Overview

overview

8

Static

static

8

ab630db6cf...f7.exe

windows7-x64

8

ab630db6cf...f7.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    151s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20220901-en
  • resource tags

    arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
  • submitted
    03-12-2022 23:18

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ab630db6cf89867cc8037af5da08fa39259e671ef65fb4ecae35c015a633dbf7.exe

  • Size

    238KB

  • MD5

    da0d379af51fd10a8ca99b7ff84b2779

  • SHA1

    97ba43eba04bda9ff3067f12f282bae22afbc62d

  • SHA256

    ab630db6cf89867cc8037af5da08fa39259e671ef65fb4ecae35c015a633dbf7

  • SHA512

    d3ef568950f5f201b134ac7de139ae053233aac76788fa8ea6fd83317d55100c473647774ee482f6525785420deb4b880ba1d747590d3905486cdc3d786e4235

  • SSDEEP

    6144:5oSk2d/iP1FMxld3qac3TMfKC3XSTKGXylljag8dj:5oSk2d/iYld323TKFGX+BaHdj

Score
8/10
persistenceupx

Malware Config

Signatures

  • Executes dropped EXE 2 IoCs
  • UPX packed file 7 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Deletes itself 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 3 IoCs
    persistence
  • Suspicious use of SetThreadContext 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 33 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1240
      • C:\Users\Admin\AppData\Local\Temp\ab630db6cf89867cc8037af5da08fa39259e671ef65fb4ecae35c015a633dbf7.exe
        "C:\Users\Admin\AppData\Local\Temp\ab630db6cf89867cc8037af5da08fa39259e671ef65fb4ecae35c015a633dbf7.exe"
        2⤵
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:1256
        • \??\c:\users\admin\appdata\local\temp\ab630db6cf89867cc8037af5da08fa39259e671ef65fb4ecae35c015a633dbf7.exe
          "c:\users\admin\appdata\local\temp\ab630db6cf89867cc8037af5da08fa39259e671ef65fb4ecae35c015a633dbf7.exe"
          3⤵
          • Loads dropped DLL
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1356
          • C:\Users\Admin\AppData\Roaming\Ucfix\ager.exe
            "C:\Users\Admin\AppData\Roaming\Ucfix\ager.exe"
            4⤵
            • Executes dropped EXE
            • Suspicious use of SetThreadContext
            • Suspicious use of WriteProcessMemory
            PID:1732
            • \??\c:\users\admin\appdata\roaming\ucfix\ager.exe
              "c:\users\admin\appdata\roaming\ucfix\ager.exe"
              5⤵
              • Executes dropped EXE
              • Adds Run key to start application
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of WriteProcessMemory
              PID:660
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmpc12a7397.bat"
            4⤵
            • Deletes itself
            PID:1164
    • C:\Windows\system32\Dwm.exe
      "C:\Windows\system32\Dwm.exe"
      1⤵
        PID:1184
      • C:\Windows\system32\taskhost.exe
        "taskhost.exe"
        1⤵
          PID:1124
        • C:\Windows\system32\DllHost.exe
          C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
          1⤵
            PID:1148
          • C:\Windows\system32\DllHost.exe
            C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
            1⤵
              PID:1924
            • C:\Windows\system32\DllHost.exe
              C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
              1⤵
                PID:892
              • C:\Windows\system32\DllHost.exe
                C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
                1⤵
                  PID:1932
                • C:\Windows\system32\DllHost.exe
                  C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
                  1⤵
                    PID:1912
                  • C:\Windows\system32\DllHost.exe
                    C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
                    1⤵
                      PID:1708
                    • C:\Windows\system32\DllHost.exe
                      C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
                      1⤵
                        PID:1064
                      • C:\Windows\system32\DllHost.exe
                        C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
                        1⤵
                          PID:1936

                        Network

                        MITRE ATT&CK Enterprise v6

                        Replay Monitor

                        Loading Replay Monitor...

                        Downloads

                        • C:\Users\Admin\AppData\Local\Temp\tmpc12a7397.bat
                          Filesize

                          307B

                          MD5

                          d7f082d106810c25c2d43566d97c203d

                          SHA1

                          f35c03898c02d2b410f579806f05ef8f7bcfc1e9

                          SHA256

                          83f11481d1e79733e4b41d751e14624bcce85361bec2def3858d4d11572eb79d

                          SHA512

                          ca49a15ff75ae893b0a1b6ac6223751afd0ab75fcee2c474a6909ed9ffe8fc66bcc5406575adedf5ec835f037e7840ccea75f09985bdf5787ccaa58b5b6a166e

