Analysis
-
max time kernel
94s -
max time network
98s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
-
submitted
29-09-2024 19:11
General
-
Target
hack.exe
-
Size
4.9MB
-
MD5
a2665470d5074af084fbdac73abfce51
-
SHA1
d418ee23ac16427dd57448fcd37d9debeccec19c
-
SHA256
6b22ce132aec60bab2b31938e7e82d404bd92b91951adbc917ac370d4c20ec64
-
SHA512
7f9affe51ed17bcd2bcd02e1af31ba187cae5709447b1db0da54b6acba60fbcf54fba9dd554ac3322919a8da3cd250ff55840ce22aad4f5b7a2af991869e4a9e
-
SSDEEP
98304:vzIIYKj7uCz+msMeZB4dj44HjhDYlcFKL2tWAbPcvNZVc1Cq+:UIYKfkMeZBcphDbFKitW6U1ZVc4q
Malware Config
Signatures
-
Panda Stealer payload 1 IoCs
-
PandaStealer
Panda Stealer is a fork of CollectorProject Stealer written in C++.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 3 IoCs
-
Identifies Wine through registry keys 2 TTPs 1 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
VMProtect packed file 3 IoCs
Detects executables packed with VMProtect commercial packer.
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Hide Artifacts: Hidden Files and Directories 1 TTPs 2 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 13 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Kills process with taskkill 1 IoCs
-
Modifies registry key 1 TTPs 1 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of WriteProcessMemory 33 IoCs
-
Views/modifies file attributes 1 TTPs 2 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\hack.exe"C:\Users\Admin\AppData\Local\Temp\hack.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\1.exe"C:\Users\Admin\AppData\Local\Temp\1.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /F /IM CompPkgSup.exe3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM CompPkgSup.exe4⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c ATTRIB +h +s C:\ProgramData\ComponentUpdater3⤵
- Hide Artifacts: Hidden Files and Directories
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\attrib.exeATTRIB +h +s C:\ProgramData\ComponentUpdater4⤵
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c ATTRIB +h +s C:\ProgramData\ComponentUpdater\CompPkgSup.exe3⤵
- Hide Artifacts: Hidden Files and Directories
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\attrib.exeATTRIB +h +s C:\ProgramData\ComponentUpdater\CompPkgSup.exe4⤵
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /tn "PackagesSupport" /tr "C:\ProgramData\ComponentUpdater\CompPkgSup.exe" /f3⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "PackagesSupport" /d "C:\ProgramData\ComponentUpdater\CompPkgSup.exe" /f3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\reg.exereg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "PackagesSupport" /d "C:\ProgramData\ComponentUpdater\CompPkgSup.exe" /f4⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Modifies registry key
-
C:\Users\Admin\AppData\Local\Temp\1473005173_MT (3).exe"C:\Users\Admin\AppData\Local\Temp\1473005173_MT (3).exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
C:\ProgramData\ComponentUpdater\CompPkgSup.exeC:\ProgramData\ComponentUpdater\CompPkgSup.exe1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1Defense Evasion
Hide Artifacts
2Hidden Files and Directories
2Modify Registry
2Virtualization/Sandbox Evasion
2Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\1.exeFilesize
3.2MB
MD500f76520eafd1597c1ca4cfb5a7b8f35
SHA1323bcd00861a5f865c2b2aa89950327a0186bf86
SHA256ca97871ad8cb0750208ba9841c379eb9a400d0268e81324a4be8675f5dd57450
SHA5123d0881292f041e409301fc676f97833f9687c472b6986557ad33504941766de735909635878bb62bcfcc575aa819b7ea00fc6dcb02e6f319481da8a62a024dce
-
C:\Users\Admin\AppData\Local\Temp\1473005173_MT (3).exeFilesize
681KB
MD5c649103edd7f794a9898900bb62feb6f
SHA1b3d4806569b0ba667e9841d123c99605be33c953
SHA2569426c2d9763ec31b64650702144bb2e3fa157cc7ad473ac819fc031969ad32a9
SHA5120b3e789911313f466cc4403c74b9fc2142c02f876a2825dca9791c3f028cff6b497bfc2108ce69bf3f8508e03941b441a6987a04f5638204f5eee266bf60a8f3
-
memory/2924-63-0x00000000004E0000-0x000000000099B000-memory.dmpFilesize
4.7MB
-
memory/4504-0-0x0000000000400000-0x0000000000B0E000-memory.dmpFilesize
7.1MB
-
memory/4504-1-0x0000000076EE4000-0x0000000076EE6000-memory.dmpFilesize
8KB
-
memory/4504-2-0x0000000000401000-0x0000000000402000-memory.dmpFilesize
4KB
-
memory/4504-3-0x0000000000400000-0x0000000000B0E000-memory.dmpFilesize
7.1MB
-
memory/4504-4-0x0000000000400000-0x0000000000B0E000-memory.dmpFilesize
7.1MB
-
memory/4504-28-0x0000000000400000-0x0000000000B0E000-memory.dmpFilesize
7.1MB
-
memory/4804-29-0x0000000000B50000-0x000000000100B000-memory.dmpFilesize
4.7MB