Overview

overview

10

Static

static

7

6cb49d3f6d...64.exe

windows7-x64

10

6cb49d3f6d...64.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    9s
  • max time network
    44s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230703-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
  • submitted
    22-08-2023 20:42

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    6cb49d3f6d99c8ff229760ae6f3281abf3ff4aa7c3d10665054dff086c9b7464.exe

  • Size

    1.9MB

  • MD5

    85aba7f3204c97acd594fc5d659f04a0

  • SHA1

    8ed930bf5adc538dcff3059dc3db9a5d5c5b93d3

  • SHA256

    6cb49d3f6d99c8ff229760ae6f3281abf3ff4aa7c3d10665054dff086c9b7464

  • SHA512

    c359458aeb61b3fb4fb620c7802c915f1d454f5c3fead9dc999f53082c7e3e23bc5ecdcb5f8b8c96952aabdaad038f9297ff8f24cb19d3b0ed51b3deb7468be9

  • SSDEEP

    24576:2CKSYYOkx2LFJvj0oxv2Dezv/tx3yOkx2LFrJbKkKF/eMNPjM:2/SlQXvvV2yzFx3EQT9KFeMO

Score
10/10
upx

Malware Config

Signatures

  • Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
  • Drops file in Drivers directory 1 IoCs
  • Executes dropped EXE 1 IoCs
  • UPX packed file 3 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Unexpected DNS network traffic destination 1 IoCs

    Network traffic to other servers than the configured DNS servers was detected on the DNS port.

  • Drops file in System32 directory 11 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Modifies data under HKEY_USERS 9 IoCs
  • Suspicious behavior: EnumeratesProcesses 14 IoCs
  • Suspicious behavior: LoadsDriver 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 15 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Windows\system32\winlogon.exe
    winlogon.exe
    1⤵
      PID:612
      • C:\ProgramData\Microsoft\bthudtask.exe
        "C:\ProgramData\Microsoft\bthudtask.exe"
        2⤵
        • Drops file in Drivers directory
        • Executes dropped EXE
        • Drops file in System32 directory
        • Drops file in Windows directory
        • Modifies data under HKEY_USERS
        • Suspicious use of AdjustPrivilegeToken
        PID:1240
    • C:\Windows\Explorer.EXE
      C:\Windows\Explorer.EXE
      1⤵
      • Suspicious use of NtCreateUserProcessOtherParentProcess
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3168
      • C:\Users\Admin\AppData\Local\Temp\6cb49d3f6d99c8ff229760ae6f3281abf3ff4aa7c3d10665054dff086c9b7464.exe
        "C:\Users\Admin\AppData\Local\Temp\6cb49d3f6d99c8ff229760ae6f3281abf3ff4aa7c3d10665054dff086c9b7464.exe"
        2⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:3968
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /c timeout /t 1 & del /Q /F "C:\Users\Admin\AppData\Local\Temp\6cb49d3f6d99c8ff229760ae6f3281abf3ff4aa7c3d10665054dff086c9b7464.exe"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:1676
          • C:\Windows\SysWOW64\timeout.exe
            timeout /t 1
            4⤵
            • Delays execution with timeout.exe
            PID:4856

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\ProgramData\Microsoft\bthudtask.exe
      Filesize

      39KB

      MD5

      4dcd6fcabf20fbc8bfb11a9f6e4b77f0

      SHA1

      233eac2bed59b8fe167c1501ac3fda48b32a1b0c

      SHA256

      cf5ae95c9fdafe5f0cc9d7010412e84502fe66ad60f57dfdf68735b9315ff444

      SHA512

      b4293a438ba9d41e446bfb1bca3a4df4ab009882b7df2eda61607cfef77a397f6ae3c3532dc1addaa9553a0bc9f3e756d3ac377a69cf1ae537638f618e666ea3

      Download Submit

    • memory/612-156-0x0000025FEC4F0000-0x0000025FEC518000-memory.dmp

      Filesize

      160KB

      Download

    • memory/612-153-0x0000025FEC4E0000-0x0000025FEC4E3000-memory.dmp

      Filesize

      12KB

      Download

    • memory/1240-150-0x00007FFCDD9D0000-0x00007FFCDD9E0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1240-147-0x00000141BD5A0000-0x00000141BD66B000-memory.dmp

      Filesize

      812KB

      Download

    • memory/1240-190-0x0000025FEC4F0000-0x0000025FEC518000-memory.dmp

      Filesize

      160KB

      Download

    • memory/1240-189-0x00007FFCDD9D0000-0x00007FFCDD9E0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1240-151-0x00000141BD5A0000-0x00000141BD66B000-memory.dmp

      Filesize

      812KB

      Download

    • memory/1240-149-0x00000141BD5A0000-0x00000141BD66B000-memory.dmp

      Filesize

      812KB

      Download

    • memory/3168-135-0x0000000003030000-0x0000000003033000-memory.dmp

      Filesize

      12KB

      Download

    • memory/3168-137-0x0000000003030000-0x0000000003033000-memory.dmp

      Filesize

      12KB

      Download

    • memory/3168-143-0x00000000094B0000-0x00000000095A9000-memory.dmp

      Filesize

      996KB

      Download

    • memory/3168-136-0x00000000088E0000-0x0000000008959000-memory.dmp

      Filesize

      484KB

      Download

    • memory/3168-134-0x0000000003030000-0x0000000003033000-memory.dmp

      Filesize

      12KB

      Download

    • memory/3168-170-0x00000000088E0000-0x0000000008959000-memory.dmp

      Filesize

      484KB

      Download

    • memory/3168-140-0x0000000003210000-0x0000000003213000-memory.dmp

      Filesize

      12KB

      Download

    • memory/3168-138-0x00000000088E0000-0x0000000008959000-memory.dmp

      Filesize

      484KB

      Download

    • memory/3168-191-0x00000000094B0000-0x00000000095A9000-memory.dmp

      Filesize

      996KB

      Download

    • memory/3968-133-0x0000000000750000-0x0000000000852000-memory.dmp

      Filesize

      1.0MB

      Download

    • memory/3968-155-0x0000000000750000-0x0000000000852000-memory.dmp

      Filesize

      1.0MB

      Download

    • memory/3968-163-0x0000000000750000-0x0000000000852000-memory.dmp

      Filesize

      1.0MB

      Download