Overview

overview

7

Static

static

7

39a9c66899...ca.exe

windows7-x64

7

39a9c66899...ca.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    151s
  • max time network
    171s
  • platform
    windows7_x64
  • resource
    win7-20240319-en
  • resource tags

    arch:x64arch:x86image:win7-20240319-enlocale:en-usos:windows7-x64system
  • submitted
    10/04/2024, 06:00

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    39a9c6689932d1c09723336fa4aec3ca.exe

  • Size

    453KB

  • MD5

    39a9c6689932d1c09723336fa4aec3ca

  • SHA1

    f22a22b62ce10134d3fbe3b11ebd06f6063e0853

  • SHA256

    e793f8e95cc4865f81bfc43fe1ededfe9a039de998aea4ea40dd097bb4dc9ebb

  • SHA512

    fd87deead477c6a30aa7daff7117d05fa9f85f9870942b5037e49a0eef34519b1b1ebda50a828ef98f86a91e6eb992db9019f5708bc194ef2b33398e6ac888ff

  • SSDEEP

    12288:6EQoSvqhQCx6N4iJI4wJ41vwNCYCCAkmuOhYBHY9Q36UgfA2J4:60Qi6NsJOYJPmzh+HszJ4

Score
7/10
persistencespywarestealerupx

Malware Config

Signatures

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • UPX packed file 7 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Enumerates connected drives 3 TTPs 23 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory 10 IoCs
  • Drops file in Program Files directory 15 IoCs
  • Drops file in Windows directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\39a9c6689932d1c09723336fa4aec3ca.exe
    "C:\Users\Admin\AppData\Local\Temp\39a9c6689932d1c09723336fa4aec3ca.exe"
    1⤵
    • Adds Run key to start application
    • Enumerates connected drives
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2228
    • C:\Users\Admin\AppData\Local\Temp\39a9c6689932d1c09723336fa4aec3ca.exe
      "C:\Users\Admin\AppData\Local\Temp\39a9c6689932d1c09723336fa4aec3ca.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:3064
      • C:\Users\Admin\AppData\Local\Temp\39a9c6689932d1c09723336fa4aec3ca.exe
        "C:\Users\Admin\AppData\Local\Temp\39a9c6689932d1c09723336fa4aec3ca.exe"
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        PID:2640

Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Program Files\Windows Sidebar\Shared Gadgets\trambling several models .rar.exe
          Filesize

          212KB

          MD5

          9b87557ad2b872b11b7355471f34d76a

          SHA1

          3b50033c9fb0b61b07af0adb9eefc3c8f57ad698

          SHA256

          bcf35c3afddc7d12787de75220f38259229f42b82533295deb6bfad139f378ef

          SHA512

          5e70f69712158023b52896159825068117022ab1f4a1f4eac111e920a4a4c9840f05bb55f5309f6e0cd49fdf3e7e1d4b6651b984a7be73fb1774f72f8e4332b0

          Download Submit

        • C:\debug.txt
          Filesize

          146B

          MD5

          138c6e9458a59138be22a23f3a192ee6

          SHA1

          ea38390e88274a18310fd1cd252c9622f64f5ed7

          SHA256

          7cd48cfa96d6ac3d038a64aa3c47813c450921e779b914ba78b66c312613354e

          SHA512

          cf08af8a94943e07b1356135da646d4a7139fa0e532a7e4dcd78a442d69f890dc957230d120c974db5db1bf397e34997edb3a880264e6615878dba42e56f0e2c

          Download Submit

        • memory/2228-0-0x0000000000400000-0x0000000000421000-memory.dmp

          Filesize

          132KB

          Download

        • memory/2228-7-0x00000000049D0000-0x00000000049F1000-memory.dmp

          Filesize

          132KB

          Download

        • memory/2228-93-0x0000000000400000-0x0000000000421000-memory.dmp

          Filesize

          132KB

          Download

        • memory/2640-31-0x0000000000400000-0x0000000000421000-memory.dmp

          Filesize

          132KB

          Download

        • memory/2640-98-0x0000000000400000-0x0000000000421000-memory.dmp

          Filesize

          132KB

          Download

        • memory/3064-9-0x0000000000400000-0x0000000000421000-memory.dmp

          Filesize

          132KB

          Download

        • memory/3064-30-0x0000000004910000-0x0000000004931000-memory.dmp

          Filesize

          132KB

          Download

        • memory/3064-96-0x0000000000400000-0x0000000000421000-memory.dmp

          Filesize

          132KB

          Download

        • memory/3064-97-0x0000000004910000-0x0000000004931000-memory.dmp

          Filesize

          132KB

          Download