Analysis

  • max time kernel
    140s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    24/04/2024, 19:01

General

  • Target

    12bbdee33a1c001fb5054778083203457820f5a6ac3aa33626b56be21afb2c27.exe

  • Size

    205KB

  • MD5

    8f4b355a36f67085510a38e53828707e

  • SHA1

    dd7f0bc00aade052dab157a1684c8bdb469484cf

  • SHA256

    12bbdee33a1c001fb5054778083203457820f5a6ac3aa33626b56be21afb2c27

  • SHA512

    ca22aa22ce21f3bc3f23e4f28c3e89f8daa01f07ce54f5c38c367ea5ba2a419946ad2f4679f98b85007701c74cbbb96905916f4128602da5b73ca7c85ac8e17c

  • SSDEEP

    6144:/MAoVN2uNNLVPyxkSHlvoPT+ydNWnZh/WUoSpies4R0y:0AoKPHdmzdNoz/WVSw0R0y

Malware Config

Signatures

  • UPX dump on OEP (original entry point) 5 IoCs
  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials, cookies, session tokens and autofill data.

  • UPX packed file 5 IoCs

    Detects executables packed with UPX, or with a modified build of the open-source UPX packer.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Drops file in Windows directory 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs
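The two UPX signatures above are related: "UPX packed file" is a static check on the PE, while "UPX dump on OEP" means the sandbox captured the unpacked image once the decompression stub transferred control to the original entry point, which is the artifact to analyse rather than the packed file on disk. As an added example (not this report's or the sandbox's own detection code), the following Python parses a PE section table and reports the UPX indicators: the UPX0/UPX1 section names and the "UPX!" magic, plus two layout heuristics that survive the renaming done by modified UPX builds (a first section with no raw data but a large virtual size, and an entry point outside the first section). The PE images it checks are constructed in memory for the example; the sample's own bytes are not on this page, so nothing here is derived from them.

```python
import struct

# PE/COFF section header: 8-byte name followed by nine fixed-width fields (40 bytes).
SECTION_HDR = struct.Struct("<8sIIIIIIHHI")
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000


def parse_sections(data: bytes):
    """Return (AddressOfEntryPoint, [section dicts]) for a PE file in memory."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    entry_point = struct.unpack_from("<I", data, opt + 16)[0]  # same offset for PE32 and PE32+
    sections, pos = [], opt + opt_size
    for _ in range(num_sections):
        name, vsize, va, rawsize, rawptr, _, _, _, _, chars = SECTION_HDR.unpack_from(data, pos)
        sections.append({"name": name.rstrip(b"\0").decode("latin-1"),
                         "virtual_size": vsize, "virtual_address": va,
                         "raw_size": rawsize, "raw_ptr": rawptr, "characteristics": chars})
        pos += SECTION_HDR.size
    return entry_point, sections


def upx_indicators(data: bytes):
    """List the UPX indicators found in a PE; an empty list means none."""
    entry_point, sections = parse_sections(data)
    hits = []
    named = [s["name"] for s in sections if s["name"].upper().startswith("UPX")]
    if named:
        hits.append("UPX section names: " + ", ".join(named))
    if b"UPX!" in data:  # packer header/trailer magic; a rename-only mod keeps it
        hits.append("UPX! magic string present")
    if sections and sections[0]["raw_size"] == 0 and sections[0]["virtual_size"] >= 0x1000:
        hits.append("first section has no raw data but a large virtual size (UPX0 pattern)")
    for i, s in enumerate(sections):
        if s["virtual_address"] <= entry_point < s["virtual_address"] + max(s["virtual_size"], 1):
            if i != 0:
                hits.append(f"entry point 0x{entry_point:X} lies in section {i} ({s['name']!r}), not the first")
            break
    return hits


def build_sample_pe(layout, entry_point, trailer=b""):
    """Construct a minimal PE32 image (test data for this example only).
    layout: list of (name, virtual_size, virtual_address, raw_size, characteristics)."""
    e_lfanew, opt_size, n = 0x40, 0xE0, len(layout)
    headers_end = e_lfanew + 4 + 20 + opt_size + n * SECTION_HDR.size
    raw_base = (headers_end + 0x1FF) & ~0x1FF  # file alignment 0x200
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x014C, n, 0, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)           # PE32 magic
    struct.pack_into("<I", opt, 16, entry_point)    # AddressOfEntryPoint
    hdrs, body, raw_ptr = b"", b"", raw_base
    for name, vsize, va, rawsize, chars in layout:
        hdrs += SECTION_HDR.pack(name.encode().ljust(8, b"\0"), vsize, va, rawsize,
                                 raw_ptr if rawsize else 0, 0, 0, 0, 0, chars)
        body += bytes(rawsize)
        raw_ptr += rawsize
    return (dos + b"PE\0\0" + coff + bytes(opt) + hdrs).ljust(raw_base, b"\0") + body + trailer


# Constructed images: a UPX-style layout (empty UPX0, stub and packed data in UPX1,
# entry point in UPX1, "UPX!" trailer) and an ordinary compiler layout.
RWX = IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE
PACKED_SAMPLE = build_sample_pe(
    [("UPX0", 0x20000, 0x1000, 0, RWX), ("UPX1", 0x8000, 0x21000, 0x7000, RWX),
     (".rsrc", 0x1000, 0x29000, 0x200, IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ)],
    entry_point=0x28000, trailer=b"UPX!" + bytes(32))
PLAIN_SAMPLE = build_sample_pe(
    [(".text", 0x3000, 0x1000, 0x3000, IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ),
     (".rdata", 0x1000, 0x4000, 0x1000, IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ),
     (".data", 0x1000, 0x5000, 0x200, IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE)],
    entry_point=0x1200)

if __name__ == "__main__":
    for label, blob in (("packed", PACKED_SAMPLE), ("plain", PLAIN_SAMPLE)):
        print(label, upx_indicators(blob) or ["no UPX indicators"])
```

Run against a real file with `upx_indicators(open(path, "rb").read())`. Treat the section-name and magic hits as near-certain and the two layout heuristics as supporting evidence; they also fire on other packers, which is exactly why the sandbox's OEP dump is the better starting point for analysis.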

Processes

  • C:\Users\Admin\AppData\Local\Temp\12bbdee33a1c001fb5054778083203457820f5a6ac3aa33626b56be21afb2c27.exe
    "C:\Users\Admin\AppData\Local\Temp\12bbdee33a1c001fb5054778083203457820f5a6ac3aa33626b56be21afb2c27.exe"
    1⤵
    • Adds Run key to start application
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2320
    • C:\Windows\CTS.exe
      "C:\Windows\CTS.exe"
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      PID:3028

Network

        MITRE ATT&CK Enterprise v15


        Downloads

        • C:\Users\Admin\AppData\Local\Temp\k9pYtKI9E2qzXfW.exe

          Filesize

          205KB

          MD5

          b731a9606de85d2e961f69cec8967f99

          SHA1

          db83318df7e8a9946ee50cd05c3506bbb1f3c938

          SHA256

          1b0105aa41e5838b3e3114bf060a3475aaf80fcd8d1d3e5f2d1d0d13d1618b1e

          SHA512

          e0176a43f60fea05e58ffc0f8dde0267a5a1b940c8dbfcc42474d4cfa5c77b11881e92166c5183a970a76dc4f53e3fbe8973955b4f662e7b9cbe48e22cb7444c

        • C:\Windows\CTS.exe

          Filesize

          27KB

          MD5

          a6749b968461644db5cc0ecceffb224a

          SHA1

          2795aa37b8586986a34437081351cdd791749a90

          SHA256

          720023737d7ff700818f55612ba069a609a5ddea646bb3509b615ee3523a4ca2

          SHA512

          2a276816290746ed914af9cf6427aef31ce9395b8e9937090e329a8f74fb84c62d15b196e13346caa086842b3f5f549b9eb20cbf422d18c9c1b63e6342ea90b4

        • memory/2320-0-0x0000000000920000-0x0000000000938000-memory.dmp

          Filesize

          96KB

        • memory/2320-8-0x0000000000920000-0x0000000000938000-memory.dmp

          Filesize

          96KB

        • memory/2320-11-0x0000000000170000-0x0000000000188000-memory.dmp

          Filesize

          96KB

        • memory/2320-18-0x0000000000170000-0x0000000000188000-memory.dmp

          Filesize

          96KB

        • memory/3028-12-0x0000000000AF0000-0x0000000000B08000-memory.dmp

          Filesize

          96KB