Overview

overview

8

Static

static

8

9738c7021f...46.exe

windows7_x64

8

9738c7021f...46.exe

windows10_x64

5

Analysis

  • max time kernel
    150s
  • max time network
    152s
  • platform
    windows7_x64
  • resource
    win7v20201028
  • submitted
    05-04-2021 00:53

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    9738c7021fdded8bb03e1588d17386dc175328630ecb0f1a3d671dfc4fb18d46.exe

  • Size

    269KB

  • MD5

    ba28a06e2aae1052319541d4124122c5

  • SHA1

    20613e49ee5b14dc04c7b045900f1d0e1b4173be

  • SHA256

    9738c7021fdded8bb03e1588d17386dc175328630ecb0f1a3d671dfc4fb18d46

  • SHA512

    9aaaa26c106043d56c48f89b3dd7b84ba9bbf7951c5e82a622d0eb93169e9520643bd5cb6b49dbd1cce7f5cd776e6b62b855266c099304acd3b9faa703187f25

Score
8/10
persistenceupx

Malware Config

Signatures

  • Executes dropped EXE 2 IoCs
  • UPX packed file 5 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Deletes itself 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Suspicious use of SetThreadContext 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 31 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 61 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1260
      • C:\Users\Admin\AppData\Local\Temp\9738c7021fdded8bb03e1588d17386dc175328630ecb0f1a3d671dfc4fb18d46.exe
        "C:\Users\Admin\AppData\Local\Temp\9738c7021fdded8bb03e1588d17386dc175328630ecb0f1a3d671dfc4fb18d46.exe"
        2⤵
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:1432
        • C:\Users\Admin\AppData\Local\Temp\9738c7021fdded8bb03e1588d17386dc175328630ecb0f1a3d671dfc4fb18d46.exe
          C:\Users\Admin\AppData\Local\Temp\9738c7021fdded8bb03e1588d17386dc175328630ecb0f1a3d671dfc4fb18d46.exe
          3⤵
          • Loads dropped DLL
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1836
          • C:\Users\Admin\AppData\Roaming\Ozub\laihk.exe
            "C:\Users\Admin\AppData\Roaming\Ozub\laihk.exe"
            4⤵
            • Executes dropped EXE
            • Suspicious use of SetThreadContext
            • Suspicious use of WriteProcessMemory
            PID:1944
            • C:\Users\Admin\AppData\Roaming\Ozub\laihk.exe
              C:\Users\Admin\AppData\Roaming\Ozub\laihk.exe
              5⤵
              • Executes dropped EXE
              • Adds Run key to start application
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of WriteProcessMemory
              PID:1252
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp5bbc77d4.bat"
            4⤵
            • Deletes itself
            PID:396
    • C:\Windows\system32\Dwm.exe
      "C:\Windows\system32\Dwm.exe"
      1⤵
        PID:1228
      • C:\Windows\system32\taskhost.exe
        "taskhost.exe"
        1⤵
          PID:1140
        • C:\Windows\system32\DllHost.exe
          C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
          1⤵
            PID:580
          • C:\Windows\system32\DllHost.exe
            C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
            1⤵
              PID:1176

            Network

            MITRE ATT&CK Matrix ATT&CK v6

            Initial Access

            Execution

            Persistence

            Registry Run Keys / Startup Folder

            1
            T1060

            Privilege Escalation

            Defense Evasion

            Modify Registry

            1
            T1112

            Credential Access

            Discovery

            Lateral Movement

            Collection

            Exfiltration

            Command and Control

            Impact

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\Users\Admin\AppData\Local\Temp\tmp5bbc77d4.bat
              MD5

              39e9061cbfc98f18c43601810788fb22

              SHA1

              f8d23bbcf0859d87c649bfd6565de911bc1b8786

              SHA256

              b79e5d111742456ab8a386228c34ad74d5630a24d143f9ee3bccab2f4b4d2457

              SHA512

              72f854db78a8a58404a1ed671cc294f8cc03632592006d42e8eebd2c5848cf0bd777cb625e944f5d0ad4ac6d5b9fe627d6659a6b7e6f577e943e0925c540f561

