Analysis
- max time kernel: 120s
- max time network: 122s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 09-05-2024 15:44
Static task: static1
Behavioral task: behavioral1
- Sample: DevxExecutor.exe
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: DevxExecutor.exe
- Resource: win10-20240404-en
Behavioral task: behavioral3
- Sample: DevxExecutor.exe
- Resource: win10v2004-20240226-en
Behavioral task: behavioral4
- Sample: DevxExecutor.exe
- Resource: win11-20240426-en
General
- Target: DevxExecutor.exe
- Size: 44.1MB
- MD5: e4897ef7419e128b1f7473119ce0bd07
- SHA1: 5aad252412a5923438f30cb9c397731a9b020121
- SHA256: 6d5ba38a5e9bde7939ac5dcb8fdcb970701168064d30abcf518cf8d272a0f581
- SHA512: db66ea2cb3f5f30934ab071e1dd2e7b41f6dc5c4be125f1d2d6aab627b3be8b6cf8fcbed517a414cdf037a068414b178176edba2e28de6419b65269e0abb162c
- SSDEEP: 786432:NCZkrrfdktmLX8t8lBBvUPlZIOPuOI64zlNWtVMoOIsuXzfVib4a9BWN:N4GlkcLMtUzilKUINzmtVkMfWo
Malware Config
Signatures

Executes dropped EXE (5 IoCs)
pid   Process
2964  cstealer.exe
2544  cstealer.exe
2636  main.exe
2680  main.exe
1084  Process not Found

Loads dropped DLL (9 IoCs)
pid   Process
1712  DevxExecutor.exe
2964  cstealer.exe
2544  cstealer.exe
1712  DevxExecutor.exe
2636  main.exe
2680  main.exe
1084  Process not Found
1084  Process not Found
1084  Process not Found

resource                                                                  yara_rule
behavioral1/files/0x0006000000016d20-55.dat                               upx
behavioral1/memory/2680-57-0x000007FEF02B0000-0x000007FEF0898000-memory.dmp  upx

Detects Pyinstaller (2 IoCs)
resource                                      yara_rule
behavioral1/files/0x000b0000000143e5-5.dat    pyinstaller
behavioral1/files/0x000600000001630a-39.dat   pyinstaller

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
pid   Process
2680  main.exe

Suspicious use of WriteProcessMemory (12 IoCs)
description                          pid   Process           procid_target
PID 1712 wrote to memory of 2964     1712  DevxExecutor.exe  28
PID 1712 wrote to memory of 2964     1712  DevxExecutor.exe  28
PID 1712 wrote to memory of 2964     1712  DevxExecutor.exe  28
PID 2964 wrote to memory of 2544     2964  cstealer.exe      29
PID 2964 wrote to memory of 2544     2964  cstealer.exe      29
PID 2964 wrote to memory of 2544     2964  cstealer.exe      29
PID 1712 wrote to memory of 2636     1712  DevxExecutor.exe  30
PID 1712 wrote to memory of 2636     1712  DevxExecutor.exe  30
PID 1712 wrote to memory of 2636     1712  DevxExecutor.exe  30
PID 2636 wrote to memory of 2680     2636  main.exe          31
PID 2636 wrote to memory of 2680     2636  main.exe          31
PID 2636 wrote to memory of 2680     2636  main.exe          31
Processes
- C:\Users\Admin\AppData\Local\Temp\DevxExecutor.exe  "C:\Users\Admin\AppData\Local\Temp\DevxExecutor.exe"  (depth 1, PID 1712)
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\cstealer.exe  "C:\Users\Admin\AppData\Local\Temp\cstealer.exe"  (depth 2, PID 2964)
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\cstealer.exe  "C:\Users\Admin\AppData\Local\Temp\cstealer.exe"  (depth 3, PID 2544)
      - Executes dropped EXE
      - Loads dropped DLL
  - C:\Users\Admin\AppData\Local\Temp\main.exe  "C:\Users\Admin\AppData\Local\Temp\main.exe"  (depth 2, PID 2636)
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\main.exe  "C:\Users\Admin\AppData\Local\Temp\main.exe"  (depth 3, PID 2680)
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious behavior: GetForegroundWindowSpam
Network
MITRE ATT&CK Enterprise v15
Downloads

- Filesize: 1.6MB
  MD5: bb46b85029b543b70276ad8e4c238799
  SHA1: 123bdcd9eebcac1ec0fd2764a37e5e5476bb0c1c
  SHA256: 72c24e1db1ba4df791720a93ca9502d77c3738eebf8b9092a5d82aa8d80121d0
  SHA512: 5e993617509c1cf434938d6a467eb0494e04580ad242535a04937f7c174d429da70a6e71792fc3de69e103ffc5d9de51d29001a4df528cfffefdaa2cef4eaf31

- Filesize: 5.5MB
  MD5: 9a24c8c35e4ac4b1597124c1dcbebe0f
  SHA1: f59782a4923a30118b97e01a7f8db69b92d8382a
  SHA256: a0cf640e756875c25c12b4a38ba5f2772e8e512036e2ac59eb8567bf05ffbfb7
  SHA512: 9d9336bf1f0d3bc9ce4a636a5f4e52c5f9487f51f00614fc4a34854a315ce7ea8be328153812dbd67c45c75001818fa63317eba15a6c9a024fa9f2cab163165b

- Filesize: 36.0MB
  MD5: 1ee0837eedf03e82aa652b1bf157387f
  SHA1: 9f67248352c6eb3ff5c6c4d5eb05a55eff499cd8
  SHA256: 545f339c71cac4b4eb0440fed022a51032c208ee1d5cdef050d97b37adf8de4a
  SHA512: 8bd47bd3ef1f622029cb6ecec02eac62c45f6d788d813eca80c275a4fb4cc35a1c25f869b66551fe57099500587cebc135cbcda0e7a43e70fceb3762185b0c5a

- Filesize: 8.5MB
  MD5: bc2b7de582fb94f0c44855d8fab8c236
  SHA1: 62e1cfd2d999025930a3dacf6bf71b8f9d166c2b
  SHA256: 2481caeaa2b5db3c040aab3054fcd0bfd42637a4000c4b676215459d38ca4c3c
  SHA512: 5cfa22eac5eec79c4f479a3bc54ed31f0a1943ac598954ad05b2f3e6d63ec7abdf496f8926446c08d44685ddcb338018a14fe9d5167dcc16b752d49b661704e9