Overview

overview

10

Static

static

8

c913c6b385...fc.exe

windows7-x64

10

c913c6b385...fc.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    27s
  • max time network
    45s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    23-11-2022 15:58

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    c913c6b385e462a633721d38ec1fbe065656fbfedfcdfc7999120534d6b03dfc.exe

  • Size

    46KB

  • MD5

    5354d80d4a823b570c8c6478cc9b8147

  • SHA1

    ce1fbb6a725d3201c48224241c03f26d1ff98a84

  • SHA256

    c913c6b385e462a633721d38ec1fbe065656fbfedfcdfc7999120534d6b03dfc

  • SHA512

    e380f218dcd26c70268d6acf020f371301bdf1f257c6e5c589715af197f3eab005e3fdd083dee3e2be3549d82d1b234ed41d048bcdaff343b7b8aa2262a4be18

  • SSDEEP

    768:pBRQek1xOQKW9xsimoZ1VGjg4xz+3a87UHloVdd+SUyr2wwI/DJrNFq:pTQpc3SsPoZ1eFSaMlt+ZMJJs

Score
10/10
evasionpersistenceupx

Malware Config

Signatures

  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
    evasion
  • Disables RegEdit via registry modification 1 IoCs
    evasion
  • Disables use of System Restore points 1 TTPs
    evasion
  • UPX packed file 2 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: MapViewOfSection 21 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\system32\lsass.exe
    C:\Windows\system32\lsass.exe
    1⤵
      PID:476
    • C:\Windows\system32\services.exe
      C:\Windows\system32\services.exe
      1⤵
        PID:460
        • C:\Windows\system32\svchost.exe
          C:\Windows\system32\svchost.exe -k NetworkService
          2⤵
            PID:292
          • C:\Windows\system32\sppsvc.exe
            C:\Windows\system32\sppsvc.exe
            2⤵
              PID:1760
            • C:\Windows\system32\svchost.exe
              C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
              2⤵
                PID:1816
              • C:\Windows\system32\svchost.exe
                C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
                2⤵
                  PID:1152
                • C:\Windows\system32\taskhost.exe
                  "taskhost.exe"
                  2⤵
                    PID:1092
                  • C:\Windows\System32\spoolsv.exe
                    C:\Windows\System32\spoolsv.exe
                    2⤵
                      PID:1036
                    • C:\Windows\system32\svchost.exe
                      C:\Windows\system32\svchost.exe -k netsvcs
                      2⤵
                        PID:884
                      • C:\Windows\system32\svchost.exe
                        C:\Windows\system32\svchost.exe -k LocalService
                        2⤵
                          PID:856
                        • C:\Windows\System32\svchost.exe
                          C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
                          2⤵
                            PID:820
                          • C:\Windows\System32\svchost.exe
                            C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
                            2⤵
                              PID:752
                            • C:\Windows\system32\svchost.exe
                              C:\Windows\system32\svchost.exe -k RPCSS
                              2⤵
                                PID:680
                              • C:\Windows\system32\svchost.exe
                                C:\Windows\system32\svchost.exe -k DcomLaunch
                                2⤵
                                  PID:596
                              • C:\Windows\system32\winlogon.exe
                                winlogon.exe
                                1⤵
                                  PID:416
                                • C:\Windows\system32\csrss.exe
                                  %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
                                  1⤵
                                    PID:380
                                  • C:\Windows\system32\wininit.exe
                                    wininit.exe
                                    1⤵
                                      PID:368
                                      • C:\Windows\system32\lsm.exe
                                        C:\Windows\system32\lsm.exe
                                        2⤵
                                          PID:484
                                      • \\?\C:\Windows\system32\wbem\WMIADAP.EXE
                                        wmiadap.exe /F /T /R
                                        1⤵
                                          PID:2008
                                        • C:\Windows\Explorer.EXE
                                          C:\Windows\Explorer.EXE
                                          1⤵
                                            PID:1208
                                            • C:\Users\Admin\AppData\Local\Temp\c913c6b385e462a633721d38ec1fbe065656fbfedfcdfc7999120534d6b03dfc.exe
                                              "C:\Users\Admin\AppData\Local\Temp\c913c6b385e462a633721d38ec1fbe065656fbfedfcdfc7999120534d6b03dfc.exe"
                                              2⤵
                                              • Modifies visibility of file extensions in Explorer
                                              • Disables RegEdit via registry modification
                                              • Adds Run key to start application
                                              • Modifies Internet Explorer settings
                                              • Suspicious behavior: EnumeratesProcesses
                                              • Suspicious behavior: MapViewOfSection
                                              • Suspicious use of AdjustPrivilegeToken
                                              • Suspicious use of WriteProcessMemory
                                              PID:904
                                          • C:\Windows\system32\Dwm.exe
                                            "C:\Windows\system32\Dwm.exe"
                                            1⤵
                                              PID:1180

                                            Network

                                            MITRE ATT&CK Enterprise v6

                                            Replay Monitor

                                            Loading Replay Monitor...

                                            Downloads

                                            • memory/904-54-0x0000000075661000-0x0000000075663000-memory.dmp

                                              Filesize

                                              8KB

                                              Download

                                            • memory/904-55-0x0000000000400000-0x000000000043F000-memory.dmp

                                              Filesize

                                              252KB

                                              Download

                                            • memory/904-56-0x0000000000400000-0x000000000043F000-memory.dmp

                                              Filesize

                                              252KB

                                              Download