Overview

overview

10

Static

static

10

1d5bc596f4...86.exe

windows7-x64

9

1d5bc596f4...86.exe

windows10-2004-x64

9

Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    04/05/2024, 21:07

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    1d5bc596f4266425e1af0b30d1c6a5cc9e3ef0a97afbda9731cfe26b6bca2d86.exe

  • Size

    741KB

  • MD5

    8129a90dd552d872b0f5c28352ca440f

  • SHA1

    20a960cee6f1f09097b70fa6a1b78d50645a539f

  • SHA256

    1d5bc596f4266425e1af0b30d1c6a5cc9e3ef0a97afbda9731cfe26b6bca2d86

  • SHA512

    9f0c70042bbb88d38453aecdb86ee33e0a8c6680721ea78654a5d583f9d4d2354278f3b03ed5beafee07e60e29f08c6d13e93911897da882d6982a747e3faf8b

  • SSDEEP

    12288:A8EQoSMk5vbmyp03siuai5hYLVaaaKeLCdmP7I7nyjc/skq54d/TmXrv1D4cIizY:A8L5vyyp03Xbi5hYxaaaKxdq0H/z/mbs

Score
9/10
persistencespywarestealerupx

Malware Config

Signatures

  • Detects executables containing possible sandbox analysis VM usernames 17 IoCs
  • UPX dump on OEP (original entry point) 20 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • UPX packed file 20 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Enumerates connected drives 3 TTPs 23 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory 10 IoCs
  • Drops file in Program Files directory 15 IoCs
  • Drops file in Windows directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1d5bc596f4266425e1af0b30d1c6a5cc9e3ef0a97afbda9731cfe26b6bca2d86.exe
    "C:\Users\Admin\AppData\Local\Temp\1d5bc596f4266425e1af0b30d1c6a5cc9e3ef0a97afbda9731cfe26b6bca2d86.exe"
    1⤵
    • Adds Run key to start application
    • Enumerates connected drives
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2400
    • C:\Users\Admin\AppData\Local\Temp\1d5bc596f4266425e1af0b30d1c6a5cc9e3ef0a97afbda9731cfe26b6bca2d86.exe
      "C:\Users\Admin\AppData\Local\Temp\1d5bc596f4266425e1af0b30d1c6a5cc9e3ef0a97afbda9731cfe26b6bca2d86.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:2472
      • C:\Users\Admin\AppData\Local\Temp\1d5bc596f4266425e1af0b30d1c6a5cc9e3ef0a97afbda9731cfe26b6bca2d86.exe
        "C:\Users\Admin\AppData\Local\Temp\1d5bc596f4266425e1af0b30d1c6a5cc9e3ef0a97afbda9731cfe26b6bca2d86.exe"
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        PID:2868

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Program Files\Windows Sidebar\Shared Gadgets\german kicking sleeping glans .rar.exe
    Filesize

    2.1MB

    MD5

    cb122888a837dac26b0d4671e2c4af95

    SHA1

    47bfcc889d1c5067f21304075b304514a08bc25c

    SHA256

    0bec56b32ff32ca5d9f52a139a32595e78797da41a641d30736b957e10833693

    SHA512

    9c0b9083e5b320b4939327307eb833d83ab5669a85b236221b050b539c767c0b2f84d74f92f7641997a0bc4a59803d5ad66cb0ad6c41d5fd376d894c9b970d1b

    Download Submit

  • C:\debug.txt
    Filesize

    183B

    MD5

    7bfdb6b128b0dc76d3e7f66fde81bf2b

    SHA1

    26ff8abd4f4808ccb132e73aa4f85e445e4019a2

    SHA256

    41963b2131cf77bae5c88ae758ab58d704edc6fa0fbc81a2d46144c17f35dcca

    SHA512

    bb01c1bffb7227b8c8a89ba09d1f30010593c79f76d2fb705b760b52f1125762bc095bc623e5e3061a6a2940d80d78cca0e1450f04bd9479e0c7257dae8840f4

    Download Submit

  • memory/2400-127-0x0000000000400000-0x000000000041C000-memory.dmp

    Filesize

    112KB

    Download

  • memory/2400-0-0x0000000000400000-0x000000000041C000-memory.dmp

    Filesize

    112KB

    Download

  • memory/2400-145-0x0000000000400000-0x000000000041C000-memory.dmp

    Filesize

    112KB

    Download

  • memory/2400-142-0x0000000000400000-0x000000000041C000-memory.dmp

    Filesize

    112KB

    Download

  • memory/2400-94-0x0000000000400000-0x000000000041C000-memory.dmp

    Filesize

    112KB

    Download

  • memory/2400-139-0x0000000000400000-0x000000000041C000-memory.dmp

    Filesize

    112KB

    Download

  • memory/2400-136-0x0000000000400000-0x000000000041C000-memory.dmp

    Filesize

    112KB

    Download

  • memory/2400-113-0x0000000000400000-0x000000000041C000-memory.dmp

    Filesize

    112KB

    Download

  • memory/2400-110-0x0000000000400000-0x000000000041C000-memory.dmp

    Filesize

    112KB

    Download

  • memory/2400-108-0x0000000001EE0000-0x0000000001EFC000-memory.dmp

    Filesize

    112KB

    Download

  • memory/2400-64-0x0000000001EE0000-0x0000000001EFC000-memory.dmp

    Filesize

    112KB

    Download

  • memory/2400-105-0x0000000000400000-0x000000000041C000-memory.dmp

    Filesize

    112KB

    Download

  • memory/2400-133-0x0000000000400000-0x000000000041C000-memory.dmp

    Filesize

    112KB

    Download

  • memory/2400-116-0x0000000000400000-0x000000000041C000-memory.dmp

    Filesize

    112KB

    Download

  • memory/2400-121-0x0000000000400000-0x000000000041C000-memory.dmp

    Filesize

    112KB

    Download

  • memory/2400-124-0x0000000000400000-0x000000000041C000-memory.dmp

    Filesize

    112KB

    Download

  • memory/2400-130-0x0000000000400000-0x000000000041C000-memory.dmp

    Filesize

    112KB

    Download

  • memory/2472-109-0x0000000000500000-0x000000000051C000-memory.dmp

    Filesize

    112KB

    Download

  • memory/2472-103-0x0000000000400000-0x000000000041C000-memory.dmp

    Filesize

    112KB

    Download

  • memory/2472-65-0x0000000000400000-0x000000000041C000-memory.dmp

    Filesize

    112KB

    Download

  • memory/2472-89-0x0000000000500000-0x000000000051C000-memory.dmp

    Filesize

    112KB

    Download

  • memory/2868-104-0x0000000000400000-0x000000000041C000-memory.dmp

    Filesize

    112KB

    Download

  • memory/2868-90-0x0000000000400000-0x000000000041C000-memory.dmp

    Filesize

    112KB

    Download