Overview

overview

10

Static

static

3

CreditCard...er.exe

windows7-x64

10

CreditCard...er.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    119s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
  • submitted
    11-10-2024 11:30

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    CreditCardGenChecker.exe

  • Size

    1.5MB

  • MD5

    50efa8e740357a86511b32b7f67193b0

  • SHA1

    374e00d228ed1510f8cbc07558dd714b83e43f18

  • SHA256

    54b2a237e237d0060e5d8f5ab612c0b236f5f39d07b311af99fa1e7e986ee0e9

  • SHA512

    fc258fff378ae5ac756f4068c015b2bfea0047928f42c15867836f924eb4b95c1e6c404730a5c8dfd074b3e0208994530557b7aadb03868e4dc21d243a8e9a71

  • SSDEEP

    12288:TyV3Wsxv4Til5TYyUyQc8uHgo2aYFSvRX55Lm1LsLzEg5xC4BSE9:TyxWcMoSDuAxaUSZDLmBsLzEg5xCvE9

Score
10/10
discoveryevasionpersistencetrojanvmprotect

Malware Config

Signatures

  • UAC bypass 3 TTPs 1 IoCs
    evasiontrojan
  • Drops file in Drivers directory 1 IoCs
  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 3 IoCs
  • VMProtect packed file 2 IoCs

    Detects executables packed with VMProtect commercial packer.

    vmprotect
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 2 IoCs
    evasiontrojan
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 19 IoCs
  • Suspicious use of AdjustPrivilegeToken 21 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs
  • System policy modification 1 TTPs 1 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\CreditCardGenChecker.exe
    "C:\Users\Admin\AppData\Local\Temp\CreditCardGenChecker.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:2588
    • C:\Users\Admin\AppData\Roaming\sysapp.exe
      "C:\Users\Admin\AppData\Roaming\sysapp.exe"
      2⤵
      • Drops startup file
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2356
      • C:\Windows\system32\svchost.exe
        C:\Windows\system32\svchost.exe -k DcomLaunch
        3⤵
        • Drops file in Drivers directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:2760
        • C:\Windows\system32\WerFault.exe
          C:\Windows\system32\WerFault.exe -u -p 2760 -s 220
          4⤵
            PID:2868
      • C:\Users\Admin\AppData\Local\Temp\CardsChecker.exe
        "CardsChecker.exe"
        2⤵
        • UAC bypass
        • Executes dropped EXE
        • Adds Run key to start application
        • Checks whether UAC is enabled
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • System policy modification
        PID:2104

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\CardsChecker.exe
      Filesize

      693KB

      MD5

      6f14dcfb307f4f9d9fe04c277f9e6e73

      SHA1

      c1b3cf0ee07b96678b27f546a914cd4501c11b25

      SHA256

      b1fec85f2708e55f07e6301f8ac4f61457d8b5706dc72705d89a9001ee90ca5d

      SHA512

      8ef3c25434c004c2cdf3f07e4e632b42feb180ed740d34f4b5506ee0d387b12bbf0c34ce63250f64fef62de94843ec8a20e62887db0647d06818555b39ce9d80

      Download Submit

    • C:\Users\Admin\AppData\Roaming\{90F4370F114B3207603164}\{90F4370F114B3207603164}.exe
      Filesize

      278KB

      MD5

      cfc83e7145c70e71874460c78a0e9cf4

      SHA1

      d3ec09e035916e8eceb14cd53650cc843606aae2

      SHA256

      ab97099d14bfaf3fcb3862628d710d5b6b2fa9afa30011ddcf686eb11d6ff92f

      SHA512

      b04b2809e9fff5172a356e9b0fc66c969d9ecf1fd804cf3ff002f489591b7a4e52ca7c5cc874e40fb3bed0982bcae78cc88bbfab52137a4564bdf482a4ad9eb4

      Download Submit

    • C:\Windows\System32\drivers\etc\hosts
      Filesize

      1KB

      MD5

      a59a2823cf4bb50d21773c5a03d06176

      SHA1

      2fdfcf1ad6b564184ab61c7650e121a87c8a4673

      SHA256

      76a0a6bc1f2fb9d17bb9bae437c17e84b269d6773cbff0b501dd5df70b0768e4

      SHA512

      1c6e06131aac6f93b652f5b1888a868acdeee5851185086e2597119d636b4a95d96327715e10b95f356d84f2ab5868d25161ab2d05854f229fb9417da2062696

      Download Submit

    • memory/2104-76-0x0000000074C60000-0x000000007534E000-memory.dmp

      Filesize

      6.9MB

      Download

    • memory/2104-75-0x0000000001FD0000-0x0000000002036000-memory.dmp

      Filesize

      408KB

      Download

    • memory/2104-74-0x0000000000AC0000-0x0000000000BC4000-memory.dmp

      Filesize

      1.0MB

      Download

    • memory/2104-73-0x0000000074C6E000-0x0000000074C6F000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2104-78-0x0000000074C6E000-0x0000000074C6F000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2104-79-0x0000000074C60000-0x000000007534E000-memory.dmp

      Filesize

      6.9MB

      Download

    • memory/2760-22-0x000007FFFFFDC000-0x000007FFFFFDD000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2760-77-0x0000000140000000-0x000000014004C000-memory.dmp

      Filesize

      304KB

      Download