              Download Submit
            • C:\Users\Admin\AppData\Roaming\Ozub\laihk.exe
              MD5

              ca919ba4e8bfc88ab6328cfeb857b16e

              SHA1

              0717b627d384f8da5491901fadc366159685e342

              SHA256

              9eb27353e8d8fa3f4c980e3461713921629172aef3aa14113b7d3528774f4db1

              SHA512

              248973271cf3337718a46bb49b3461ae23a6866c7a121b007cdc958edb4d398b1fb51feebf9cff9be7a0e5e93c8e4adcf3192d6edd2ddd0832ed0f3dc953bec3

              Download Submit
            • C:\Users\Admin\AppData\Roaming\Ozub\laihk.exe
              MD5

              ca919ba4e8bfc88ab6328cfeb857b16e

              SHA1

              0717b627d384f8da5491901fadc366159685e342

              SHA256

              9eb27353e8d8fa3f4c980e3461713921629172aef3aa14113b7d3528774f4db1

              SHA512

              248973271cf3337718a46bb49b3461ae23a6866c7a121b007cdc958edb4d398b1fb51feebf9cff9be7a0e5e93c8e4adcf3192d6edd2ddd0832ed0f3dc953bec3

              Download Submit
            • C:\Users\Admin\AppData\Roaming\Ozub\laihk.exe
              MD5

              ca919ba4e8bfc88ab6328cfeb857b16e

              SHA1

              0717b627d384f8da5491901fadc366159685e342

              SHA256

              9eb27353e8d8fa3f4c980e3461713921629172aef3aa14113b7d3528774f4db1

              SHA512

              248973271cf3337718a46bb49b3461ae23a6866c7a121b007cdc958edb4d398b1fb51feebf9cff9be7a0e5e93c8e4adcf3192d6edd2ddd0832ed0f3dc953bec3

              Download Submit
            • \Users\Admin\AppData\Roaming\Ozub\laihk.exe
              MD5

              ca919ba4e8bfc88ab6328cfeb857b16e

              SHA1

              0717b627d384f8da5491901fadc366159685e342

              SHA256

              9eb27353e8d8fa3f4c980e3461713921629172aef3aa14113b7d3528774f4db1

              SHA512

              248973271cf3337718a46bb49b3461ae23a6866c7a121b007cdc958edb4d398b1fb51feebf9cff9be7a0e5e93c8e4adcf3192d6edd2ddd0832ed0f3dc953bec3

              Download Submit
            • \Users\Admin\AppData\Roaming\Ozub\laihk.exe
              MD5

              ca919ba4e8bfc88ab6328cfeb857b16e

              SHA1

              0717b627d384f8da5491901fadc366159685e342

              SHA256

              9eb27353e8d8fa3f4c980e3461713921629172aef3aa14113b7d3528774f4db1

              SHA512

              248973271cf3337718a46bb49b3461ae23a6866c7a121b007cdc958edb4d398b1fb51feebf9cff9be7a0e5e93c8e4adcf3192d6edd2ddd0832ed0f3dc953bec3

              Download Submit
            • memory/396-17-0x0000000000000000-mapping.dmp
              Download
            • memory/396-19-0x00000000001D0000-0x00000000001F7000-memory.dmp
              Filesize

              156KB

              Download
            • memory/1176-22-0x000007FEF74A0000-0x000007FEF771A000-memory.dmp
              Filesize

              2.5MB

              Download
            • memory/1252-14-0x000000000041D522-mapping.dmp
              Download
            • memory/1432-2-0x00000000001B0000-0x00000000001B1000-memory.dmp
              Filesize

              4KB

              Download
            • memory/1836-4-0x000000000041D522-mapping.dmp
              Download
            • memory/1836-6-0x0000000000400000-0x0000000000427000-memory.dmp
              Filesize

              156KB

              Download
            • memory/1836-18-0x0000000002150000-0x0000000002177000-memory.dmp
              Filesize

              156KB

              Download
            • memory/1836-5-0x0000000075BF1000-0x0000000075BF3000-memory.dmp
              Filesize

              8KB

              Download
            • memory/1836-3-0x0000000000400000-0x0000000000427000-memory.dmp
              Filesize

              156KB

              Download
            • memory/1944-11-0x0000000000220000-0x0000000000221000-memory.dmp
              Filesize

              4KB

              Download
            • memory/1944-9-0x0000000000000000-mapping.dmp
              Download