Overview

overview

8

Static

static

7

78bfcc0855...e2.exe

windows7-x64

8

78bfcc0855...e2.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    19s
  • max time network
    71s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230703-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
  • submitted
    16-08-2023 06:43

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    78bfcc08559801a33ca17235700b47830f79de64cd98f7b3cd66f0e39a12f7e2.exe

  • Size

    889KB

  • MD5

    5268552703cd4f4010dab6f951dec767

  • SHA1

    93fadc984be53aca832c8c9188e3f15d02a96494

  • SHA256

    78bfcc08559801a33ca17235700b47830f79de64cd98f7b3cd66f0e39a12f7e2

  • SHA512

    5c58829464bf73f475a27fae47639d9cbf2dc985526ba7eed7284476c14df948a4e5d85f0777305cf175b70bc4305b13dc4e3c0ff10182e181d24028b57b3a91

  • SSDEEP

    6144:RJ1etoAWIVpTiAKhft1JEqwLcEOkCybEaQRXr9HNdvOa7AXGSqLr4Eza:XAoo7i5FMqwTOkx2LIa0EC

Score
8/10
upx

Malware Config

Signatures

  • Drops file in Drivers directory 1 IoCs
  • Executes dropped EXE 3 IoCs
  • UPX packed file 8 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Unexpected DNS network traffic destination 1 IoCs

    Network traffic to other servers than the configured DNS servers was detected on the DNS port.

  • Drops file in System32 directory 14 IoCs
  • Drops file in Program Files directory 2 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Delays execution with timeout.exe 2 IoCs
    evasion
  • Modifies data under HKEY_USERS 9 IoCs
  • Suspicious behavior: EnumeratesProcesses 20 IoCs
  • Suspicious behavior: LoadsDriver 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 15 IoCs
  • Suspicious use of WriteProcessMemory 29 IoCs

Processes

  • C:\Windows\system32\winlogon.exe
    winlogon.exe
    1⤵
      PID:612
    • C:\Windows\Explorer.EXE
      C:\Windows\Explorer.EXE
      1⤵
      • Drops file in Program Files directory
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:780
      • C:\Users\Admin\AppData\Local\Temp\78bfcc08559801a33ca17235700b47830f79de64cd98f7b3cd66f0e39a12f7e2.exe
        "C:\Users\Admin\AppData\Local\Temp\78bfcc08559801a33ca17235700b47830f79de64cd98f7b3cd66f0e39a12f7e2.exe"
        2⤵
        • Drops file in System32 directory
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:3904
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /c timeout /t 1 & del /Q /F "C:\Users\Admin\AppData\Local\Temp\78bfcc08559801a33ca17235700b47830f79de64cd98f7b3cd66f0e39a12f7e2.exe"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:3052
          • C:\Windows\SysWOW64\timeout.exe
            timeout /t 1
            4⤵
            • Delays execution with timeout.exe
            PID:3744
      • C:\Program Files\poqexec.exe
        "C:\Program Files\poqexec.exe"
        2⤵
        • Executes dropped EXE
        PID:400
      • C:\Windows\Fonts\quser.exe
        "C:\Windows\Fonts\quser.exe"
        2⤵
        • Drops file in Drivers directory
        • Executes dropped EXE
        • Drops file in System32 directory
        • Drops file in Windows directory
        • Suspicious use of AdjustPrivilegeToken
        PID:4044
    • C:\Windows\Syswow64\4b317fbd
      C:\Windows\Syswow64\4b317fbd
      1⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • Modifies data under HKEY_USERS
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4880
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c timeout /t 1 & del /Q /F "C:\Windows\Syswow64\4b317fbd"
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:4676
        • C:\Windows\SysWOW64\timeout.exe
          timeout /t 1
          3⤵
          • Delays execution with timeout.exe
          PID:4380

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Program Files\poqexec.exe
      Filesize

      484KB

      MD5

      defcc0454e7e15f7d877b707aeeb9b79

      SHA1

      8db1eaa60c575408c512e8bfb2ecd91d3e88cc49

      SHA256

      6855191b0d3bf5ee5a0d931c68a005032229bf110cbf51c31a33adbb5c64cecd

      SHA512

      315a87dd502db1db8b6c2f47a7411fca7ae95d3ae3d09e6dc45a71e1743142632ca17e8c0a2cf45d31164650169b43e10a9c0d98edee134a004a8346ce51bf54

