Overview

overview

8

Static

static

8f1ccc02e9...ba.exe

windows7-x64

8

8f1ccc02e9...ba.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    148s
  • max time network
    186s
  • platform
    windows7_x64
  • resource
    win7-20221111-en
  • resource tags

    arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
  • submitted
    23-11-2022 13:41

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    8f1ccc02e99adc67b76a316c35aa86d1f52ffc2347b719d00faed8e80b9268ba.exe

  • Size

    178KB

  • MD5

    4a05f5a287555306a426e091d5fdf770

  • SHA1

    3fab28a236c180d071f054d2ac183ef59ec243c4

  • SHA256

    8f1ccc02e99adc67b76a316c35aa86d1f52ffc2347b719d00faed8e80b9268ba

  • SHA512

    586500a7d432315ad3d0ad67c9be4334a5e9d6d2312025762b9c88748d112b6667f13c1f9d4662c18792778381f2faf7a7fcfe594605fc3c8901e8cfda86c9a5

  • SSDEEP

    3072:Kw1ucErj94+cpbr5aHNSb34Qpc06482+p4TtM0y13KUwbt:GnIbrUHU9cT4lwMM0ywUwbt

Score
8/10
persistenceupx

Malware Config

Signatures

  • Executes dropped EXE 2 IoCs
  • UPX packed file 8 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Deletes itself 1 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Drops file in System32 directory 9 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Modifies data under HKEY_USERS 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\8f1ccc02e99adc67b76a316c35aa86d1f52ffc2347b719d00faed8e80b9268ba.exe
    "C:\Users\Admin\AppData\Local\Temp\8f1ccc02e99adc67b76a316c35aa86d1f52ffc2347b719d00faed8e80b9268ba.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2028
    • C:\Users\Admin\AppData\Local\Temp\8f1ccc02e99adc67b76a316c35aa86d1f52ffc2347b719d00faed8e80b9268ba.exe
      "C:\Users\Admin\AppData\Local\Temp\8f1ccc02e99adc67b76a316c35aa86d1f52ffc2347b719d00faed8e80b9268ba.exe"
      2⤵
      • Drops file in System32 directory
      • Suspicious use of WriteProcessMemory
      PID:952
      • C:\Windows\SysWOW64\reg.exe
        reg.exe add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows" /t REG_SZ /f /v load /d "C:\Users\Admin\AppData\Local\Temp\msnat2c2f1cef.exe"
        3⤵
          PID:752
        • C:\Windows\SysWOW64\reg.exe
          reg.exe add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /t REG_SZ /f /v msnat795f37ef /d "C:\Users\Admin\AppData\Local\Temp\msnat2c2f1cef.exe"
          3⤵
          • Adds Run key to start application
          PID:468
        • C:\Windows\SysWOW64\svchost.exe
          svchost.exe
          3⤵
          • Deletes itself
          PID:764
    • C:\Windows\SysWOW64\msnat6dcf756f.exe
      C:\Windows\SysWOW64\msnat6dcf756f.exe
      1⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:1424
      • C:\Windows\SysWOW64\msnat6dcf756f.exe
        C:\Windows\SysWOW64\msnat6dcf756f.exe
        2⤵
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:1884
        • C:\Windows\SysWOW64\svchost.exe
          svchost.exe
          3⤵
          • Drops file in System32 directory
          • Modifies data under HKEY_USERS
          PID:992

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Windows\SysWOW64\msnat6dcf756f.exe
      Filesize

      178KB

      MD5

      4a05f5a287555306a426e091d5fdf770

      SHA1

      3fab28a236c180d071f054d2ac183ef59ec243c4

      SHA256

      8f1ccc02e99adc67b76a316c35aa86d1f52ffc2347b719d00faed8e80b9268ba

      SHA512

      586500a7d432315ad3d0ad67c9be4334a5e9d6d2312025762b9c88748d112b6667f13c1f9d4662c18792778381f2faf7a7fcfe594605fc3c8901e8cfda86c9a5

      Download Submit

    • C:\Windows\SysWOW64\msnat6dcf756f.exe
      Filesize

      178KB

      MD5

      4a05f5a287555306a426e091d5fdf770

      SHA1

      3fab28a236c180d071f054d2ac183ef59ec243c4

      SHA256

      8f1ccc02e99adc67b76a316c35aa86d1f52ffc2347b719d00faed8e80b9268ba

      SHA512

      586500a7d432315ad3d0ad67c9be4334a5e9d6d2312025762b9c88748d112b6667f13c1f9d4662c18792778381f2faf7a7fcfe594605fc3c8901e8cfda86c9a5

      Download Submit

    • C:\Windows\SysWOW64\msnat6dcf756f.exe
      Filesize

      178KB

      MD5

      4a05f5a287555306a426e091d5fdf770

      SHA1

      3fab28a236c180d071f054d2ac183ef59ec243c4

      SHA256

      8f1ccc02e99adc67b76a316c35aa86d1f52ffc2347b719d00faed8e80b9268ba

      SHA512

      586500a7d432315ad3d0ad67c9be4334a5e9d6d2312025762b9c88748d112b6667f13c1f9d4662c18792778381f2faf7a7fcfe594605fc3c8901e8cfda86c9a5

      Download Submit

    • memory/468-64-0x0000000000000000-mapping.dmp

      Download

    • memory/752-63-0x0000000000000000-mapping.dmp

      Download

    • memory/764-88-0x0000000020010000-0x000000002003C000-memory.dmp

      Filesize

      176KB

      Download

    • memory/764-86-0x0000000020010000-0x000000002003C000-memory.dmp

      Filesize

      176KB

      Download

    • memory/764-80-0x0000000020010000-0x000000002003C000-memory.dmp

      Filesize

      176KB

      Download

    • memory/764-78-0x0000000000000000-mapping.dmp

      Download

    • memory/952-61-0x0000000000400000-0x000000000043E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/952-82-0x0000000000400000-0x000000000043E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/952-62-0x0000000000400000-0x000000000043E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/952-55-0x0000000000400000-0x000000000043E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/952-54-0x0000000000400000-0x000000000043E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/952-57-0x0000000000400000-0x000000000043E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/952-59-0x000000000043C8B0-mapping.dmp

      Download

    • memory/952-66-0x0000000000400000-0x000000000043E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/952-58-0x0000000000400000-0x000000000043E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/992-79-0x0000000000000000-mapping.dmp

      Download

    • memory/992-87-0x0000000020010000-0x000000002003C000-memory.dmp

      Filesize

      176KB

      Download

    • memory/992-89-0x0000000020010000-0x000000002003C000-memory.dmp

      Filesize

      176KB

      Download

    • memory/1884-85-0x0000000000400000-0x000000000043E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/1884-73-0x000000000043C8B0-mapping.dmp

      Download