Overview

overview

10

Static

static

10

4b733b1ce6...99.exe

windows7-x64

9

4b733b1ce6...99.exe

windows10-2004-x64

9

Analysis

  • max time kernel
    141s
  • max time network
    145s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240412-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
  • submitted
    22/04/2024, 21:44

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    4b733b1ce688db9ffc76d70ccd703af868d654f8f0dd48a047efa8f4d4a2e999.exe

  • Size

    91KB

  • MD5

    e84c7a9503d07bf74326ee6d36d3e1b2

  • SHA1

    3b9262f7ab13f42b7ce497a9437307793f772fed

  • SHA256

    4b733b1ce688db9ffc76d70ccd703af868d654f8f0dd48a047efa8f4d4a2e999

  • SHA512

    6398d55f027b41c1f66debffa05b1b2fa399a108e38ba7c7a0eebcc13f4a47aacde5c43d432ac7c3014b7b43cb1de09da26d22183412d18c4b15d7e3d15b995d

  • SSDEEP

    1536:N5VzcfA/6LrVpL74gfh16nIartYXG+wHGPYpKx25lZNipbJN0LKdrMd7jHsin:/V2A/gVh74gpgIutG1wmgpRZW0Lqsd

Score
9/10
persistencespywarestealerupx

Malware Config

Signatures

  • UPX dump on OEP (original entry point) 5 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • UPX packed file 5 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Drops file in Windows directory 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\4b733b1ce688db9ffc76d70ccd703af868d654f8f0dd48a047efa8f4d4a2e999.exe
    "C:\Users\Admin\AppData\Local\Temp\4b733b1ce688db9ffc76d70ccd703af868d654f8f0dd48a047efa8f4d4a2e999.exe"
    1⤵
    • Adds Run key to start application
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2160
    • C:\Users\Admin\AppData\Local\Temp\80k6FdttrH3KQEO.exe
      C:\Users\Admin\AppData\Local\Temp\80k6FdttrH3KQEO.exe
      2⤵
      • Executes dropped EXE
      PID:3000
    • C:\Windows\CTS.exe
      "C:\Windows\CTS.exe"
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      PID:2568

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\msoia.exe_Rules.xml
    Filesize

    27KB

    MD5

    0c90ec8b7b37e2133f89f1ca399da94f

    SHA1

    7352fd9ee4ef532d1153277e448c1d342ae2a2ba

    SHA256

    592170ac866790d1ee4e9c43664748e80cfaf51db02e6b23c2dc1e05eed9cbdd

    SHA512

    0f47de31d47f266e8eb53d0da2f39180601d8d8642f791ab9b30a20c08a72ce9a257c82f8b77e4f4ed73dc8ffe109c75a61345f4032d8b94d41f2c9d19d06560

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\80k6FdttrH3KQEO.exe
    Filesize

    64KB

    MD5

    e97c622b03fb2a2598bf019fbbe29f2c

    SHA1

    32698bd1d3a0ff6cf441770d1b2b816285068d19

    SHA256

    5c1af46c7300e87a73dacf6cf41ce397e3f05df6bd9c7e227b4ac59f85769160

    SHA512

    db70c62fb35a8e5b005f13b57c1ebbf6c465f6ff0524422294c43e27fb4aa79379dc1e300ad11dc2354405c43b192ae06b91c0f525a1f2617e4d14673651a87d

    Download Submit

  • C:\Windows\CTS.exe
    Filesize

    27KB

    MD5

    a6749b968461644db5cc0ecceffb224a

    SHA1

    2795aa37b8586986a34437081351cdd791749a90

    SHA256

    720023737d7ff700818f55612ba069a609a5ddea646bb3509b615ee3523a4ca2

    SHA512

    2a276816290746ed914af9cf6427aef31ce9395b8e9937090e329a8f74fb84c62d15b196e13346caa086842b3f5f549b9eb20cbf422d18c9c1b63e6342ea90b4

    Download Submit

  • memory/2160-0-0x0000000000F70000-0x0000000000F88000-memory.dmp

    Filesize

    96KB

    Download

  • memory/2160-8-0x0000000000F70000-0x0000000000F88000-memory.dmp

    Filesize

    96KB

    Download

  • memory/2568-10-0x0000000000920000-0x0000000000938000-memory.dmp

    Filesize

    96KB

    Download