Overview

overview

9

Static

static

ca1b39bc4f...dc.exe

windows7-x64

9

ca1b39bc4f...dc.exe

windows10-2004-x64

9

Analysis

  • max time kernel
    35s
  • max time network
    44s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    03-10-2022 23:40

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ca1b39bc4fa67d8b088d2d95c7bd05dd36044a92f8c4f675cb6981de8a2b83dc.exe

  • Size

    21KB

  • MD5

    3cb33cb9ba35db393157f0cbd507d20a

  • SHA1

    3fa313f05d6bc4e0c147ad066a1d643bc540e4cf

  • SHA256

    ca1b39bc4fa67d8b088d2d95c7bd05dd36044a92f8c4f675cb6981de8a2b83dc

  • SHA512

    99654d6f586568619d54427407f38b71f2602258f730cf107ddb9c4051b19b7e044880676a2824508013f2531028a2b02c9bb17076b309913a60e8388aa39791

  • SSDEEP

    384:Ihr3k1JShXqN7oG5SPnm6HITRDt7Svy0aGaBYxQo3G90SZ54Uf:Mr010hXqkITJt7YynXIS0SX

Score
9/10
persistenceupx

Malware Config

Signatures

  • ACProtect 1.3x - 1.4x DLL software 5 IoCs

    Detects file using ACProtect software.

  • Blocklisted process makes network request 2 IoCs
  • UPX packed file 7 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Deletes itself 1 IoCs
  • Loads dropped DLL 4 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Drops file in Program Files directory 2 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ca1b39bc4fa67d8b088d2d95c7bd05dd36044a92f8c4f675cb6981de8a2b83dc.exe
    "C:\Users\Admin\AppData\Local\Temp\ca1b39bc4fa67d8b088d2d95c7bd05dd36044a92f8c4f675cb6981de8a2b83dc.exe"
    1⤵
    • Drops file in Program Files directory
    • Suspicious use of WriteProcessMemory
    PID:1388
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32 "C:\Program Files (x86)\captcha7.dll",captcha
      2⤵
      • Blocklisted process makes network request
      • Loads dropped DLL
      • Adds Run key to start application
      • Suspicious use of SetWindowsHookEx
      PID:1536
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c c:\captcha.bat
      2⤵
      • Deletes itself
      PID:1324

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Program Files (x86)\captcha7.dll
    Filesize

    16KB

    MD5

    03777cde0dac045bad579e77195d0090

    SHA1

    4c6fc63b72caafb7fa7cbe0207247f53b4e789dd

    SHA256

    b74b8fc8c1fdfb909a3407069d6cf2f3218749d9965ba33b3f48e8252b62c4d8

    SHA512

    c45c2067800372e195e7e4f29ada6953c45de68b22c488c6fe28225f6098cb8f1b95008e69185519a79175e160d0ebe79d084819fd37581b2491ae12aeb2db2c

    Download Submit
  • \??\c:\captcha.bat
    Filesize

    268B

    MD5

    8a66043d2425dc4ed7ed8e84e908e535

    SHA1

    89a8700b681e572689fb9026383dfc0fa72c6970

    SHA256

    c00b13e8333de21ffbb95289465fa181d4960a2581d1ff04f7f4deac9459acb3

    SHA512

    096b7a83e64128c87cfcce6b3f4cdd00db5496eb53e26554bc3115c50011922266c5a1169a3bfff90279de87aa0d72f415ca3a0d50b355d3f01945dfc84b99c7

    Download Submit
  • \Program Files (x86)\captcha7.dll
    Filesize

    16KB

    MD5

    03777cde0dac045bad579e77195d0090

    SHA1

    4c6fc63b72caafb7fa7cbe0207247f53b4e789dd

    SHA256

    b74b8fc8c1fdfb909a3407069d6cf2f3218749d9965ba33b3f48e8252b62c4d8

    SHA512

    c45c2067800372e195e7e4f29ada6953c45de68b22c488c6fe28225f6098cb8f1b95008e69185519a79175e160d0ebe79d084819fd37581b2491ae12aeb2db2c

    Download Submit
  • \Program Files (x86)\captcha7.dll
    Filesize

    16KB

    MD5

    03777cde0dac045bad579e77195d0090

    SHA1

    4c6fc63b72caafb7fa7cbe0207247f53b4e789dd

    SHA256

    b74b8fc8c1fdfb909a3407069d6cf2f3218749d9965ba33b3f48e8252b62c4d8

    SHA512

    c45c2067800372e195e7e4f29ada6953c45de68b22c488c6fe28225f6098cb8f1b95008e69185519a79175e160d0ebe79d084819fd37581b2491ae12aeb2db2c

    Download Submit
  • \Program Files (x86)\captcha7.dll
    Filesize

    16KB

    MD5

    03777cde0dac045bad579e77195d0090

    SHA1

    4c6fc63b72caafb7fa7cbe0207247f53b4e789dd

    SHA256

    b74b8fc8c1fdfb909a3407069d6cf2f3218749d9965ba33b3f48e8252b62c4d8

    SHA512

    c45c2067800372e195e7e4f29ada6953c45de68b22c488c6fe28225f6098cb8f1b95008e69185519a79175e160d0ebe79d084819fd37581b2491ae12aeb2db2c

    Download Submit
  • \Program Files (x86)\captcha7.dll
    Filesize

    16KB

    MD5

    03777cde0dac045bad579e77195d0090

    SHA1

    4c6fc63b72caafb7fa7cbe0207247f53b4e789dd

    SHA256

    b74b8fc8c1fdfb909a3407069d6cf2f3218749d9965ba33b3f48e8252b62c4d8

    SHA512

    c45c2067800372e195e7e4f29ada6953c45de68b22c488c6fe28225f6098cb8f1b95008e69185519a79175e160d0ebe79d084819fd37581b2491ae12aeb2db2c

    Download Submit
  • memory/1324-56-0x0000000000000000-mapping.dmp
    Download
  • memory/1388-54-0x0000000000400000-0x0000000000408000-memory.dmp
    Filesize

    32KB

    Download
  • memory/1536-55-0x0000000000000000-mapping.dmp
    Download
  • memory/1536-57-0x00000000768A1000-0x00000000768A3000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1536-64-0x0000000010000000-0x000000001000F000-memory.dmp
    Filesize

    60KB

    Download
  • memory/1536-65-0x0000000010000000-0x000000001000F000-memory.dmp
    Filesize

    60KB

    Download