Analysis

  • max time kernel
    151s
  • max time network
    158s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220901-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    14/10/2022, 10:27

General

  • Target

    1cb37e9529dece1b6b9ec2dd9843c4b22ade64e6821e693ca64bd1ac244afe76.exe

  • Size

    108KB

  • MD5

    6cfcfbdbcf2adcdbfcf9bafdee8536ca

  • SHA1

    b114ffc44a3828f5f0aee94891629e93d0d8f00b

  • SHA256

    1cb37e9529dece1b6b9ec2dd9843c4b22ade64e6821e693ca64bd1ac244afe76

  • SHA512

    70843f307997a2f855c319f573fd729cd4f4a3cd143a775a581d3951fbbeb3d1b94bf65cf45094ab044ebec47f0f648fbe152379f49c5e39cfb3fb052edd0c8b

  • SSDEEP

    768:ph/8nQpfDPUhh67zOizfdtCHKgS2hDx7wdkw7bzfzAL65nuplpnQzTGf3g4D3emg:ppEQlDcH0LLdtibSUWd77OTQEgJ54va

Score
10/10

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 4 IoCs
  • Modifies visibility of file extensions in Explorer 2 TTPs 2 IoCs
  • Disables RegEdit via registry modification 2 IoCs
  • Disables Task Manager via registry modification
  • Disables use of System Restore points 1 TTPs
  • Drops file in Drivers directory 1 IoCs
  • Executes dropped EXE 1 IoCs
  • UPX packed file 6 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Drops autorun.inf file 1 TTPs 2 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in Windows directory 4 IoCs
  • Kills process with taskkill 46 IoCs
  • Modifies Internet Explorer settings 1 TTPs 2 IoCs
  • Modifies Internet Explorer start page 1 TTPs 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 46 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1cb37e9529dece1b6b9ec2dd9843c4b22ade64e6821e693ca64bd1ac244afe76.exe
    "C:\Users\Admin\AppData\Local\Temp\1cb37e9529dece1b6b9ec2dd9843c4b22ade64e6821e693ca64bd1ac244afe76.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Modifies visibility of file extensions in Explorer
    • Disables RegEdit via registry modification
    • Adds Run key to start application
    • Drops file in Windows directory
    • Modifies Internet Explorer settings
    • Modifies Internet Explorer start page
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:224
    • C:\Windows\SysWOW64\taskkill.exe
      taskkill /im firefox.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:916
    • C:\Windows\lsass.exe
      C:\Windows\lsass.exe
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visibility of file extensions in Explorer
      • Disables RegEdit via registry modification
      • Drops file in Drivers directory
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops autorun.inf file
      • Modifies Internet Explorer settings
      • Modifies Internet Explorer start page
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:3320
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /im taskmgr.exe
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:3416
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /im hijackthis.exe
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:1352
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /im regedit.exe
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:3128
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /im regedit.exe
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:856
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /im taskmgr.exe
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:4708
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /im hijackthis.exe
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:1844
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /im regedit.exe
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:4740
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /im hijackthis.exe
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2088
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /im taskmgr.exe
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:4852
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /im regedit.exe
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:1492
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /im taskmgr.exe
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2012
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /im hijackthis.exe
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:4544
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /im regedit.exe
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:4536
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /im taskmgr.exe
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:1644
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /im hijackthis.exe
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:484
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /im regedit.exe
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:3464
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /im hijackthis.exe
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:1308
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /im taskmgr.exe
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:4632
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /im regedit.exe
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:4728
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /im taskmgr.exe
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:4700
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /im hijackthis.exe
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:4564
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /im regedit.exe
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:5032
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /im taskmgr.exe
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:4052
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /im hijackthis.exe
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2600
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /im regedit.exe
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:3604
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /im taskmgr.exe
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:4804
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /im hijackthis.exe
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2716
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /im regedit.exe
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:3824
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /im hijackthis.exe
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:4276
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /im taskmgr.exe
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:1880
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /im regedit.exe
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:4800
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /im taskmgr.exe
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:1728
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /im hijackthis.exe
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:3712
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /im regedit.exe
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:3120
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /im taskmgr.exe
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:1664
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /im hijackthis.exe
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:4184
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /im regedit.exe
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2420
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /im taskmgr.exe
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:4660
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /im hijackthis.exe
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2548
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /im regedit.exe
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:4648
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /im taskmgr.exe
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:1372
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /im hijackthis.exe
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:4908
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /im regedit.exe
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:4032
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /im taskmgr.exe
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:4040
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /im hijackthis.exe
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:4028

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Windows\lsass.exe

    Filesize

    108KB

    MD5

    6cfcfbdbcf2adcdbfcf9bafdee8536ca

    SHA1

    b114ffc44a3828f5f0aee94891629e93d0d8f00b

    SHA256

    1cb37e9529dece1b6b9ec2dd9843c4b22ade64e6821e693ca64bd1ac244afe76

    SHA512

    70843f307997a2f855c319f573fd729cd4f4a3cd143a775a581d3951fbbeb3d1b94bf65cf45094ab044ebec47f0f648fbe152379f49c5e39cfb3fb052edd0c8b

  • memory/224-132-0x0000000000400000-0x0000000000479000-memory.dmp

    Filesize

    484KB

  • memory/224-145-0x0000000000400000-0x0000000000479000-memory.dmp

    Filesize

    484KB

  • memory/224-149-0x0000000000400000-0x0000000000479000-memory.dmp

    Filesize

    484KB

  • memory/3320-144-0x0000000000400000-0x0000000000479000-memory.dmp

    Filesize

    484KB