Overview

overview

8

Static

static

8

f1bcf16b9a...3f.exe

windows7-x64

8

f1bcf16b9a...3f.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    202s
  • max time network
    34s
  • platform
    windows7_x64
  • resource
    win7-20221111-en
  • resource tags

    arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
  • submitted
    04/12/2022, 10:01 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    f1bcf16b9a0c534404b22f83a49776724688f212e1f643ce90f1aecc33f96c3f.exe

  • Size

    250KB

  • MD5

    4af604b1ed49f24ada9acdd4250b6b27

  • SHA1

    dec5ffcebce5861e8253c95372d6fec16cd7507d

  • SHA256

    f1bcf16b9a0c534404b22f83a49776724688f212e1f643ce90f1aecc33f96c3f

  • SHA512

    932c9b15bb63f22e0b13247e3827dd47cc0c8070ad6899607eb6053c901dfc4e3f7e486357a2213c7e9c4c42454ce3a6ccffe14fce5741dc9a965ee4b7853ccb

  • SSDEEP

    3072:mg8j0Z4bGJv4EMi9T5/HrCDgdgkaumvtLjw5qMGZVUNKKzVEWNj/:kVKJ1J9NxgAUVUxbN7

Score
8/10
persistenceupx

Malware Config

Signatures

  • Modifies Installed Components in the registry 2 TTPs 2 IoCs
    persistence
  • UPX packed file 15 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Drops file in System32 directory 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\system32\lsass.exe
    C:\Windows\system32\lsass.exe
    1⤵
      PID:476
    • C:\Windows\system32\services.exe
      C:\Windows\system32\services.exe
      1⤵
        PID:460
        • C:\Windows\system32\taskhost.exe
          "taskhost.exe"
          2⤵
            PID:1124
          • C:\Windows\system32\sppsvc.exe
            C:\Windows\system32\sppsvc.exe
            2⤵
              PID:1620
            • C:\Windows\system32\svchost.exe
              C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
              2⤵
                PID:1080
              • C:\Windows\system32\svchost.exe
                C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
                2⤵
                  PID:1032
                • C:\Windows\System32\spoolsv.exe
                  C:\Windows\System32\spoolsv.exe
                  2⤵
                    PID:112
                  • C:\Windows\system32\svchost.exe
                    C:\Windows\system32\svchost.exe -k NetworkService
                    2⤵
                      PID:240
                    • C:\Windows\system32\svchost.exe
                      C:\Windows\system32\svchost.exe -k netsvcs
                      2⤵
                        PID:864
                      • C:\Windows\system32\svchost.exe
                        C:\Windows\system32\svchost.exe -k LocalService
                        2⤵
                          PID:840
                        • C:\Windows\System32\svchost.exe
                          C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
                          2⤵
                            PID:792
                          • C:\Windows\System32\svchost.exe
                            C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
                            2⤵
                              PID:740
                            • C:\Windows\system32\svchost.exe
                              C:\Windows\system32\svchost.exe -k RPCSS
                              2⤵
                                PID:664
                              • C:\Windows\system32\svchost.exe
                                C:\Windows\system32\svchost.exe -k DcomLaunch
                                2⤵
                                  PID:588
                              • C:\Windows\system32\winlogon.exe
                                winlogon.exe
                                1⤵
                                  PID:416
                                • C:\Windows\system32\csrss.exe
                                  %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
                                  1⤵
                                    PID:376
                                  • C:\Windows\system32\wininit.exe
                                    wininit.exe
                                    1⤵
                                      PID:368
                                      • C:\Windows\system32\lsm.exe
                                        C:\Windows\system32\lsm.exe
                                        2⤵
                                          PID:484
                                      • C:\Windows\system32\csrss.exe
                                        %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
                                        1⤵
                                          PID:332
                                        • C:\Windows\System32\smss.exe
                                          \SystemRoot\System32\smss.exe
                                          1⤵
                                            PID:260
                                          • C:\Windows\system32\wbem\wmiprvse.exe
                                            C:\Windows\system32\wbem\wmiprvse.exe
                                            1⤵
                                              PID:1980
                                            • \\?\C:\Windows\system32\wbem\WMIADAP.EXE
                                              wmiadap.exe /F /T /R
                                              1⤵
                                                PID:1204
                                              • C:\Users\Admin\AppData\Local\Temp\f1bcf16b9a0c534404b22f83a49776724688f212e1f643ce90f1aecc33f96c3f.exe
                                                "C:\Users\Admin\AppData\Local\Temp\f1bcf16b9a0c534404b22f83a49776724688f212e1f643ce90f1aecc33f96c3f.exe"
                                                1⤵
                                                • Modifies Installed Components in the registry
                                                • Adds Run key to start application
                                                • Drops file in System32 directory
                                                • Suspicious behavior: EnumeratesProcesses
                                                • Suspicious use of AdjustPrivilegeToken
                                                • Suspicious use of WriteProcessMemory
                                                PID:1396
                                                • C:\Program Files\Internet Explorer\iexplore.exe
                                                  "C:\Program Files\Internet Explorer\iexplore.exe"
                                                  2⤵
                                                    PID:1256
                                                • C:\Windows\Explorer.EXE
                                                  C:\Windows\Explorer.EXE
                                                  1⤵
                                                    PID:1244
                                                  • C:\Windows\system32\Dwm.exe
                                                    "C:\Windows\system32\Dwm.exe"
                                                    1⤵
                                                      PID:1208

