Overview

overview

7

Static

static

7

1e4fc6c25d...c0.exe

windows7-x64

7

1e4fc6c25d...c0.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    150s
  • max time network
    152s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    29/05/2024, 01:21

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    1e4fc6c25de9386ce79d587b052724c0.exe

  • Size

    421KB

  • MD5

    1e4fc6c25de9386ce79d587b052724c0

  • SHA1

    740cb7b7d01d87179f54dc89463ef206bff647d8

  • SHA256

    4e748603387fac40c0477da3bcd56f8f7c28950143c6055aa6315f51fdb3e317

  • SHA512

    2116b4f539a9927d17581858f60051906b4867d81de492a942e874292d8391508343f7a06a5b2e37d9463188095770de30d15dfb8467ab383f0b597615aa9527

  • SSDEEP

    12288:A8EQoSMy+Hi3zi5f1IRAjwsThxvskYwqSqo:A8n+D7ThWkYTSqo

Score
7/10
persistencespywarestealerupx

Malware Config

Signatures

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • UPX packed file 22 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Enumerates connected drives 3 TTPs 23 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory 10 IoCs
  • Drops file in Program Files directory 15 IoCs
  • Drops file in Windows directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1e4fc6c25de9386ce79d587b052724c0.exe
    "C:\Users\Admin\AppData\Local\Temp\1e4fc6c25de9386ce79d587b052724c0.exe"
    1⤵
    • Adds Run key to start application
    • Enumerates connected drives
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1336
    • C:\Users\Admin\AppData\Local\Temp\1e4fc6c25de9386ce79d587b052724c0.exe
      "C:\Users\Admin\AppData\Local\Temp\1e4fc6c25de9386ce79d587b052724c0.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:2500
      • C:\Users\Admin\AppData\Local\Temp\1e4fc6c25de9386ce79d587b052724c0.exe
        "C:\Users\Admin\AppData\Local\Temp\1e4fc6c25de9386ce79d587b052724c0.exe"
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        PID:2412
    • C:\Users\Admin\AppData\Local\Temp\1e4fc6c25de9386ce79d587b052724c0.exe
      "C:\Users\Admin\AppData\Local\Temp\1e4fc6c25de9386ce79d587b052724c0.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:2544

Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Program Files\Windows Sidebar\Shared Gadgets\sperm hot (!) granny .avi.exe
          Filesize

          517KB

          MD5

          102fb075706897e1397890f73c0a57ca

          SHA1

          8555d4a1aa75ecbddf9b95ccfa41adcdc8904f4c

          SHA256

          6d3b676c7cf49895fd9e1717045f01e7f93e81b7cdbee4281784daf659522780

          SHA512

          cd888a1d77c9a92676514d8b91f13705052ef5f274219ec7ef0d4d61fd975a914114611837cd78358297131162142470896bd246c8276054bd0537ad6da0d50b

          Download Submit

        • C:\debug.txt
          Filesize

          183B

          MD5

          aa6fde296dfa880fca46243ac744e83a

          SHA1

          fa1ce8605faf1aa18ad6f8e0a826b3f2c9069c93

          SHA256

          da1e8c6ea9c4a58b9d7c40980903b0c71c024d66281c13cf838cb4b32ee8bac4

          SHA512

          aeae4828d75842d9a234c5b3768360b6dfcb9d610e1c6a5cc4b2d19ec4eadd9bdaab990b17d676c16daa11e456f8863cdb1519f0a22be87430303132f85d33ac

          Download Submit

        • memory/1336-92-0x0000000000400000-0x000000000041C000-memory.dmp

          Filesize

          112KB

          Download

        • memory/1336-102-0x0000000000400000-0x000000000041C000-memory.dmp

          Filesize

          112KB

          Download

        • memory/1336-154-0x0000000000400000-0x000000000041C000-memory.dmp

          Filesize

          112KB

          Download

        • memory/1336-150-0x0000000000400000-0x000000000041C000-memory.dmp

          Filesize

          112KB

          Download

        • memory/1336-82-0x0000000000400000-0x000000000041C000-memory.dmp

          Filesize

          112KB

          Download

        • memory/1336-146-0x0000000000400000-0x000000000041C000-memory.dmp

          Filesize

          112KB

          Download

        • memory/1336-97-0x0000000000400000-0x000000000041C000-memory.dmp

          Filesize

          112KB

          Download

        • memory/1336-142-0x0000000000400000-0x000000000041C000-memory.dmp

          Filesize

          112KB

          Download

        • memory/1336-91-0x0000000000400000-0x000000000041C000-memory.dmp

          Filesize

          112KB

          Download

        • memory/1336-93-0x00000000049E0000-0x00000000049FC000-memory.dmp

          Filesize

          112KB

          Download

        • memory/1336-138-0x0000000000400000-0x000000000041C000-memory.dmp

          Filesize

          112KB

          Download

        • memory/1336-134-0x0000000000400000-0x000000000041C000-memory.dmp

          Filesize

          112KB

          Download

        • memory/1336-124-0x0000000000400000-0x000000000041C000-memory.dmp

          Filesize

          112KB

          Download

        • memory/1336-17-0x00000000049E0000-0x00000000049FC000-memory.dmp

          Filesize

          112KB

          Download

        • memory/1336-116-0x0000000000400000-0x000000000041C000-memory.dmp

          Filesize

          112KB

          Download

        • memory/1336-120-0x0000000000400000-0x000000000041C000-memory.dmp

          Filesize

          112KB

          Download

        • memory/1336-0-0x0000000000400000-0x000000000041C000-memory.dmp

          Filesize

          112KB

          Download

        • memory/1336-128-0x0000000000400000-0x000000000041C000-memory.dmp

          Filesize

          112KB

          Download

        • memory/2412-52-0x0000000000400000-0x000000000041C000-memory.dmp

          Filesize

          112KB

          Download

        • memory/2412-90-0x0000000000400000-0x000000000041C000-memory.dmp

          Filesize

          112KB

          Download

        • memory/2500-88-0x0000000000400000-0x000000000041C000-memory.dmp

          Filesize

          112KB

          Download

        • memory/2500-51-0x0000000004900000-0x000000000491C000-memory.dmp

          Filesize

          112KB

          Download

        • memory/2544-89-0x0000000000400000-0x000000000041C000-memory.dmp

          Filesize

          112KB

          Download

        • memory/2544-50-0x0000000000400000-0x000000000041C000-memory.dmp

          Filesize

          112KB

          Download