Overview

overview

10

Static

static

1

82d48c9bb4...0f.exe

windows7-x64

10

82d48c9bb4...0f.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    149s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230703-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
  • submitted
    19-08-2023 01:46

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    82d48c9bb4936387228e0de374d235ac364bd4011519b988623707cb7025150f.exe

  • Size

    421KB

  • MD5

    92b8b8d35ba16bf772e1c3c55972ccda

  • SHA1

    4cb1fcef30fdcfe0f590ba1f223787939257ba36

  • SHA256

    82d48c9bb4936387228e0de374d235ac364bd4011519b988623707cb7025150f

  • SHA512

    fed3b35b7f131fc80ca8d21f697ea0e91f3b9ed04eb36087b5d652a3396ce46e649dd6f401839ca0235a1c7bcd7e777c7cf27898ae00fe3dfe1712f0064b6be6

  • SSDEEP

    6144:vmOPuFNlaapl0zQwY0CyKlBGfpnAW4VKDkjdl8Jp42KcUMhmtL6Rt93WhX3A1maq:AlhpcCyKOf8l8D42XmxOt93OXQ1eoU

Score
7/10

Malware Config

Signatures

  • Checks QEMU agent file 2 TTPs 2 IoCs

    Checks presence of QEMU agent, possibly to detect virtualization.

  • Loads dropped DLL 2 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of WriteProcessMemory 5 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\82d48c9bb4936387228e0de374d235ac364bd4011519b988623707cb7025150f.exe
    "C:\Users\Admin\AppData\Local\Temp\82d48c9bb4936387228e0de374d235ac364bd4011519b988623707cb7025150f.exe"
    1⤵
    • Checks QEMU agent file
    • Loads dropped DLL
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious use of SetThreadContext
    • Drops file in Windows directory
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of WriteProcessMemory
    PID:4728
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe
      "C:\Users\Admin\AppData\Local\Temp\82d48c9bb4936387228e0de374d235ac364bd4011519b988623707cb7025150f.exe"
      2⤵
      • Checks QEMU agent file
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      PID:3484

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\nsd67B4.tmp\System.dll
    Filesize

    11KB

    MD5

    9625d5b1754bc4ff29281d415d27a0fd

    SHA1

    80e85afc5cccd4c0a3775edbb90595a1a59f5ce0

    SHA256

    c2f405d7402f815d0c3fadd9a50f0bbbb1bab9aa38fe347823478a2587299448

    SHA512

    dce52b640897c2e8dbfd0a1472d5377fa91fb9cf1aeff62604d014bccbe5b56af1378f173132abeb0edd18c225b9f8f5e3d3e72434aed946661e036c779f165b

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\nsd67B4.tmp\System.dll
    Filesize

    11KB

    MD5

    9625d5b1754bc4ff29281d415d27a0fd

    SHA1

    80e85afc5cccd4c0a3775edbb90595a1a59f5ce0

    SHA256

    c2f405d7402f815d0c3fadd9a50f0bbbb1bab9aa38fe347823478a2587299448

    SHA512

    dce52b640897c2e8dbfd0a1472d5377fa91fb9cf1aeff62604d014bccbe5b56af1378f173132abeb0edd18c225b9f8f5e3d3e72434aed946661e036c779f165b

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\nsd67B4.tmp\System.dll
    Filesize

    11KB

    MD5

    9625d5b1754bc4ff29281d415d27a0fd

    SHA1

    80e85afc5cccd4c0a3775edbb90595a1a59f5ce0

    SHA256

    c2f405d7402f815d0c3fadd9a50f0bbbb1bab9aa38fe347823478a2587299448

    SHA512

    dce52b640897c2e8dbfd0a1472d5377fa91fb9cf1aeff62604d014bccbe5b56af1378f173132abeb0edd18c225b9f8f5e3d3e72434aed946661e036c779f165b

    Download Submit

  • memory/3484-147-0x0000000000400000-0x00000000005E4000-memory.dmp

    Filesize

    1.9MB

    Download

  • memory/3484-148-0x0000000077058000-0x0000000077059000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3484-149-0x0000000077075000-0x0000000077076000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3484-150-0x0000000076FD1000-0x00000000770F1000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/3484-151-0x0000000000400000-0x00000000005E4000-memory.dmp

    Filesize

    1.9MB

    Download

  • memory/4728-144-0x0000000076FD1000-0x00000000770F1000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/4728-145-0x0000000076FD1000-0x00000000770F1000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/4728-146-0x0000000010000000-0x0000000010006000-memory.dmp

    Filesize

    24KB

    Download