Overview

overview

7

Static

static

3

3f8396d2c7...0N.exe

windows7-x64

7

3f8396d2c7...0N.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    15s
  • max time network
    16s
  • platform
    windows7_x64
  • resource
    win7-20240705-en
  • resource tags

    arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
  • submitted
    25/08/2024, 05:41

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    3f8396d2c7d79395e8ce530630ad00a0N.exe

  • Size

    144KB

  • MD5

    3f8396d2c7d79395e8ce530630ad00a0

  • SHA1

    a4d292f4961dd3b51c4ed8ba9e5c62cef808c1e5

  • SHA256

    28ba6f68ff20284b9b819bdc35742114bfa9a6862f12c073e41dbcc2b8a69855

  • SHA512

    58f119972d922a80750ab098110e077b580dd744ebba178ffc5a03db1b0ecc21663fc9ea84e16805dad6fd3156258540574abd130e0598fdd9fe988317ddeffc

  • SSDEEP

    3072:ZhpAyazIlyazTye5RpnltHWMoyFIKZeEfIDbmaxJfyFS:hZMazGeV2MEKQWbmfyQ

Score
7/10
discoverypersistencespywarestealer

Malware Config

Signatures

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 3 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Drops file in Windows directory 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\3f8396d2c7d79395e8ce530630ad00a0N.exe
    "C:\Users\Admin\AppData\Local\Temp\3f8396d2c7d79395e8ce530630ad00a0N.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1660
    • C:\Users\Admin\AppData\Local\Temp\pG0mIVdKEiC55cQ.exe
      C:\Users\Admin\AppData\Local\Temp\pG0mIVdKEiC55cQ.exe
      2⤵
      • Executes dropped EXE
      PID:2280
    • C:\Windows\CTS.exe
      "C:\Windows\CTS.exe"
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      PID:2972

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\CTS.exe
    Filesize

    71KB

    MD5

    66df4ffab62e674af2e75b163563fc0b

    SHA1

    dec8a197312e41eeb3cfef01cb2a443f0205cd6e

    SHA256

    075a6eecd8da1795532318f9cf880efe42461f9464d63f74deb271d33110f163

    SHA512

    1588dd78e6e8972013c40cdb6acfb84c8df7b081197233ce621904b645356c805d0424bb93dd46c55834dc47d9ff39ee1323cf8e670841b3fff24ab98ba87f25

    Download Submit

  • \Users\Admin\AppData\Local\Temp\pG0mIVdKEiC55cQ.exe
    Filesize

    73KB

    MD5

    d2778164ef643ba8f44cc202ec7ef157

    SHA1

    31eee7114eed6b0d2fb77c9f3605057639050786

    SHA256

    28b001bb9a72ae7a24242bfab248d767a1ac5dec981c672a3944f7a072375e9a

    SHA512

    cb2a5a2aeba9d6f6bfc4a3a4576961244c109aafb59f02134b03ebac4d16602ee7f141cc4adc519f15030c20e7e7d6585778870706b2ea4c74c1161729101635

    Download Submit