Analysis

  • max time kernel
    102s
  • max time network
    31s
  • platform
    windows7_x64
  • resource
    win7-20230220-en
  • resource tags

    arch:x64 arch:x86 image:win7-20230220-en locale:en-us os:windows7-x64 system
  • submitted
    25-04-2023 15:17

General

  • Target

    28632077ab5107f5925ce6cf347060312015deffd1b8472e5b06e0c133f6ff40.exe

  • Size

    188KB

  • MD5

    469eb4d876c8bd2093e47d2474fbc59b

  • SHA1

    0ff84a77d24839137002c56e9ff60c7f92080ca8

  • SHA256

    28632077ab5107f5925ce6cf347060312015deffd1b8472e5b06e0c133f6ff40

  • SHA512

    73cd7507ad38e5958f7e82fef52282eb2793d4cd1290178f0d51c9884a27e80e81bb6af266b5984ba5dfef69edde322fecd898e305cdd7e4a57519caa7abd594

  • SSDEEP

    3072:aaCAV9WB4UAZgRAg9/QHn24V5hErB4UVY+3WECnG/7NX0UV5eYka6UYV:WkWWGRC2eGB5Y+rZX/HK77

Malware Config

Signatures

  • Modifies boot configuration data using bcdedit 1 TTPs 1 IoCs
  • Stops running service(s) 3 TTPs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • UPX packed file 2 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Adds Run key to start application 2 TTPs 9 IoCs
  • Launches sc.exe 1 IoCs

    Sc.exe is a Windows utility to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Kills process with taskkill 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 21 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 33 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\28632077ab5107f5925ce6cf347060312015deffd1b8472e5b06e0c133f6ff40.exe
    "C:\Users\Admin\AppData\Local\Temp\28632077ab5107f5925ce6cf347060312015deffd1b8472e5b06e0c133f6ff40.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:748
    • C:\Windows\system32\CMD.exe
      CMD /C RD %TEMP% /S/Q & MKDIR %TEMP%
      2⤵
      PID:1696
    • C:\Windows\system32\reg.exe
      reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f
      2⤵
      • Adds Run key to start application
      PID:360
    • C:\Windows\system32\reg.exe
      reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /f
      2⤵
      • Adds Run key to start application
      PID:576
    • C:\Windows\system32\reg.exe
      reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run" /f
      2⤵
      • Adds Run key to start application
      PID:1480
    • C:\Windows\system32\CMD.exe
      CMD /C %WINDIR%\sysnative\reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /f
      2⤵
      PID:1764
    • C:\Windows\system32\taskkill.exe
      taskkill /f /im msiexec.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:1352
    • C:\Windows\system32\bcdedit.exe
      bcdedit /set TESTSIGNING OFF
      2⤵
      • Modifies boot configuration data using bcdedit
      PID:1196
    • C:\Windows\system32\sc.exe
      sc delete syshost32
      2⤵
      • Launches sc.exe
      PID:1540
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" CMD /C DEL /F /S /Q "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\*.* "
      2⤵
      PID:1064
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" CMD /C DEL /F /S /Q "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\*.* "
      2⤵
      PID:744
    • C:\Windows\System32\notepad.exe
      "C:\Windows\System32\notepad.exe"
      2⤵
      PID:1968

Network

MITRE ATT&CK Enterprise v6

Downloads

  • memory/748-54-0x000000013F2A0000-0x00000001402A0000-memory.dmp

    Filesize

    16.0MB

  • memory/748-64-0x000000013F2A0000-0x00000001402A0000-memory.dmp

    Filesize

    16.0MB