Overview

overview

10

Static

static

10

f264b5f97e...4d.exe

windows7-x64

9

f264b5f97e...4d.exe

windows10-2004-x64

9

Analysis

  • max time kernel
    150s
  • max time network
    151s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    25/04/2024, 05:07

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    f264b5f97e918889a82f82602983e42a595913c6aafb36889ad04aa6ed1a854d.exe

  • Size

    2.0MB

  • MD5

    3219238bf3f59436c81028d7a201ccd1

  • SHA1

    645f1e9d9c196ec5d42a04414a1d01ee57802360

  • SHA256

    f264b5f97e918889a82f82602983e42a595913c6aafb36889ad04aa6ed1a854d

  • SHA512

    82bf78b1ec51935b367a46862d6db2accbc33324c2b4cfd8a947a7d35e80a4c742426ed4fddcfed526351f4bc4eec6cac5d8fe8fdc9eecba15130def7117346e

  • SSDEEP

    49152:xvSxuGsnYtVLogDJjgHSZIxcH9K4km78Url408:xyuGsnYtVL3DJqhxk1k24v

Score
9/10
persistencespywarestealerupx

Malware Config

Signatures

  • Detects executables containing possible sandbox analysis VM usernames 4 IoCs
  • UPX dump on OEP (original entry point) 9 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • UPX packed file 9 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Enumerates connected drives 3 TTPs 23 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory 10 IoCs
  • Drops file in Program Files directory 15 IoCs
  • Drops file in Windows directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f264b5f97e918889a82f82602983e42a595913c6aafb36889ad04aa6ed1a854d.exe
    "C:\Users\Admin\AppData\Local\Temp\f264b5f97e918889a82f82602983e42a595913c6aafb36889ad04aa6ed1a854d.exe"
    1⤵
    • Adds Run key to start application
    • Enumerates connected drives
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2768
    • C:\Users\Admin\AppData\Local\Temp\f264b5f97e918889a82f82602983e42a595913c6aafb36889ad04aa6ed1a854d.exe
      "C:\Users\Admin\AppData\Local\Temp\f264b5f97e918889a82f82602983e42a595913c6aafb36889ad04aa6ed1a854d.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:2988
      • C:\Users\Admin\AppData\Local\Temp\f264b5f97e918889a82f82602983e42a595913c6aafb36889ad04aa6ed1a854d.exe
        "C:\Users\Admin\AppData\Local\Temp\f264b5f97e918889a82f82602983e42a595913c6aafb36889ad04aa6ed1a854d.exe"
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        PID:2596
    • C:\Users\Admin\AppData\Local\Temp\f264b5f97e918889a82f82602983e42a595913c6aafb36889ad04aa6ed1a854d.exe
      "C:\Users\Admin\AppData\Local\Temp\f264b5f97e918889a82f82602983e42a595913c6aafb36889ad04aa6ed1a854d.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:2528

Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Program Files\Windows Sidebar\Shared Gadgets\nude hot (!) cock .rar.exe
          Filesize

          118KB

          MD5

          9d5bc28e8d9634570e07d8b48c1e5637

          SHA1

          04458e897f061a63e60ad4d7141e5782e0f40ed5

          SHA256

          b82c899d286bb2f677b173503fcce749eb74137f923a1bfa3c5d2f3f3f8d3dae

          SHA512

          3192d4d6328c78090d21298a572aad2b4869da956abc92ccff577864fb16225c8a801f308e6db8fb16e3f7f8c90af3e844c4fd404b22e5d46f53a3da9ef93e08

          Download Submit

        • C:\debug.txt
          Filesize

          183B

          MD5

          1469acb35c54bb3570623110f6c8aa78

          SHA1

          4a383f11555fbf48a40d158d16be259826b15588

          SHA256

          e2f7995bb51e71956b0948e3bdf7af23df32e3eed9aa5191569042283f4a8ab6

          SHA512

          5940a6144caaef896349876e48a35121797e8af503eded4221b7d5a759f358630d9c320a43c8ce21c552139e96861b3689c779bf8d85db4a20dc5edcd38d4f65

          Download Submit

        • memory/2528-67-0x0000000000400000-0x0000000000420000-memory.dmp

          Filesize

          128KB

          Download

        • memory/2596-68-0x0000000000400000-0x0000000000420000-memory.dmp

          Filesize

          128KB

          Download

        • memory/2768-0-0x0000000000400000-0x0000000000420000-memory.dmp

          Filesize

          128KB

          Download

        • memory/2768-22-0x0000000005990000-0x00000000059B0000-memory.dmp

          Filesize

          128KB

          Download

        • memory/2768-65-0x00000000059A0000-0x00000000059C0000-memory.dmp

          Filesize

          128KB

          Download

        • memory/2768-97-0x0000000000400000-0x0000000000420000-memory.dmp

          Filesize

          128KB

          Download

        • memory/2768-98-0x0000000005990000-0x00000000059B0000-memory.dmp

          Filesize

          128KB

          Download

        • memory/2988-23-0x0000000000400000-0x0000000000420000-memory.dmp

          Filesize

          128KB

          Download

        • memory/2988-63-0x0000000004900000-0x0000000004920000-memory.dmp

          Filesize

          128KB

          Download

        • memory/2988-101-0x0000000000400000-0x0000000000420000-memory.dmp

          Filesize

          128KB

          Download