Overview

overview

8

Static

static

a8af0e6f28...1c.exe

windows7-x64

8

a8af0e6f28...1c.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    150s
  • max time network
    109s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    23-11-2022 17:09

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    a8af0e6f28cb7af0fe69178cf7b3f43f4e2b72330adda228c8e459bb850d221c.exe

  • Size

    418KB

  • MD5

    43df57a48f3a3977ce9a303dd895c26f

  • SHA1

    d5e26f548c7f9a250de6463497eefb76dbdf48d0

  • SHA256

    a8af0e6f28cb7af0fe69178cf7b3f43f4e2b72330adda228c8e459bb850d221c

  • SHA512

    e1762d6e79a9d3af210e4b4b2791b1538739c918a9cf60228d291a705dcfb272101c1a69b32b2f45611c8166a78957446a9aa3f2596efd8dd305082da59b329e

  • SSDEEP

    6144:BsL4xsQN9iR/3E5RLR7fxZeYXP3JItQCMf0BVgSpShQNIyFsrQAIUBdaCp:Bs0xsS9g8LxxZrXP3YxISpSh/yFsUU

Score
8/10
persistenceupx

Malware Config

Signatures

  • Executes dropped EXE 2 IoCs
  • UPX packed file 5 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Deletes itself 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SendNotifyMessage 2 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a8af0e6f28cb7af0fe69178cf7b3f43f4e2b72330adda228c8e459bb850d221c.exe
    "C:\Users\Admin\AppData\Local\Temp\a8af0e6f28cb7af0fe69178cf7b3f43f4e2b72330adda228c8e459bb850d221c.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:896
    • C:\ProgramData\jIc01812gLbCa01812\jIc01812gLbCa01812.exe
      "C:\ProgramData\jIc01812gLbCa01812\jIc01812gLbCa01812.exe" BOMBARDAMAXIMUM
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:808
    • C:\ProgramData\jIc01812gLbCa01812\jIc01812gLbCa01812.exe
      "C:\ProgramData\jIc01812gLbCa01812\jIc01812gLbCa01812.exe" "C:\Users\Admin\AppData\Local\Temp\a8af0e6f28cb7af0fe69178cf7b3f43f4e2b72330adda228c8e459bb850d221c.exe"
      2⤵
      • Executes dropped EXE
      • Deletes itself
      • Adds Run key to start application
      • Modifies Internet Explorer settings
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of SetWindowsHookEx
      PID:1464

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\jIc01812gLbCa01812\jIc01812gLbCa01812
    Filesize

    192B

    MD5

    c44626c4eb9b33083ff8e47f2685283c

    SHA1

    69cc7eb8390426f50272c0b0efb80f04356086b2

    SHA256

    79a10bb4dbc3065d24e5d72323beaef2a38f06145fafa6f2d37dd511eccfc61d

    SHA512

    774fa5c0145cab175035bf06c864d73b82a60cc305805ddc861e239d5e8f021097950c474e9e19f46e64ce3633917af523dd02d312d6e5e83f68bbf8a4b00b58

    Download Submit

  • C:\ProgramData\jIc01812gLbCa01812\jIc01812gLbCa01812.exe
    Filesize

    418KB

    MD5

    7ad525df4bb971a0161c774d4660d0bb

    SHA1

    ec6da33d922a95f329116a1c0b6801769e660470

    SHA256

    2c80eb8444570ea1d9df1b2035f09221d69cedfe7ffd3f5f83a45d8e704aaea1

    SHA512

    cf1995646915344006a5234efc047dc3fdeb6a9a1b8e82d106a8c5236fc7fd5b4202b9a1a881760595e6f661d40065de0056af81b5a3bde37781e17a602d6449

    Download Submit

  • C:\ProgramData\jIc01812gLbCa01812\jIc01812gLbCa01812.exe
    Filesize

    418KB

    MD5

    7ad525df4bb971a0161c774d4660d0bb

    SHA1

    ec6da33d922a95f329116a1c0b6801769e660470

    SHA256

    2c80eb8444570ea1d9df1b2035f09221d69cedfe7ffd3f5f83a45d8e704aaea1

    SHA512

    cf1995646915344006a5234efc047dc3fdeb6a9a1b8e82d106a8c5236fc7fd5b4202b9a1a881760595e6f661d40065de0056af81b5a3bde37781e17a602d6449

    Download Submit

  • C:\ProgramData\jIc01812gLbCa01812\jIc01812gLbCa01812.exe
    Filesize

    418KB

    MD5

    7ad525df4bb971a0161c774d4660d0bb

    SHA1

    ec6da33d922a95f329116a1c0b6801769e660470

    SHA256

    2c80eb8444570ea1d9df1b2035f09221d69cedfe7ffd3f5f83a45d8e704aaea1

    SHA512

    cf1995646915344006a5234efc047dc3fdeb6a9a1b8e82d106a8c5236fc7fd5b4202b9a1a881760595e6f661d40065de0056af81b5a3bde37781e17a602d6449

    Download Submit

  • \ProgramData\jIc01812gLbCa01812\jIc01812gLbCa01812.exe
    Filesize

    418KB

    MD5

    7ad525df4bb971a0161c774d4660d0bb

    SHA1

    ec6da33d922a95f329116a1c0b6801769e660470

    SHA256

    2c80eb8444570ea1d9df1b2035f09221d69cedfe7ffd3f5f83a45d8e704aaea1

    SHA512

    cf1995646915344006a5234efc047dc3fdeb6a9a1b8e82d106a8c5236fc7fd5b4202b9a1a881760595e6f661d40065de0056af81b5a3bde37781e17a602d6449

    Download Submit

  • memory/808-64-0x0000000000400000-0x00000000004C8000-memory.dmp

    Filesize

    800KB

    Download

  • memory/808-56-0x0000000000000000-mapping.dmp

    Download

  • memory/808-68-0x0000000000400000-0x00000000004C8000-memory.dmp

    Filesize

    800KB

    Download

  • memory/896-62-0x0000000000400000-0x00000000004C8000-memory.dmp

    Filesize

    800KB

    Download

  • memory/896-58-0x0000000000400000-0x00000000004C8000-memory.dmp

    Filesize

    800KB

    Download

  • memory/896-54-0x0000000075B41000-0x0000000075B43000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1464-61-0x0000000000000000-mapping.dmp

    Download

  • memory/1464-67-0x0000000000400000-0x00000000004C8000-memory.dmp

    Filesize

    800KB

    Download