Overview

overview

7

Static

static

7

athena_pub_free.exe

windows7-x64

7

athena_pub_free.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    151s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230221-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system
  • submitted
    07/06/2023, 15:45

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    athena_pub_free.exe

  • Size

    809KB

  • MD5

    6f7b16c33986fbfde47534524a5f8d8d

  • SHA1

    c0a9d3357ddf611cac70505475652976eebf696f

  • SHA256

    ce21f4bdad7ec8aabb8df47bde4cb8227bb414c8a1e977451770e6a5ffa6c538

  • SHA512

    f3bc1e207d84f25c713ccdce6da281ffcf12f031f7dc926ed8f07af9ee6215ceddd5ec1a4f6c658d0a24cdee45cf0f9aa818e6f8c562abecdcec5f8ea71a4010

  • SSDEEP

    12288:VXe9PPlowWX0t6mOQwg1Qd15CcYk0We1HDpe+uJ5l1QHq1c7dGuW2pKcDgtFtfyL:chloDX0XOf4ze+uJ5nPc7CyXNNj

Score
7/10
persistenceupx

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • UPX packed file 21 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • AutoIT Executable 17 IoCs

    AutoIT scripts compiled to PE executables.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • NTFS ADS 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\athena_pub_free.exe
    "C:\Users\Admin\AppData\Local\Temp\athena_pub_free.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • NTFS ADS
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of WriteProcessMemory
    PID:3724
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c schtasks /create /tn CZMTXM.exe /tr C:\Users\Admin\AppData\Roaming\Windata\EHGWII.exe /sc minute /mo 1
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4780
      • C:\Windows\SysWOW64\schtasks.exe
        schtasks /create /tn CZMTXM.exe /tr C:\Users\Admin\AppData\Roaming\Windata\EHGWII.exe /sc minute /mo 1
        3⤵
        • Creates scheduled task(s)
        PID:3736
    • C:\Windows\SysWOW64\WSCript.exe
      WSCript C:\Users\Admin\AppData\Local\Temp\CZMTXM.vbs
      2⤵
        PID:1904
    • C:\Users\Admin\AppData\Roaming\Windata\EHGWII.exe
      C:\Users\Admin\AppData\Roaming\Windata\EHGWII.exe
      1⤵
      • Executes dropped EXE
      PID:3028
    • C:\Users\Admin\AppData\Roaming\Windata\EHGWII.exe
      C:\Users\Admin\AppData\Roaming\Windata\EHGWII.exe
      1⤵
      • Executes dropped EXE
      PID:4760

    Network

          MITRE ATT&CK Enterprise v6

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Local\Temp\CZMTXM.vbs
            Filesize

            850B

            MD5

            bd814346dd5876c4fadb606f068e8c23

            SHA1

            3712110dfda82806608a035d8293c727f557b4d8

            SHA256

            af84b98001a4ddeadaa79bfc9c2c652e1a9b8e0eaf75e1fe8f1d17367453b5a2

            SHA512

            df864bbde57d7de10024b657968410348e27aa1ae00e925b18716139cb19d793dbfbac3d082aceff322601e26209e9efa2d6d46eda85909145802003fbd53b72

            Download Submit

          • C:\Users\Admin\AppData\Roaming\Windata\EHGWII.exe
            Filesize

            809KB

            MD5

            6f7b16c33986fbfde47534524a5f8d8d

            SHA1

            c0a9d3357ddf611cac70505475652976eebf696f

            SHA256

            ce21f4bdad7ec8aabb8df47bde4cb8227bb414c8a1e977451770e6a5ffa6c538

            SHA512

            f3bc1e207d84f25c713ccdce6da281ffcf12f031f7dc926ed8f07af9ee6215ceddd5ec1a4f6c658d0a24cdee45cf0f9aa818e6f8c562abecdcec5f8ea71a4010

            Download Submit

          • C:\Users\Admin\AppData\Roaming\Windata\EHGWII.exe
            Filesize

            809KB

            MD5

            6f7b16c33986fbfde47534524a5f8d8d

            SHA1

            c0a9d3357ddf611cac70505475652976eebf696f

            SHA256

            ce21f4bdad7ec8aabb8df47bde4cb8227bb414c8a1e977451770e6a5ffa6c538

            SHA512

            f3bc1e207d84f25c713ccdce6da281ffcf12f031f7dc926ed8f07af9ee6215ceddd5ec1a4f6c658d0a24cdee45cf0f9aa818e6f8c562abecdcec5f8ea71a4010

            Download Submit

          • C:\Users\Admin\AppData\Roaming\Windata\EHGWII.exe
            Filesize

            809KB

            MD5

            6f7b16c33986fbfde47534524a5f8d8d

            SHA1

            c0a9d3357ddf611cac70505475652976eebf696f

            SHA256

            ce21f4bdad7ec8aabb8df47bde4cb8227bb414c8a1e977451770e6a5ffa6c538

            SHA512

            f3bc1e207d84f25c713ccdce6da281ffcf12f031f7dc926ed8f07af9ee6215ceddd5ec1a4f6c658d0a24cdee45cf0f9aa818e6f8c562abecdcec5f8ea71a4010

            Download Submit

          • memory/3028-146-0x0000000000830000-0x00000000009F4000-memory.dmp

            Filesize

            1.8MB

            Download

          • memory/3724-143-0x0000000000220000-0x00000000003E4000-memory.dmp

            Filesize

            1.8MB

            Download

          • memory/3724-153-0x0000000000220000-0x00000000003E4000-memory.dmp

            Filesize

            1.8MB

            Download

          • memory/3724-142-0x0000000000220000-0x00000000003E4000-memory.dmp

            Filesize

            1.8MB

            Download

          • memory/3724-141-0x0000000000220000-0x00000000003E4000-memory.dmp

            Filesize

            1.8MB

            Download

          • memory/3724-147-0x0000000000220000-0x00000000003E4000-memory.dmp

            Filesize

            1.8MB

            Download

          • memory/3724-148-0x0000000000220000-0x00000000003E4000-memory.dmp

            Filesize

            1.8MB

            Download

          • memory/3724-149-0x0000000000220000-0x00000000003E4000-memory.dmp

            Filesize

            1.8MB

            Download

          • memory/3724-151-0x0000000000220000-0x00000000003E4000-memory.dmp

            Filesize

            1.8MB

            Download

          • memory/3724-152-0x0000000000220000-0x00000000003E4000-memory.dmp

            Filesize

            1.8MB

            Download

          • memory/3724-133-0x0000000000220000-0x00000000003E4000-memory.dmp

            Filesize

            1.8MB

            Download

          • memory/3724-140-0x0000000000220000-0x00000000003E4000-memory.dmp

            Filesize

            1.8MB

            Download

          • memory/3724-160-0x0000000000220000-0x00000000003E4000-memory.dmp

            Filesize

            1.8MB

            Download

          • memory/3724-156-0x0000000000220000-0x00000000003E4000-memory.dmp

            Filesize

            1.8MB

            Download

          • memory/3724-157-0x0000000000220000-0x00000000003E4000-memory.dmp

            Filesize

            1.8MB

            Download

          • memory/3724-158-0x0000000000220000-0x00000000003E4000-memory.dmp

            Filesize

            1.8MB

            Download

          • memory/3724-159-0x0000000000220000-0x00000000003E4000-memory.dmp

            Filesize

            1.8MB

            Download

          • memory/4760-155-0x0000000000830000-0x00000000009F4000-memory.dmp

            Filesize

            1.8MB

            Download