Overview

overview

8

Static

static

7

78bfcc0855...e2.exe

windows7-x64

8

78bfcc0855...e2.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    19s
  • max time network
    53s
  • platform
    windows7_x64
  • resource
    win7-20230712-en
  • resource tags

    arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
  • submitted
    16/08/2023, 06:43

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    78bfcc08559801a33ca17235700b47830f79de64cd98f7b3cd66f0e39a12f7e2.exe

  • Size

    889KB

  • MD5

    5268552703cd4f4010dab6f951dec767

  • SHA1

    93fadc984be53aca832c8c9188e3f15d02a96494

  • SHA256

    78bfcc08559801a33ca17235700b47830f79de64cd98f7b3cd66f0e39a12f7e2

  • SHA512

    5c58829464bf73f475a27fae47639d9cbf2dc985526ba7eed7284476c14df948a4e5d85f0777305cf175b70bc4305b13dc4e3c0ff10182e181d24028b57b3a91

  • SSDEEP

    6144:RJ1etoAWIVpTiAKhft1JEqwLcEOkCybEaQRXr9HNdvOa7AXGSqLr4Eza:XAoo7i5FMqwTOkx2LIa0EC

Score
8/10
upx

Malware Config

Signatures

  • Drops file in Drivers directory 1 IoCs
  • Deletes itself 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 1 IoCs
  • UPX packed file 9 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Unexpected DNS network traffic destination 1 IoCs

    Network traffic to other servers than the configured DNS servers was detected on the DNS port.

  • Drops file in System32 directory 11 IoCs
  • Drops file in Windows directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Delays execution with timeout.exe 2 IoCs
    evasion
  • Modifies data under HKEY_USERS 57 IoCs
  • Modifies system certificate store 2 TTPs 6 IoCs
    evasionspywaretrojan
  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious behavior: LoadsDriver 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 13 IoCs
  • Suspicious use of WriteProcessMemory 34 IoCs

Processes

  • C:\Windows\system32\winlogon.exe
    winlogon.exe
    1⤵
      PID:420
    • C:\Windows\Explorer.EXE
      C:\Windows\Explorer.EXE
      1⤵
      • Loads dropped DLL
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1192
      • C:\Users\Admin\AppData\Local\Temp\78bfcc08559801a33ca17235700b47830f79de64cd98f7b3cd66f0e39a12f7e2.exe
        "C:\Users\Admin\AppData\Local\Temp\78bfcc08559801a33ca17235700b47830f79de64cd98f7b3cd66f0e39a12f7e2.exe"
        2⤵
        • Drops file in System32 directory
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2488
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /c timeout /t 1 & del /Q /F "C:\Users\Admin\AppData\Local\Temp\78bfcc08559801a33ca17235700b47830f79de64cd98f7b3cd66f0e39a12f7e2.exe"
          3⤵
          • Deletes itself
          • Suspicious use of WriteProcessMemory
          PID:596
          • C:\Windows\SysWOW64\timeout.exe
            timeout /t 1
            4⤵
            • Delays execution with timeout.exe
            PID:2672
      • C:\Windows\Logs\shutdown.exe
        "C:\Windows\Logs\shutdown.exe"
        2⤵
        • Drops file in Drivers directory
        • Executes dropped EXE
        • Drops file in System32 directory
        • Drops file in Windows directory
        • Modifies system certificate store
        • Suspicious use of AdjustPrivilegeToken
        PID:1668
    • C:\Windows\Syswow64\94433b6
      C:\Windows\Syswow64\94433b6
      1⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • Modifies data under HKEY_USERS
      • Modifies system certificate store
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2828
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c timeout /t 1 & del /Q /F "C:\Windows\Syswow64\94433b6"
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:2036
        • C:\Windows\SysWOW64\timeout.exe
          timeout /t 1
          3⤵
          • Delays execution with timeout.exe
          PID:1964

    Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Local\Temp\TarB52D.tmp
            Filesize

            164KB

            MD5

            4ff65ad929cd9a367680e0e5b1c08166

            SHA1

            c0af0d4396bd1f15c45f39d3b849ba444233b3a2

            SHA256

            c8733c93cc5aaf5ca206d06af22ee8dbdec764fb5085019a6a9181feb9dfdee6

            SHA512

            f530dc0d024a5a3b8903ffaaa41b608a5ccdd6da4ba1949f2c2e55a9fca475fec5c8d2119b5763cabe7ef1c3788fb9dcac621869db51d65b1d83cfe404fb4c27

            Download Submit

          • C:\Windows\Logs\shutdown.exe
            Filesize

            33KB

            MD5

            afb0227374ddf86df2d8c2e4460ba92c

            SHA1

            f1c76ade438cb46a83961c8c3722d35af8bcdd37

            SHA256

            a9abe5b78deda854d09118996b748d6ad3b35da3238fba8660602361e7323eb5

            SHA512

            51ce4b16acc07542a5a75d3f389d9cc29fcc506cdf15471edbca0043b22cba662eeca07f09dbba43c9ce945fac8e38fc35b4909cbd21547c250d68f53edb7313

