Overview

overview

7

Static

static

3

77dc98684b...68.exe

windows7-x64

7

77dc98684b...68.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    28/09/2024, 16:11

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    77dc98684b3008d241b547e052309268.exe

  • Size

    8.0MB

  • MD5

    77dc98684b3008d241b547e052309268

  • SHA1

    50c1adb5e3cf4e9633f8c09129fc3aa1d1c74142

  • SHA256

    b3370e95b5162ab3158e5906e9488fd74612f6fcfe21927be78ffc7ed29e9339

  • SHA512

    629298de87c0d22f1da55266cc88b1a6cf98f55608c34e1452605b3dc905bd667ebe04451e5adc29003d9f8f73d632fd649f3fa46f5fc4042c0574e78086d956

  • SSDEEP

    98304:LaHed/kmNPklN4P6teMPlswOB9jYkRcXqwOJUqIJ9aAaaH2bwEYLNzj4ywfwjvYP:LPdMjshaqwqU7J3RWcEYL94ywfpdlj

Score
7/10
discoveryspywarestealerupx

Malware Config

Signatures

  • ACProtect 1.3x - 1.4x DLL software 1 IoCs

    Detects file using ACProtect software.

  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 6 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • UPX packed file 3 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

    discovery
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

    discovery
  • Modifies registry class 1 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\77dc98684b3008d241b547e052309268.exe
    "C:\Users\Admin\AppData\Local\Temp\77dc98684b3008d241b547e052309268.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:4676
    • C:\Users\Admin\AppData\Local\Temp\Microsoft Runtime Broker.exe
      "C:\Users\Admin\AppData\Local\Temp\Microsoft Runtime Broker.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1768
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\LlxEa6Y2Ba.bat"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2476
        • C:\Windows\system32\chcp.com
          chcp 65001
          4⤵
            PID:4800
          • C:\Windows\system32\PING.EXE
            ping -n 10 localhost
            4⤵
            • System Network Configuration Discovery: Internet Connection Discovery
            • Runs ping.exe
            PID:4688
          • C:\Users\Admin\AppData\Local\RuntimeBroker.exe
            "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
            4⤵
            • Executes dropped EXE
            • Suspicious use of AdjustPrivilegeToken
            PID:2620
      • C:\Users\Admin\AppData\Local\Temp\BOT Òðàìâàé by bahajostkiy.exe
        "C:\Users\Admin\AppData\Local\Temp\BOT Òðàìâàé by bahajostkiy.exe"
        2⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:1608
        • C:\Users\Admin\AppData\Local\Temp\BotTTU.exe
          "C:\Users\Admin\AppData\Local\Temp\BotTTU.exe"
          3⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          PID:2596

    Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Local\Temp\BOT Òðàìâàé by bahajostkiy.exe
            Filesize

            4.4MB

            MD5

            c4d9d7edd6eaf6f00085ffad2a39dbf3

            SHA1

            008097accf5ed53381ab449ae6cd29c23a0b6734

            SHA256

            edbb206c8baa790d7c94c6ffa0f3652959e60f64df5312af67bb127df2eb24d4

            SHA512

            b60d4b4128ab128cc509dedd311f58b680dd40234bfa00bd5ce1b6078355cb9a6d2452fdaca8e8a564c8e3579f6926043df0de2e345bcc42c34d02b5ac839d19

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\BotTTU.exe
            Filesize

            8.5MB

            MD5

            fac67e0a7536b70859e5e9793d5430d0

            SHA1

            b8e97eaabe7aaba3a9b52e6e32d241eebc0bb041

            SHA256

            72fd53349d9790fe6479dfa23815955c39a79914fc45dab51a8cbefea90fc7ad

            SHA512

            1a457243a63d31791d557d393e32e60a1455d59a0a4b80ab3b0bc5115655c925891c590f58f0ef6931b5e5c4690d94d9e9afe44b4a2179f45065596badf8d961

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\LlxEa6Y2Ba.bat
            Filesize