                          Download Submit

                        • C:\Users\Admin\AppData\Roaming\Ucfix\ager.exe
                          Filesize

                          238KB

                          MD5

                          97ea0c6bf4b9a7d6ea1ff8f2eb787b5a

                          SHA1

                          90b93dc193d59abd109e455f38193122989491ae

                          SHA256

                          86a53108143a233bcbb2b72087aa0d587dcd494e1f58ddad5c0c0c30ce73410e

                          SHA512

                          fb3e1ddbc5ab69c1caa29e280fddd91aca428ec295b4d3a1bbbea12612fa614fb2440fa7822c87fbe1cb76e2e30716fc449ee4a95582004a5b554d61f17b0861

                          Download Submit

                        • C:\Users\Admin\AppData\Roaming\Ucfix\ager.exe
                          Filesize

                          238KB

                          MD5

                          97ea0c6bf4b9a7d6ea1ff8f2eb787b5a

                          SHA1

                          90b93dc193d59abd109e455f38193122989491ae

                          SHA256

                          86a53108143a233bcbb2b72087aa0d587dcd494e1f58ddad5c0c0c30ce73410e

                          SHA512

                          fb3e1ddbc5ab69c1caa29e280fddd91aca428ec295b4d3a1bbbea12612fa614fb2440fa7822c87fbe1cb76e2e30716fc449ee4a95582004a5b554d61f17b0861

                          Download Submit

                        • \??\c:\users\admin\appdata\roaming\ucfix\ager.exe
                          Filesize

                          238KB

                          MD5

                          97ea0c6bf4b9a7d6ea1ff8f2eb787b5a

                          SHA1

                          90b93dc193d59abd109e455f38193122989491ae

                          SHA256

                          86a53108143a233bcbb2b72087aa0d587dcd494e1f58ddad5c0c0c30ce73410e

                          SHA512

                          fb3e1ddbc5ab69c1caa29e280fddd91aca428ec295b4d3a1bbbea12612fa614fb2440fa7822c87fbe1cb76e2e30716fc449ee4a95582004a5b554d61f17b0861

                          Download Submit

                        • \Users\Admin\AppData\Roaming\Ucfix\ager.exe
                          Filesize

                          238KB

                          MD5

                          97ea0c6bf4b9a7d6ea1ff8f2eb787b5a

                          SHA1

                          90b93dc193d59abd109e455f38193122989491ae

                          SHA256

                          86a53108143a233bcbb2b72087aa0d587dcd494e1f58ddad5c0c0c30ce73410e

                          SHA512

                          fb3e1ddbc5ab69c1caa29e280fddd91aca428ec295b4d3a1bbbea12612fa614fb2440fa7822c87fbe1cb76e2e30716fc449ee4a95582004a5b554d61f17b0861

                          Download Submit

                        • \Users\Admin\AppData\Roaming\Ucfix\ager.exe
                          Filesize

                          238KB

                          MD5

                          97ea0c6bf4b9a7d6ea1ff8f2eb787b5a

                          SHA1

                          90b93dc193d59abd109e455f38193122989491ae

                          SHA256

                          86a53108143a233bcbb2b72087aa0d587dcd494e1f58ddad5c0c0c30ce73410e

                          SHA512

                          fb3e1ddbc5ab69c1caa29e280fddd91aca428ec295b4d3a1bbbea12612fa614fb2440fa7822c87fbe1cb76e2e30716fc449ee4a95582004a5b554d61f17b0861