                                                    Network

                                                    MITRE ATT&CK Enterprise v6

                                                    Replay Monitor

                                                    Loading Replay Monitor...

                                                    Downloads

                                                    • memory/260-71-0x0000000010450000-0x000000001045D000-memory.dmp

                                                      Filesize

                                                      52KB

                                                      Download

                                                    • memory/1396-86-0x0000000010480000-0x000000001048D000-memory.dmp

                                                      Filesize

                                                      52KB

                                                      Download

                                                    • memory/1396-104-0x00000000104B0000-0x00000000104BD000-memory.dmp

                                                      Filesize

                                                      52KB

                                                      Download

                                                    • memory/1396-64-0x0000000000270000-0x000000000027D000-memory.dmp

                                                      Filesize

                                                      52KB

                                                      Download

                                                    • memory/1396-68-0x0000000010450000-0x000000001045D000-memory.dmp

                                                      Filesize

                                                      52KB

                                                      Download

                                                    • memory/1396-59-0x0000000000260000-0x000000000026D000-memory.dmp

                                                      Filesize

                                                      52KB

                                                      Download

                                                    • memory/1396-74-0x0000000010460000-0x000000001046D000-memory.dmp

                                                      Filesize

                                                      52KB

                                                      Download

                                                    • memory/1396-62-0x0000000000400000-0x0000000000499000-memory.dmp

                                                      Filesize

                                                      612KB

                                                      Download

                                                    • memory/1396-92-0x0000000010490000-0x000000001049D000-memory.dmp

                                                      Filesize

                                                      52KB

                                                      Download

                                                    • memory/1396-80-0x0000000010470000-0x000000001047D000-memory.dmp

                                                      Filesize

                                                      52KB

                                                      Download

                                                    • memory/1396-98-0x00000000104A0000-0x00000000104AD000-memory.dmp

                                                      Filesize

                                                      52KB

                                                      Download

                                                    • memory/1396-55-0x0000000010410000-0x0000000010443000-memory.dmp

                                                      Filesize

                                                      204KB

                                                      Download

                                                    • memory/1396-110-0x00000000104C0000-0x00000000104CD000-memory.dmp

                                                      Filesize

                                                      52KB

                                                      Download

                                                    • memory/1396-116-0x00000000104D0000-0x00000000104DD000-memory.dmp

                                                      Filesize

                                                      52KB

                                                      Download

                                                    • memory/1396-122-0x00000000104E0000-0x00000000104ED000-memory.dmp

                                                      Filesize

                                                      52KB

                                                      Download

                                                    • memory/1396-128-0x00000000104F0000-0x00000000104FD000-memory.dmp

                                                      Filesize

                                                      52KB

                                                      Download

                                                    We care about your privacy.

                                                    This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.