4552-29-0x0000000000400000-0x0000000000A35000-memory.dmp

          Filesize

          6.2MB

          Download

        • memory/4552-28-0x0000000000400000-0x0000000000A35000-memory.dmp

          Filesize

          6.2MB

          Download

        • memory/4552-24-0x0000000000400000-0x0000000000A35000-memory.dmp

          Filesize

          6.2MB

          Download

        • memory/4552-23-0x0000000000400000-0x0000000000A35000-memory.dmp

          Filesize

          6.2MB

          Download

        • memory/4552-45-0x0000000000400000-0x0000000000A35000-memory.dmp

          Filesize

          6.2MB

          Download

        • memory/4552-47-0x0000000000400000-0x0000000000A35000-memory.dmp

          Filesize

          6.2MB

          Download

        • memory/4552-22-0x0000000000400000-0x0000000000A35000-memory.dmp

          Filesize

          6.2MB

          Download

        • memory/4552-51-0x0000000000400000-0x0000000000A35000-memory.dmp

          Filesize

          6.2MB

          Download

        • memory/4552-52-0x0000000000400000-0x0000000000A35000-memory.dmp

          Filesize

          6.2MB

          Download

        • memory/4552-54-0x0000000000400000-0x0000000000A35000-memory.dmp

          Filesize

          6.2MB

          Download

        • memory/4552-55-0x0000000000400000-0x0000000000A35000-memory.dmp

          Filesize

          6.2MB

          Download

        • memory/4552-56-0x0000000000400000-0x0000000000A35000-memory.dmp

          Filesize

          6.2MB

          Download

        • memory/4552-57-0x0000000000400000-0x0000000000A35000-memory.dmp

          Filesize

          6.2MB

          Download

        • memory/4552-58-0x0000000000400000-0x0000000000A35000-memory.dmp

          Filesize

          6.2MB

          Download

        • memory/4552-59-0x0000000000400000-0x0000000000A35000-memory.dmp

          Filesize

          6.2MB

          Download

        • memory/4552-60-0x0000000000400000-0x0000000000A35000-memory.dmp

          Filesize

          6.2MB

          Download

        • memory/4552-61-0x0000000000400000-0x0000000000A35000-memory.dmp

          Filesize

          6.2MB

          Download

        • memory/4552-19-0x0000000000B30000-0x0000000000B31000-memory.dmp

          Filesize

          4KB

          Download

        • memory/4552-63-0x0000000000400000-0x0000000000A35000-memory.dmp

          Filesize

          6.2MB

          Download

        • memory/4552-64-0x0000000000400000-0x0000000000A35000-memory.dmp

          Filesize

          6.2MB

          Download

        • memory/4552-65-0x0000000000400000-0x0000000000A35000-memory.dmp

          Filesize

          6.2MB

          Download

        • memory/4552-66-0x0000000000400000-0x0000000000A35000-memory.dmp

          Filesize

          6.2MB

          Download

        • memory/4552-67-0x0000000000400000-0x0000000000A35000-memory.dmp

          Filesize

          6.2MB

          Download

        • memory/4552-31-0x0000000000400000-0x0000000000A35000-memory.dmp

          Filesize

          6.2MB

          Download

        • memory/4552-69-0x0000000000400000-0x0000000000A35000-memory.dmp

          Filesize

          6.2MB

          Download

        • memory/4552-70-0x0000000000400000-0x0000000000A35000-memory.dmp

          Filesize

          6.2MB

          Download

        • memory/4552-71-0x0000000000400000-0x0000000000A35000-memory.dmp

          Filesize

          6.2MB

          Download

        • memory/4552-72-0x0000000000400000-0x0000000000A35000-memory.dmp

          Filesize

          6.2MB

          Download

        • memory/4552-73-0x0000000000400000-0x0000000000A35000-memory.dmp

          Filesize

          6.2MB

          Download

        • memory/4552-74-0x0000000000400000-0x0000000000A35000-memory.dmp

          Filesize

          6.2MB

          Download

        • memory/4552-75-0x0000000000400000-0x0000000000A35000-memory.dmp

          Filesize

          6.2MB

          Download

        • memory/4552-76-0x0000000000400000-0x0000000000A35000-memory.dmp

          Filesize

          6.2MB

          Download

        • memory/4552-77-0x0000000000400000-0x0000000000A35000-memory.dmp

          Filesize

          6.2MB

          Download

        • memory/4552-78-0x0000000000400000-0x0000000000A35000-memory.dmp

          Filesize

          6.2MB

          Download

        • memory/4552-79-0x0000000000400000-0x0000000000A35000-memory.dmp

          Filesize

          6.2MB

          Download

        • memory/4552-80-0x0000000000400000-0x0000000000A35000-memory.dmp

          Filesize

          6.2MB

          Download

        • memory/4552-81-0x0000000000400000-0x0000000000A35000-memory.dmp

          Filesize

          6.2MB

          Download

        • memory/4552-82-0x0000000000400000-0x0000000000A35000-memory.dmp

          Filesize

          6.2MB

          Download

        • memory/4552-83-0x0000000000400000-0x0000000000A35000-memory.dmp

          Filesize

          6.2MB

          Download

        • memory/4552-84-0x0000000000400000-0x0000000000A35000-memory.dmp

          Filesize

          6.2MB

          Download

        • memory/4552-85-0x0000000000400000-0x0000000000A35000-memory.dmp

          Filesize

          6.2MB

          Download

        • memory/4552-86-0x0000000000400000-0x0000000000A35000-memory.dmp

          Filesize

          6.2MB

          Download

        • memory/4552-87-0x0000000000400000-0x0000000000A35000-memory.dmp

          Filesize

          6.2MB

          Download

        • memory/4552-88-0x0000000000400000-0x0000000000A35000-memory.dmp

          Filesize

          6.2MB

          Download

        • memory/4552-89-0x0000000000400000-0x0000000000A35000-memory.dmp

          Filesize

          6.2MB

          Download

        • memory/4552-90-0x0000000000400000-0x0000000000A35000-memory.dmp

          Filesize

          6.2MB

          Download

        • memory/4552-91-0x0000000000400000-0x0000000000A35000-memory.dmp

          Filesize

          6.2MB

          Download

        • memory/4552-92-0x0000000000400000-0x0000000000A35000-memory.dmp

          Filesize

          6.2MB

          Download

        • memory/4552-93-0x0000000000400000-0x0000000000A35000-memory.dmp

          Filesize

          6.2MB

          Download

        • memory/4552-94-0x0000000000400000-0x0000000000A35000-memory.dmp

          Filesize

          6.2MB

          Download

        • memory/4552-95-0x0000000000400000-0x0000000000A35000-memory.dmp

          Filesize

          6.2MB

          Download