                          Download Submit

                        • memory/660-117-0x0000000000400000-0x000000000043B000-memory.dmp

                          Filesize

                          236KB

                          Download

                        • memory/660-104-0x0000000000400000-0x000000000043B000-memory.dmp

                          Filesize

                          236KB

                          Download

                        • memory/892-123-0x0000000001B70000-0x0000000001BAB000-memory.dmp

                          Filesize

                          236KB

                          Download

                        • memory/892-122-0x0000000001B70000-0x0000000001BAB000-memory.dmp

                          Filesize

                          236KB

                          Download

                        • memory/892-121-0x0000000001B70000-0x0000000001BAB000-memory.dmp

                          Filesize

                          236KB

                          Download

                        • memory/892-120-0x0000000001B70000-0x0000000001BAB000-memory.dmp

                          Filesize

                          236KB

                          Download

                        • memory/1124-90-0x0000000001C00000-0x0000000001C3B000-memory.dmp

                          Filesize

                          236KB

                          Download

                        • memory/1124-86-0x0000000001C00000-0x0000000001C3B000-memory.dmp

                          Filesize

                          236KB

                          Download

                        • memory/1124-87-0x0000000001C00000-0x0000000001C3B000-memory.dmp

                          Filesize

                          236KB

                          Download

                        • memory/1124-89-0x0000000001C00000-0x0000000001C3B000-memory.dmp

                          Filesize

                          236KB

                          Download

                        • memory/1148-110-0x0000000003A50000-0x0000000003A8B000-memory.dmp

                          Filesize

                          236KB

                          Download

                        • memory/1148-108-0x0000000003A50000-0x0000000003A8B000-memory.dmp

                          Filesize

                          236KB

                          Download

                        • memory/1148-107-0x0000000003A50000-0x0000000003A8B000-memory.dmp

                          Filesize

                          236KB

                          Download

                        • memory/1148-109-0x0000000003A50000-0x0000000003A8B000-memory.dmp

                          Filesize

                          236KB

                          Download

                        • memory/1184-93-0x0000000001C80000-0x0000000001CBB000-memory.dmp

                          Filesize

                          236KB

                          Download

                        • memory/1184-96-0x0000000001C80000-0x0000000001CBB000-memory.dmp

                          Filesize

                          236KB

                          Download

                        • memory/1184-95-0x0000000001C80000-0x0000000001CBB000-memory.dmp

                          Filesize

                          236KB

                          Download

                        • memory/1184-97-0x0000000001C80000-0x0000000001CBB000-memory.dmp

                          Filesize

                          236KB

                          Download

                        • memory/1240-103-0x0000000002940000-0x000000000297B000-memory.dmp

                          Filesize

                          236KB

                          Download

                        • memory/1240-100-0x0000000002940000-0x000000000297B000-memory.dmp

                          Filesize

                          236KB

                          Download

                        • memory/1240-101-0x0000000002940000-0x000000000297B000-memory.dmp

                          Filesize

                          236KB

                          Download

                        • memory/1240-102-0x0000000002940000-0x000000000297B000-memory.dmp

                          Filesize

                          236KB

                          Download

                        • memory/1256-63-0x0000000000400000-0x000000000040E000-memory.dmp

                          Filesize

                          56KB

                          Download

                        • memory/1356-57-0x0000000000400000-0x000000000043B000-memory.dmp

                          Filesize

                          236KB

                          Download

                        • memory/1356-88-0x0000000000400000-0x000000000043B000-memory.dmp

                          Filesize

                          236KB

                          Download

                        • memory/1356-65-0x0000000000400000-0x000000000043B000-memory.dmp

                          Filesize

                          236KB

                          Download

                        • memory/1356-64-0x0000000075091000-0x0000000075093000-memory.dmp

                          Filesize

                          8KB

                          Download

                        • memory/1356-54-0x0000000000400000-0x000000000043B000-memory.dmp

                          Filesize

                          236KB

                          Download

                        • memory/1356-55-0x0000000000400000-0x000000000043B000-memory.dmp

                          Filesize

                          236KB

                          Download

                        • memory/1356-60-0x0000000000400000-0x000000000043B000-memory.dmp

                          Filesize

                          236KB

                          Download

                        • memory/1356-58-0x0000000000400000-0x000000000043B000-memory.dmp

                          Filesize

                          236KB

                          Download

                        • memory/1732-80-0x0000000000400000-0x000000000040E000-memory.dmp

                          Filesize

                          56KB

                          Download

                        • memory/1912-132-0x0000000000350000-0x000000000038B000-memory.dmp

                          Filesize

                          236KB

                          Download

                        • memory/1912-133-0x0000000000350000-0x000000000038B000-memory.dmp

                          Filesize

                          236KB

                          Download

                        • memory/1924-113-0x0000000000340000-0x000000000037B000-memory.dmp

                          Filesize

                          236KB

                          Download

                        • memory/1924-116-0x0000000000340000-0x000000000037B000-memory.dmp

                          Filesize

                          236KB

                          Download

                        • memory/1924-114-0x0000000000340000-0x000000000037B000-memory.dmp

                          Filesize

                          236KB

                          Download

                        • memory/1924-115-0x0000000000340000-0x000000000037B000-memory.dmp

                          Filesize

                          236KB

                          Download

                        • memory/1932-126-0x0000000000210000-0x000000000024B000-memory.dmp

                          Filesize

                          236KB

                          Download

                        • memory/1932-127-0x0000000000210000-0x000000000024B000-memory.dmp

                          Filesize

                          236KB

                          Download

                        • memory/1932-128-0x0000000000210000-0x000000000024B000-memory.dmp

                          Filesize

                          236KB

                          Download

                        • memory/1932-129-0x0000000000210000-0x000000000024B000-memory.dmp

                          Filesize

                          236KB

                          Download