            174B

            MD5

            085da2ba1d141f9a614632057e1c110e

            SHA1

            58cd6e6041713966fb882d5dfdd60d9f8251bac6

            SHA256

            c7d1d1db66419d5b1f29c5d6cb3eeee0bce11320a5912f758afd8d93af977496

            SHA512

            bee6e83327fb2d5f4c680fc89f6c062fe43ed4c04452b970e553ea366581600eb5a0039a2c1f30e3011b3bceea22f83956f1a4bb383cc6bcbb4a5fd0f0f0172e

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\MSVCR71.dll
            Filesize

            164KB

            MD5

            5776a4ef7f492636c052ae64b35bf4ce

            SHA1

            33f56f902e20ed138baa351f7446bf40abdd62c9

            SHA256

            42ded6072e28ed5394b0a832a0559b8e618490764f2490dbedcf7e5479537573

            SHA512

            829e286fd303577c2c6352c6279b084055f2bb772650f7b26d4b0a1c7c0185385ed8bde855fcc598c09ccd79ed92fcbf47537c7ea09786fddb6005dee3b9ae6d

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\Microsoft Runtime Broker.exe
            Filesize

            3.5MB

            MD5

            c09d8420743f1e346c3babd5da1eecc2

            SHA1

            e3e6723fb7fc19d4f8c37e288abfe4b27895b823

            SHA256

            ed1b171e8620d55ec06ae707fc82aa11d9e1d5200574a206bfb9aaadb8aff63f

            SHA512

            5196c59b69995baddac66738aa421b2a6acf3654831fcc9f65ac860eff8c93ee2665e8aabbf0dfc2428d5d879d38eca9cab0b65230f286890e3dcb8c130b50da

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\PSE11\php\modules\php_bcompiler.dll
            Filesize

            46KB

            MD5

            a44bca08e8ed65e636f8b68960b8d7ea

            SHA1

            1803024e3e62f51d474e832b67d2d8ec167b96de

            SHA256

            26bb0541924fd7f96c22df5b4f7b8cabd88ea440dd19ddefb4e2754f17eb0df4

            SHA512

            c83a5c4b5f38767e74b67b81f83635459e9165e4bc6574c53e77e57cfb1107aa435172375e8eee44e7fce2b50ec8f108dc8d609bad332798740de7cb6cf51e4c

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\PSE11\php\modules\php_bz2.dll
            Filesize

            68KB

            MD5

            2f8bc6c1741bc86ee012f444c56d192e

            SHA1

            c4840d4d39dd8fafe4248ab96082860a0db02f6f

            SHA256

            ec6f6310e3a08ad80ea159c336e93cc024dae223a5bd4b08ae2e0351941aec07

            SHA512

            6a8e415f5d14f56a29541d50f7277f66222f4f1374fdb1f1892ce51dbc29e5ef766552518a2c78b8ae0bb5820b6eb3330b2dc9595f80b78ef6131de069a8c76e

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\PSE11\php\php5ts.dll
            Filesize

            4.6MB

            MD5

            5483bd2f68e4be087be99e938c4de8fc

            SHA1

            e5e56d93b69197f11f87d8dd3e84a9697b4ced29

            SHA256

            e452640009a12c3a666a425515953ebd3ca29a9064ed616671d722d31f9d2dfd

            SHA512

            3619d7f95d48c0840439d59a81bf3e6050f445e0158527aa24d98702f5cd6a67298947e999d23cfba80b0d279afae81eddc75d24a455bc484f7b3586482b2bb2

