Analysis

  • max time kernel
    140s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240611-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240611-en, locale:en-us, os:windows7-x64, system
  • submitted
    01-07-2024 18:44

General

  • Target

    Bypass-Tools/CGWebInstall2.exe

  • Size

    730KB

  • MD5

    bd11d302a86fa12e2032621554326bd0

  • SHA1

    be4a4d74b3b5316e46ef6d813031ca99c2c12b49

  • SHA256

    9894d651b7700ffd0992c0a310cfb867b84d32d644574f6571ea540d189a088d

  • SHA512

    59c0243cf2577c13ea3467e6e421a3f174c6f16623d125f69a608ad7d54977e57b471b31cbe7a79ba5c13f0296064bc172a9da41fe9379f977112fcc219cd400

  • SSDEEP

    12288:ONYr78QV1q6XEHjxa84YQ65FQLcCxB2FgUBVDZbU4xC78P:O64blYEQwuKBVDZgr78P

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 4 IoCs
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

  • Reads local data of messenger clients 2 TTPs

    Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

  • UPX packed file 4 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Bypass-Tools\CGWebInstall2.exe (PID:2060, tree depth 1)
    Command line: "C:\Users\Admin\AppData\Local\Temp\Bypass-Tools\CGWebInstall2.exe"
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    • C:\Users\Admin\AppData\Local\Temp\CGWebInstall.exe (PID:2924, tree depth 2, child of PID:2060)
      Command line: "C:\Users\Admin\AppData\Local\Temp\CGWebInstall.exe"
      • Executes dropped EXE
      • Loads dropped DLL

Network

MITRE ATT&CK Matrix (ATT&CK v13)

  • Credential Access
    • Unsecured Credentials (T1552): 2 signatures
    • Credentials In Files (T1552.001): 2 signatures
  • Discovery
    • System Information Discovery (T1082): 1 signature
  • Collection
    • Data from Local System (T1005): 2 signatures

Downloads

  • C:\Users\Admin\AppData\Local\Temp\CGWebInstall.exe
    Filesize

    705KB

    MD5

    57c469f23b012eab249174b0aefb7bac

    SHA1

    f2d0dcb04b1011849e08b9a1aa897503ccb22d08

    SHA256

    19bb1a05791ee90485a12918e2e763bd10fda86425694ce42ca1c0c25bf51847

    SHA512

    ee33c6e12ae4f9e20c22933759aaf0bdc0d67777cda4ff65931df0b72eddf7b4dd572d7248eb2d7420a2fdd6ec5857fc3513aaec9e85519235eb7475e0fd6b26

  • memory/2060-6-0x00000000028D0000-0x0000000002AB8000-memory.dmp
    Filesize

    1.9MB

  • memory/2924-13-0x0000000000AE0000-0x0000000000CC8000-memory.dmp
    Filesize

    1.9MB

  • memory/2924-12-0x0000000000AE0000-0x0000000000CC8000-memory.dmp
    Filesize

    1.9MB

  • memory/2924-11-0x0000000000400000-0x00000000005E8000-memory.dmp
    Filesize

    1.9MB

  • memory/2924-14-0x0000000000400000-0x00000000005E8000-memory.dmp
    Filesize

    1.9MB

  • memory/2924-16-0x0000000000AE0000-0x0000000000CC8000-memory.dmp
    Filesize

    1.9MB

  • memory/2924-17-0x0000000000AE0000-0x0000000000CC8000-memory.dmp
    Filesize

    1.9MB

  • memory/2924-19-0x0000000000400000-0x00000000005E8000-memory.dmp
    Filesize

    1.9MB