Overview

overview

10

Static

static

10

72cbfe9f01...71.exe

windows7-x64

9

72cbfe9f01...71.exe

windows10-2004-x64

9

Analysis

  • max time kernel
    150s
  • max time network
    152s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    05/04/2024, 22:51

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    72cbfe9f016dac200766811a6e30c5f6ebcfb7c6f47f3c36b6ee81fbf996e471.exe

  • Size

    1.6MB

  • MD5

    5e964017bbed3616e9001e55d781a1c0

  • SHA1

    6f367963b992d829635875f33d2871060756172d

  • SHA256

    72cbfe9f016dac200766811a6e30c5f6ebcfb7c6f47f3c36b6ee81fbf996e471

  • SHA512

    90e8d58d4f58261757137a6f50fb3b5f68091f6a8bec6e8d3fb891a06320064baa6a2099f6393b0ee987ef2938b706e0823189f481cec75e8bbeea4f8b8303ec

  • SSDEEP

    24576:sSL8WPV6dFPfRV3wzY/7kVGC3zRbjJDGzmzD9QPiJLDjp9c0Od3lYNd701:sHWt6bX3TkVGo1bFDG69QP49cerU

Score
9/10
persistencespywarestealerupx

Malware Config

Signatures

  • UPX dump on OEP (original entry point) 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • UPX packed file 9 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Enumerates connected drives 3 TTPs 23 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory 10 IoCs
  • Drops file in Program Files directory 15 IoCs
  • Drops file in Windows directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\72cbfe9f016dac200766811a6e30c5f6ebcfb7c6f47f3c36b6ee81fbf996e471.exe
    "C:\Users\Admin\AppData\Local\Temp\72cbfe9f016dac200766811a6e30c5f6ebcfb7c6f47f3c36b6ee81fbf996e471.exe"
    1⤵
    • Adds Run key to start application
    • Enumerates connected drives
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1036
    • C:\Users\Admin\AppData\Local\Temp\72cbfe9f016dac200766811a6e30c5f6ebcfb7c6f47f3c36b6ee81fbf996e471.exe
      "C:\Users\Admin\AppData\Local\Temp\72cbfe9f016dac200766811a6e30c5f6ebcfb7c6f47f3c36b6ee81fbf996e471.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:2564
      • C:\Users\Admin\AppData\Local\Temp\72cbfe9f016dac200766811a6e30c5f6ebcfb7c6f47f3c36b6ee81fbf996e471.exe
        "C:\Users\Admin\AppData\Local\Temp\72cbfe9f016dac200766811a6e30c5f6ebcfb7c6f47f3c36b6ee81fbf996e471.exe"
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        PID:1740

Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Program Files\Windows Sidebar\Shared Gadgets\black handjob trambling several models (Sylvia).rar.exe
          Filesize

          799KB

          MD5

          bd5832d8583e2ba3257e7e4f5ac9199d

          SHA1

          1fdd6b6a9920a4088d6d2ac57996a40bfb432e7b

          SHA256

          ec1b6b9fa73126e78056b1fa9a573d2f0bf73a4392925740532559a6a341c3f3

          SHA512

          8c5e506e6f83d741b3d4980181534cde7db8c9f045b1ffe0bdf478f8c1cd3b2147ec494ebf6d50db9b39c6f73ee15149d040d09c6300a372a4cd31113cddab8f

          Download Submit

        • C:\debug.txt
          Filesize

          183B

          MD5

          8df37d9201de99371b288df39aa71134

          SHA1

          b260aa225ce8b061ae73495b53e4ec39cd692574

          SHA256

          0973a9452c2bb6b433486c78ab8bc61072af16662d355931f3f09c34a04fade8

          SHA512

          0a670c02a7af06af2c9d9ae13315980df3c4733e02533e3957dc30482136422655672ff2aef7a852cfec18cc1de9e75ada4f0890a71be05cdb7af72f09a3644f

          Download Submit

        • memory/1036-0-0x0000000000400000-0x000000000041C000-memory.dmp

          Filesize

          112KB

          Download

        • memory/1036-47-0x0000000004AF0000-0x0000000004B0C000-memory.dmp

          Filesize

          112KB

          Download

        • memory/1036-91-0x0000000000400000-0x000000000041C000-memory.dmp

          Filesize

          112KB

          Download

        • memory/1036-92-0x0000000004AF0000-0x0000000004B0C000-memory.dmp

          Filesize

          112KB

          Download

        • memory/1740-64-0x0000000000400000-0x000000000041C000-memory.dmp

          Filesize

          112KB

          Download

        • memory/1740-98-0x0000000000400000-0x000000000041C000-memory.dmp

          Filesize

          112KB

          Download

        • memory/2564-48-0x0000000000400000-0x000000000041C000-memory.dmp

          Filesize

          112KB

          Download

        • memory/2564-63-0x00000000047C0000-0x00000000047DC000-memory.dmp

          Filesize

          112KB

          Download

        • memory/2564-96-0x0000000000400000-0x000000000041C000-memory.dmp

          Filesize

          112KB

          Download