            Download Submit

          • memory/1768-80-0x000000001C2C0000-0x000000001C2D2000-memory.dmp

            Filesize

            72KB

            Download

          • memory/1768-99-0x000000001C2E0000-0x000000001C2F6000-memory.dmp

            Filesize

            88KB

            Download

          • memory/1768-46-0x000000001C1A0000-0x000000001C1BC000-memory.dmp

            Filesize

            112KB

            Download

          • memory/1768-48-0x000000001C250000-0x000000001C2A0000-memory.dmp

            Filesize

            320KB

            Download

          • memory/1768-50-0x000000001BF70000-0x000000001BF80000-memory.dmp

            Filesize

            64KB

            Download

          • memory/1768-52-0x000000001C220000-0x000000001C238000-memory.dmp

            Filesize

            96KB

            Download

          • memory/1768-54-0x000000001BF80000-0x000000001BF90000-memory.dmp

            Filesize

            64KB

            Download

          • memory/1768-39-0x000000001C1D0000-0x000000001C1F6000-memory.dmp

            Filesize

            152KB

            Download

          • memory/1768-131-0x00007FFF95E20000-0x00007FFF968E1000-memory.dmp

            Filesize

            10.8MB

            Download

          • memory/1768-60-0x000000001C1C0000-0x000000001C1D0000-memory.dmp

            Filesize

            64KB

            Download

          • memory/1768-62-0x000000001C200000-0x000000001C20E000-memory.dmp

            Filesize

            56KB

            Download

          • memory/1768-23-0x00007FFF95E20000-0x00007FFF968E1000-memory.dmp

            Filesize

            10.8MB

            Download

          • memory/1768-22-0x00007FFF95E20000-0x00007FFF968E1000-memory.dmp

            Filesize

            10.8MB

            Download

          • memory/1768-15-0x00007FFF95E23000-0x00007FFF95E25000-memory.dmp

            Filesize

            8KB

            Download

          • memory/1768-129-0x000000001C400000-0x000000001C44E000-memory.dmp

            Filesize

            312KB

            Download

          • memory/1768-121-0x000000001C450000-0x000000001C49E000-memory.dmp

            Filesize

            312KB

            Download

          • memory/1768-119-0x000000001C3E0000-0x000000001C3F8000-memory.dmp

            Filesize

            96KB

            Download

          • memory/1768-14-0x0000000000FE0000-0x0000000001368000-memory.dmp

            Filesize

            3.5MB

            Download

          • memory/1768-92-0x000000001C210000-0x000000001C220000-memory.dmp

            Filesize

            64KB

            Download

          • memory/1768-43-0x000000001BF20000-0x000000001BF2E000-memory.dmp

            Filesize

            56KB

            Download

          • memory/1768-101-0x000000001C300000-0x000000001C312000-memory.dmp

            Filesize

            72KB

            Download

          • memory/1768-102-0x000000001C850000-0x000000001CD78000-memory.dmp

            Filesize

            5.2MB

            Download

          • memory/1768-104-0x000000001C240000-0x000000001C24E000-memory.dmp

            Filesize

            56KB

            Download

          • memory/1768-106-0x000000001C2A0000-0x000000001C2B0000-memory.dmp

            Filesize

            64KB

            Download

          • memory/1768-109-0x000000001C2B0000-0x000000001C2C0000-memory.dmp

            Filesize

            64KB

            Download

          • memory/1768-111-0x000000001C380000-0x000000001C3DA000-memory.dmp

            Filesize

            360KB

            Download

          • memory/1768-113-0x000000001C320000-0x000000001C32E000-memory.dmp

            Filesize

            56KB

            Download

          • memory/1768-115-0x000000001C330000-0x000000001C340000-memory.dmp

            Filesize

            64KB

            Download

          • memory/1768-117-0x000000001C340000-0x000000001C34E000-memory.dmp

            Filesize

            56KB

            Download

          • memory/2596-67-0x00000000025F0000-0x00000000025FF000-memory.dmp

            Filesize

            60KB

            Download

          • memory/2596-72-0x000000007C360000-0x000000007C3C0000-memory.dmp

            Filesize

            384KB

            Download

          • memory/2596-76-0x0000000002600000-0x0000000002611000-memory.dmp

            Filesize

            68KB

            Download

          • memory/2596-57-0x0000000010000000-0x00000000104DC000-memory.dmp

            Filesize

            4.9MB

            Download

          • memory/2596-134-0x000000007C360000-0x000000007C3C0000-memory.dmp

            Filesize

            384KB

            Download

          • memory/2596-132-0x0000000000400000-0x00000000005C0000-memory.dmp

            Filesize

            1.8MB

            Download

          • memory/2596-165-0x0000000000400000-0x00000000005C0000-memory.dmp

            Filesize

            1.8MB

            Download

          • memory/2620-161-0x000000001F540000-0x000000001F58E000-memory.dmp

            Filesize

            312KB

            Download

          • memory/4676-20-0x0000000000400000-0x0000000000BFB000-memory.dmp

            Filesize

            8.0MB

            Download