Overview

overview

7

Static

static

7

cb48ef0cab...bf.exe

windows7-x64

7

cb48ef0cab...bf.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    140s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20231129-en
  • resource tags

    arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
  • submitted
    15/03/2024, 11:26

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    cb48ef0cab40d3ba58aad515817743bf.exe

  • Size

    59KB

  • MD5

    cb48ef0cab40d3ba58aad515817743bf

  • SHA1

    246bce029647ae11f576afc8184cec57f265545e

  • SHA256

    3aef4d66a8d71047837510b404937748c9275a36c87ae7c32777c539d4c4479e

  • SHA512

    8f74c9cb21df4e877674c67c1fcc79fb4cf54e6e6db7f028cba5b0dc2b3523d5ad229f91cd289e11736e74c0a9567ac3ac75ab8b8a9914190de91293d4aca99a

  • SSDEEP

    768:XocAX3LKew369lp2z3Sd4baFXLjwP/Tgj93b8NIocVSEFGocAX3LKew369lp2z3D:SKcR4mjD9r823FHKcR4mjD9r823FK

Score
7/10
persistencespywarestealerupx

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • UPX packed file 6 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Drops file in Windows directory 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\cb48ef0cab40d3ba58aad515817743bf.exe
    "C:\Users\Admin\AppData\Local\Temp\cb48ef0cab40d3ba58aad515817743bf.exe"
    1⤵
    • Adds Run key to start application
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1576
    • C:\Windows\CTS.exe
      "C:\Windows\CTS.exe"
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      PID:3064

Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\GrV2M6zHbiB01tn.exe
          Filesize

          59KB

          MD5

          a3d2895d5686e827b99472822f324e9b

          SHA1

          c78b865269b79e90d080495ba37bfb9d1b8ce9e7

          SHA256

          7f95e5f61d3e8f210ca98aa4afc7f2d2d856133ea1a4edf6552eff96d3c190e3

          SHA512

          b65bb957a5f5538c1b5bc885c4170d03d8b53870b13cf7ddf536f4f31b454e3e12896ac568431894cfd478cef4e0d26c2d5620d26df69d1310c8e865e60a30f0

          Download Submit

        • C:\Windows\CTS.exe
          Filesize

          59KB

          MD5

          5efd390d5f95c8191f5ac33c4db4b143

          SHA1

          42d81b118815361daa3007f1a40f1576e9a9e0bc

          SHA256

          6028434636f349d801465f77af3a1e387a9c5032942ca6cadb6506d0800f2a74

          SHA512

          720fbe253483dc034307a57a2860c8629a760f883603198d1213f5290b7f236bf0f5f237728ebed50962be83dc7dc4abe61a1e9a55218778495fc6580eb20b3d

          Download Submit

        • memory/1576-0-0x0000000000EC0000-0x0000000000ED7000-memory.dmp

          Filesize

          92KB

          Download

        • memory/1576-9-0x0000000000EC0000-0x0000000000ED7000-memory.dmp

          Filesize

          92KB

          Download

        • memory/1576-8-0x00000000000E0000-0x00000000000F7000-memory.dmp

          Filesize

          92KB

          Download

        • memory/3064-12-0x00000000009D0000-0x00000000009E7000-memory.dmp

          Filesize

          92KB

          Download