Overview

overview

8

Static

static

8

8a785d7740...f1.exe

windows7-x64

8

8a785d7740...f1.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    90s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
  • submitted
    26-12-2022 10:58

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    8a785d77405ec5fa2a2809481d2ae3ccc39ebe9a22936b770ebf62aa4a6db8f1.exe

  • Size

    424KB

  • MD5

    be71a43737fe449b1f23280c6d8b2c41

  • SHA1

    8dc4b2be324495fb0590fff2b0435db5c8a0c966

  • SHA256

    8a785d77405ec5fa2a2809481d2ae3ccc39ebe9a22936b770ebf62aa4a6db8f1

  • SHA512

    b5a49369156762442468802daf5746be7d1cfcaf9291833fd8df1dc259717a4b3e924ef09aedc351dfb2fe89f4f9318d3808783268128ffcae1a1b7619985da0

  • SSDEEP

    6144:JHEmrnWIHf5Kt4m6bkyotM4dxtsXgrNfl0EUl0srjnLoy:JHEmjH/5KtEbkRtM0jflnUWILoy

Score
8/10
persistenceupx

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • UPX packed file 7 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\8a785d77405ec5fa2a2809481d2ae3ccc39ebe9a22936b770ebf62aa4a6db8f1.exe
    "C:\Users\Admin\AppData\Local\Temp\8a785d77405ec5fa2a2809481d2ae3ccc39ebe9a22936b770ebf62aa4a6db8f1.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4544
    • C:\users\Public\conlhost.exe
      "C:\users\Public\conlhost.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:1056
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c C:\users\Public\del.bat
        3⤵
          PID:116
        • C:\Windows\SysWOW64\REG.exe
          REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "allkeeper" /t REG_SZ /d "C:\users\Public\conlhost.exe" /f /reg:64
          3⤵
          • Adds Run key to start application
          PID:3484
        • C:\Windows\SysWOW64\REG.exe
          REG ADD "HKEY_CURRENT_USER\SOFTWARE" /v "crypted" /t REG_SZ /d "1" /reg:64
          3⤵
            PID:4668

      Network

      MITRE ATT&CK Enterprise v6

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Public\conlhost.exe
        Filesize

        424KB

        MD5

        c5aaf2ee1f64c9da26fbb58051e7335f

        SHA1

        818bebf49ba63fe5f49ab6b209df66c043986d11

        SHA256

        482fed10f60d432c1c5acc7f2def1306208e6bd9fea0d215643cffb2144c9f1c

        SHA512

        7acd457a8e105c1b661d0f153fb18cb96376119a10617190732f65f63b44f4aa56b140295ece4a7eb39dec2810a9fa73e80abb18e4f3e44ac74716524e28f882

        Download Submit

      • C:\users\Public\conlhost.exe
        Filesize

        424KB

        MD5

        c5aaf2ee1f64c9da26fbb58051e7335f

        SHA1

        818bebf49ba63fe5f49ab6b209df66c043986d11

        SHA256

        482fed10f60d432c1c5acc7f2def1306208e6bd9fea0d215643cffb2144c9f1c

        SHA512

        7acd457a8e105c1b661d0f153fb18cb96376119a10617190732f65f63b44f4aa56b140295ece4a7eb39dec2810a9fa73e80abb18e4f3e44ac74716524e28f882

        Download Submit

      • C:\users\Public\del.bat
        Filesize

        130B

        MD5

        5f5cdfa10f443290999bfe35ac997d0b

        SHA1

        dd6fbb8e678bbd62867de564f74512b8e8a9ac95

        SHA256

        66c631449f3e2dff233d83e5ad1bc88c0a021da94731c95e35990f470a4328ab

        SHA512

        513efc02cdd3446d6502040ddf83f5af9f513a39d02fdf4ee8b850f0db6879ffb9f2885f60657e909cc556d82e3aef05750e33ea716c51b6183ffc3701c14614

        Download Submit

      • memory/1056-140-0x0000000000740000-0x00000000007AE000-memory.dmp

        Filesize

        440KB

        Download

      • memory/1056-141-0x0000000000740000-0x00000000007AE000-memory.dmp

        Filesize

        440KB

        Download

      • memory/4544-132-0x0000000000390000-0x00000000003FE000-memory.dmp

        Filesize

        440KB

        Download

      • memory/4544-133-0x0000000000390000-0x00000000003FE000-memory.dmp

        Filesize

        440KB

        Download

      • memory/4544-137-0x0000000000390000-0x00000000003FE000-memory.dmp

        Filesize

        440KB

        Download