Overview

overview

8

Static

static

db51d4e238...c0.exe

windows7-x64

8

db51d4e238...c0.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    153s
  • max time network
    174s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
  • submitted
    06/12/2022, 15:35

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    db51d4e238523e7ac7363388b5b11feb4f02f2ebc186b69b4b92eb64363e44c0.exe

  • Size

    529KB

  • MD5

    23d856899a2c11ae7a53b052a9c3196b

  • SHA1

    56b5728777ebe1b88bf595e771974e3467b67bcc

  • SHA256

    db51d4e238523e7ac7363388b5b11feb4f02f2ebc186b69b4b92eb64363e44c0

  • SHA512

    9dd389c5dc3e0ae759cbe4d76829c54682cf53e860b062d14b389b551b9c6487634e71529f175f08fc9fb2e5e5f92a4379f03a5a2c9d5908a16541678746edcf

  • SSDEEP

    12288:o/bkjKz+EFmhlot+zB1xINdSrvvnAXlS2oh+SOqQFHynlJWv0:3i38nxINdSDvn8S2cZOdHynGv

Score
8/10
persistenceupx

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • UPX packed file 3 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SendNotifyMessage 2 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\db51d4e238523e7ac7363388b5b11feb4f02f2ebc186b69b4b92eb64363e44c0.exe
    "C:\Users\Admin\AppData\Local\Temp\db51d4e238523e7ac7363388b5b11feb4f02f2ebc186b69b4b92eb64363e44c0.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3140
    • C:\ProgramData\mM28604ClJeM28604\mM28604ClJeM28604.exe
      "C:\ProgramData\mM28604ClJeM28604\mM28604ClJeM28604.exe" "C:\Users\Admin\AppData\Local\Temp\db51d4e238523e7ac7363388b5b11feb4f02f2ebc186b69b4b92eb64363e44c0.exe"
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of SetWindowsHookEx
      PID:4372

Network

        MITRE ATT&CK Enterprise v6

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\ProgramData\mM28604ClJeM28604\mM28604ClJeM28604.exe
          Filesize

          529KB

          MD5

          be0409fa7d68eb04ef0592741d8beb55

          SHA1

          806ff77bfc33847861e097e0fb8d35a9bd8ab748

          SHA256

          3fc9f35533c8e4dda5d6db7142806f4abe933b07ab82a487669537d436fca767

          SHA512

          f34b2a5f80267234642302f3cb29771eaa8e80e2a9bd5b93d7cde503dac36e5c158a38c055bfb9307c0dd6b8de8577ec759560cbd1b43c6e720c7b291bd53e2c

          Download Submit

        • C:\ProgramData\mM28604ClJeM28604\mM28604ClJeM28604.exe
          Filesize

          529KB

          MD5

          be0409fa7d68eb04ef0592741d8beb55

          SHA1

          806ff77bfc33847861e097e0fb8d35a9bd8ab748

          SHA256

          3fc9f35533c8e4dda5d6db7142806f4abe933b07ab82a487669537d436fca767

          SHA512

          f34b2a5f80267234642302f3cb29771eaa8e80e2a9bd5b93d7cde503dac36e5c158a38c055bfb9307c0dd6b8de8577ec759560cbd1b43c6e720c7b291bd53e2c

          Download Submit

        • memory/3140-132-0x0000000000400000-0x00000000004D9000-memory.dmp

          Filesize

          868KB

          Download

        • memory/3140-133-0x0000000000734000-0x0000000000780000-memory.dmp

          Filesize

          304KB

          Download

        • memory/3140-137-0x0000000000400000-0x00000000004D9000-memory.dmp

          Filesize

          868KB

          Download

        • memory/4372-138-0x0000000000400000-0x00000000004D9000-memory.dmp

          Filesize

          868KB

          Download

        • memory/4372-139-0x0000000000734000-0x0000000000780000-memory.dmp

          Filesize

          304KB

          Download

        • memory/4372-140-0x0000000000734000-0x0000000000780000-memory.dmp

          Filesize

          304KB

          Download