Overview

overview

10

Static

static

1546b36e98...70.exe

windows7-x64

10

1546b36e98...70.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    226s
  • max time network
    309s
  • platform
    windows7_x64
  • resource
    win7-20221111-en
  • resource tags

    arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
  • submitted
    05/12/2022, 15:48

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    1546b36e987b73fc65accc5b0c1c885224bd4a6d97f2d0a7ae41e079dfe9b770.exe

  • Size

    57KB

  • MD5

    35e31932ceaac4665ae78504c51bc193

  • SHA1

    58ff7642da3251bfaecdd21b590a3a727481a314

  • SHA256

    1546b36e987b73fc65accc5b0c1c885224bd4a6d97f2d0a7ae41e079dfe9b770

  • SHA512

    1cb3eda27a34a49f7af8f6fedd8aaf42a5483b61ded9901d87c2137b47db6aff2cc2493e4bc5b910612f9ce6b18ddd5e7a39d49fc6dc764421f726143dc412d3

  • SSDEEP

    768:G+w2ABUMRfepD7H3az61T818/gy0ScBJX5vXQkdAlaf57vvJYlpUxbaSz:GuZj3aSV/rcPlBdAa7vqlpUxba

Score
10/10
persistenceupx

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
    persistence
  • UPX packed file 8 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: MapViewOfSection 2 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1546b36e987b73fc65accc5b0c1c885224bd4a6d97f2d0a7ae41e079dfe9b770.exe
    "C:\Users\Admin\AppData\Local\Temp\1546b36e987b73fc65accc5b0c1c885224bd4a6d97f2d0a7ae41e079dfe9b770.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:872
    • C:\Users\Admin\AppData\Local\Temp\1546b36e987b73fc65accc5b0c1c885224bd4a6d97f2d0a7ae41e079dfe9b770.exe
      "C:\Users\Admin\AppData\Local\Temp\1546b36e987b73fc65accc5b0c1c885224bd4a6d97f2d0a7ae41e079dfe9b770.exe"
      2⤵
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious behavior: MapViewOfSection
      PID:1120
  • C:\Windows\syswow64\svchost.exe
    "C:\Windows\syswow64\svchost.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:704
    • C:\Windows\SysWOW64\ctfmon.exe
      ctfmon.exe
      2⤵
      • Suspicious use of FindShellTrayWindow
      PID:924

Network

        MITRE ATT&CK Enterprise v6

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • memory/704-70-0x0000000075FF1000-0x0000000075FF3000-memory.dmp

          Filesize

          8KB

          Download

        • memory/872-62-0x0000000000400000-0x0000000000412000-memory.dmp

          Filesize

          72KB

          Download

        • memory/872-54-0x0000000000400000-0x0000000000412000-memory.dmp

          Filesize

          72KB

          Download

        • memory/1120-64-0x0000000000400000-0x0000000000417000-memory.dmp

          Filesize

          92KB

          Download

        • memory/1120-59-0x0000000000400000-0x0000000000417000-memory.dmp

          Filesize

          92KB

          Download

        • memory/1120-63-0x0000000000400000-0x0000000000417000-memory.dmp

          Filesize

          92KB

          Download

        • memory/1120-58-0x0000000000400000-0x0000000000417000-memory.dmp

          Filesize

          92KB

          Download

        • memory/1120-65-0x0000000000400000-0x0000000000417000-memory.dmp

          Filesize

          92KB

          Download

        • memory/1120-66-0x0000000000400000-0x0000000000417000-memory.dmp

          Filesize

          92KB

          Download

        • memory/1120-67-0x0000000000400000-0x0000000000417000-memory.dmp

          Filesize

          92KB

          Download

        • memory/1120-56-0x0000000000400000-0x0000000000417000-memory.dmp

          Filesize

          92KB

          Download

        • memory/1120-55-0x0000000000400000-0x0000000000417000-memory.dmp

          Filesize

          92KB

          Download

        • memory/1244-68-0x0000000077A90000-0x0000000077C39000-memory.dmp

          Filesize

          1.7MB

          Download

        • memory/1244-69-0x00000000029A0000-0x00000000029A7000-memory.dmp

          Filesize

          28KB

          Download