            Download Submit

          • C:\Windows\SysWOW64\94433b6
            Filesize

            889KB

            MD5

            1058a5280c3daa51e7d08db2de431ca6

            SHA1

            1aa51f9247d1fd46a3c4b6f0ebbacf3b44d5317a

            SHA256

            ac30d354530fe3e17eb73f9a7b2a6acaba2de7e52390d8effeb6131fe0302f80

            SHA512

            0cdfdaafb331fa607095fbbe490d1ee39dab2cadc8c10a932d88d5b506b6228a202d3f7e5e25fba665a784595b3a8609e28ea3a346f5aed856dc89758db265b4

            Download Submit

          • C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
            Filesize

            62KB

            MD5

            3ac860860707baaf32469fa7cc7c0192

            SHA1

            c33c2acdaba0e6fa41fd2f00f186804722477639

            SHA256

            d015145d551ecd14916270efad773bbc9fd57fad2228d2c24559f696c961d904

            SHA512

            d62ad2408c969a95550fb87efda50f988770ba5e39972041bf85924275baf156b8bec309ecc6409e5acdd37ec175dea40eff921ab58933b5b5b5d35a6147567c

            Download Submit

          • C:\Windows\Syswow64\94433b6
            Filesize

            889KB

            MD5

            1058a5280c3daa51e7d08db2de431ca6

            SHA1

            1aa51f9247d1fd46a3c4b6f0ebbacf3b44d5317a

            SHA256

            ac30d354530fe3e17eb73f9a7b2a6acaba2de7e52390d8effeb6131fe0302f80

            SHA512

            0cdfdaafb331fa607095fbbe490d1ee39dab2cadc8c10a932d88d5b506b6228a202d3f7e5e25fba665a784595b3a8609e28ea3a346f5aed856dc89758db265b4

            Download Submit

          • \Windows\Logs\shutdown.exe
            Filesize

            33KB

            MD5

            afb0227374ddf86df2d8c2e4460ba92c

            SHA1

            f1c76ade438cb46a83961c8c3722d35af8bcdd37

            SHA256

            a9abe5b78deda854d09118996b748d6ad3b35da3238fba8660602361e7323eb5

            SHA512

            51ce4b16acc07542a5a75d3f389d9cc29fcc506cdf15471edbca0043b22cba662eeca07f09dbba43c9ce945fac8e38fc35b4909cbd21547c250d68f53edb7313

            Download Submit

          • memory/420-101-0x0000000000920000-0x0000000000948000-memory.dmp

            Filesize

            160KB

            Download

          • memory/420-94-0x0000000000700000-0x0000000000703000-memory.dmp

            Filesize

            12KB

            Download

          • memory/1192-70-0x0000000002C00000-0x0000000002C03000-memory.dmp

            Filesize

            12KB

            Download

          • memory/1192-72-0x0000000002C00000-0x0000000002C03000-memory.dmp

            Filesize

            12KB

            Download

          • memory/1192-73-0x0000000006C60000-0x0000000006D57000-memory.dmp

            Filesize

            988KB

            Download

          • memory/1192-128-0x0000000006C60000-0x0000000006D57000-memory.dmp

            Filesize

            988KB

            Download

          • memory/1192-71-0x0000000002C00000-0x0000000002C03000-memory.dmp

            Filesize

            12KB

            Download

          • memory/1668-92-0x0000000000400000-0x00000000004CB000-memory.dmp

            Filesize

            812KB

            Download

          • memory/1668-77-0x0000000000110000-0x00000000001D3000-memory.dmp

            Filesize

            780KB

            Download

          • memory/1668-158-0x0000000001F60000-0x0000000001F61000-memory.dmp

            Filesize

            4KB

            Download

          • memory/1668-82-0x00000000001E0000-0x00000000001E3000-memory.dmp

            Filesize

            12KB

            Download

          • memory/1668-91-0x000007FEBE1E0000-0x000007FEBE1F0000-memory.dmp

            Filesize

            64KB

            Download

          • memory/1668-87-0x0000000000400000-0x00000000004CB000-memory.dmp

            Filesize

            812KB

            Download

          • memory/1668-156-0x0000000037BC0000-0x0000000037BD0000-memory.dmp

            Filesize

            64KB

            Download

          • memory/1668-89-0x0000000000400000-0x00000000004CB000-memory.dmp

            Filesize

            812KB

            Download

          • memory/1668-155-0x0000000000400000-0x00000000004CB000-memory.dmp

            Filesize

            812KB

            Download

          • memory/1668-145-0x0000000000400000-0x00000000004CB000-memory.dmp

            Filesize

            812KB

            Download

          • memory/1668-79-0x0000000000060000-0x0000000000061000-memory.dmp

            Filesize

            4KB

            Download

          • memory/2488-86-0x0000000000220000-0x00000000002AE000-memory.dmp

            Filesize

            568KB

            Download

          • memory/2488-54-0x0000000000220000-0x00000000002AE000-memory.dmp

            Filesize

            568KB

            Download

          • memory/2488-98-0x0000000000220000-0x00000000002AE000-memory.dmp

            Filesize

            568KB

            Download

          • memory/2828-127-0x00000000002C0000-0x000000000034E000-memory.dmp

            Filesize

            568KB

            Download

          • memory/2828-57-0x00000000002C0000-0x000000000034E000-memory.dmp

            Filesize

            568KB

            Download

          • memory/2828-90-0x00000000002C0000-0x000000000034E000-memory.dmp

            Filesize

            568KB

            Download

          • memory/2828-100-0x00000000002C0000-0x000000000034E000-memory.dmp

            Filesize

            568KB

            Download