      Download Submit

    • C:\Windows\Fonts\quser.exe
      Filesize

      25KB

      MD5

      480868aeba9c04ca04d641d5ed29937b

      SHA1

      d675361b748caf22a3c1c275ccff2d472245099c

      SHA256

      766c791edfa6eeeba0f99d6481bfe23bf59e6acb81a930b71f3aa33efbafe544

      SHA512

      8e5bf5d46ecbecf552295a9ae938becd82f18acc643256c203f8dd5538292198d10f6c3ca1571b5110ad279280caf4778e64b937be86d5a9b87f30a126893ff8

      Download Submit

    • C:\Windows\SysWOW64\4b317fbd
      Filesize

      889KB

      MD5

      1385903b1d0038a401a062f780e1a9d2

      SHA1

      5b7e5a616aba07d2d87f80dd3b95ca0471b44328

      SHA256

      ef657200860d021ac187160099753911336f5de027c252de1e152110ee56d320

      SHA512

      96e6a107c76bd80e617433b2e586e43dd59cd36a4a603b38610a4d038d5b61e433ba51ebaca14184bee4ca3045423eed7987a440ef176bb71cd755ad45a31871

      Download Submit

    • C:\Windows\SysWOW64\4b317fbd
      Filesize

      889KB

      MD5

      1385903b1d0038a401a062f780e1a9d2

      SHA1

      5b7e5a616aba07d2d87f80dd3b95ca0471b44328

      SHA256

      ef657200860d021ac187160099753911336f5de027c252de1e152110ee56d320

      SHA512

      96e6a107c76bd80e617433b2e586e43dd59cd36a4a603b38610a4d038d5b61e433ba51ebaca14184bee4ca3045423eed7987a440ef176bb71cd755ad45a31871

      Download Submit

    • memory/612-158-0x0000017100140000-0x0000017100168000-memory.dmp

      Filesize

      160KB

      Download

    • memory/780-170-0x0000000008AD0000-0x0000000008BC7000-memory.dmp

      Filesize

      988KB

      Download

    • memory/780-138-0x0000000003100000-0x0000000003103000-memory.dmp

      Filesize

      12KB

      Download

    • memory/780-139-0x0000000003100000-0x0000000003103000-memory.dmp

      Filesize

      12KB

      Download

    • memory/780-140-0x0000000003100000-0x0000000003103000-memory.dmp

      Filesize

      12KB

      Download

    • memory/780-141-0x0000000008AD0000-0x0000000008BC7000-memory.dmp

      Filesize

      988KB

      Download

    • memory/3904-154-0x0000000000120000-0x00000000001AE000-memory.dmp

      Filesize

      568KB

      Download

    • memory/3904-133-0x0000000000120000-0x00000000001AE000-memory.dmp

      Filesize

      568KB

      Download

    • memory/3904-166-0x0000000000120000-0x00000000001AE000-memory.dmp

      Filesize

      568KB

      Download

    • memory/4044-175-0x0000029B88B60000-0x0000029B88C2B000-memory.dmp

      Filesize

      812KB

      Download

    • memory/4044-155-0x0000029B88B60000-0x0000029B88C2B000-memory.dmp

      Filesize

      812KB

      Download

    • memory/4044-153-0x00007FF956370000-0x00007FF956380000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4044-150-0x0000029B88B60000-0x0000029B88C2B000-memory.dmp

      Filesize

      812KB

      Download

    • memory/4044-149-0x0000029B87100000-0x0000029B87103000-memory.dmp

      Filesize

      12KB

      Download

    • memory/4044-152-0x0000029B88B60000-0x0000029B88C2B000-memory.dmp

      Filesize

      812KB

      Download

    • memory/4044-192-0x0000029B892C0000-0x0000029B892C1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4044-191-0x00007FF956370000-0x00007FF956380000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4880-159-0x0000000000930000-0x00000000009BE000-memory.dmp

      Filesize

      568KB

      Download

    • memory/4880-174-0x0000000000930000-0x00000000009BE000-memory.dmp

      Filesize

      568KB

      Download

    • memory/4880-137-0x0000000000930000-0x00000000009BE000-memory.dmp

      Filesize

      568KB

      Download