Overview

overview

10

Static

static

7

3209e819ad...6c.exe

windows7-x64

10

3209e819ad...6c.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    153s
  • platform
    windows7_x64
  • resource
    win7-20230712-en
  • resource tags

    arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
  • submitted
    27-08-2023 00:12

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    3209e819ad074f3fdba7604eab332018b3729c03ad9ad2990ca9d7eac051af6c.exe

  • Size

    280KB

  • MD5

    786fff8a3b319c34577825df975ffe81

  • SHA1

    f3cd84e299a754d0f69aaeea9d87deca158a43e6

  • SHA256

    3209e819ad074f3fdba7604eab332018b3729c03ad9ad2990ca9d7eac051af6c

  • SHA512

    b3460e2d63a5da8c121f309bcc9f80081fdcbd229c785ccf294382a883250739ad10cccda0292aad02c1a4bebb46175b9bbc29f2fbfbafd6a6b809c7a3b47fa9

  • SSDEEP

    6144:gXSQ8BCMis1TMrRQwy7eIeCDbccEOkCybEaQRXr9HNdvOa:gXv8BCLocRZy7eIeybaOkx2LIa

Score
10/10
upx

Malware Config

Signatures

  • Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
  • Downloads MZ/PE file
  • Drops file in Drivers directory 2 IoCs
  • Deletes itself 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 1 IoCs
  • UPX packed file 9 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Unexpected DNS network traffic destination 1 IoCs

    Network traffic to other servers than the configured DNS servers was detected on the DNS port.

  • Drops file in System32 directory 24 IoCs
  • Drops file in Windows directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Delays execution with timeout.exe 2 IoCs
    evasion
  • Modifies data under HKEY_USERS 64 IoCs
  • Modifies system certificate store 2 TTPs 7 IoCs
    evasionspywaretrojan
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: LoadsDriver 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 17 IoCs
  • Suspicious use of WriteProcessMemory 34 IoCs

Processes

  • C:\Windows\system32\winlogon.exe
    winlogon.exe
    1⤵
      PID:420
      • C:\Windows\Logs\WinSAT.exe
        "C:\Windows\Logs\WinSAT.exe"
        2⤵
        • Drops file in Drivers directory
        • Executes dropped EXE
        • Drops file in System32 directory
        • Drops file in Windows directory
        • Modifies data under HKEY_USERS
        • Modifies system certificate store
        • Suspicious use of AdjustPrivilegeToken
        PID:2812
    • C:\Windows\Explorer.EXE
      C:\Windows\Explorer.EXE
      1⤵
      • Suspicious use of NtCreateUserProcessOtherParentProcess
      • Drops file in Drivers directory
      • Loads dropped DLL
      • Drops file in System32 directory
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1276
      • C:\Users\Admin\AppData\Local\Temp\3209e819ad074f3fdba7604eab332018b3729c03ad9ad2990ca9d7eac051af6c.exe
        "C:\Users\Admin\AppData\Local\Temp\3209e819ad074f3fdba7604eab332018b3729c03ad9ad2990ca9d7eac051af6c.exe"
        2⤵
        • Drops file in System32 directory
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2196
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /c timeout /t 1 & del /Q /F "C:\Users\Admin\AppData\Local\Temp\3209e819ad074f3fdba7604eab332018b3729c03ad9ad2990ca9d7eac051af6c.exe"
          3⤵
          • Deletes itself
          • Suspicious use of WriteProcessMemory
          PID:2744
          • C:\Windows\SysWOW64\timeout.exe
            timeout /t 1
            4⤵
            • Delays execution with timeout.exe
            PID:2164
    • C:\Windows\Syswow64\f27b9824
      C:\Windows\Syswow64\f27b9824
      1⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • Modifies data under HKEY_USERS
      • Modifies system certificate store
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2492
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c timeout /t 1 & del /Q /F "C:\Windows\Syswow64\f27b9824"
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:1984
        • C:\Windows\SysWOW64\timeout.exe
          timeout /t 1
          3⤵
          • Delays execution with timeout.exe
          PID:1824

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\a18fbb5d.tmp
      Filesize

      14.3MB

      MD5

      5eb4565fab338a7ca2a995557be24e8d

      SHA1

      93243887b151ae7949dfb9a2914822ea8c1d4a93

      SHA256

      3e89b5810a5c0a401ffbbb64f066fd575e685542771bf19cb349aa2ca40d9980

      SHA512

      c7b7d5e38f9707cae3053a099228cb2c35952947dd76796c48bb39207bf9bc1c20d8c35f8c4445f70a4efc124b81a7a26517b9107c545a7a54956c988fe0bba4

      Download Submit

    • C:\Windows\Logs\WinSAT.exe
      Filesize

      3.8MB

      MD5

      86cc31f0a3d05c1dbd587552ff2dadff

      SHA1

      62dc3c3c35c5aaa2c8b104c523d5c68bf95922f2

      SHA256

      a6b45db4a9d9a423b85491ffd7686bd2e3baa358d72c1af6494af3069db4c316

      SHA512

      5f5156fb55773da73cd040c398093a6abec34b1248d664a9484fd8c5cc301f2186b1ba9bf214e85e872f0cfb3edcbe9eabcbff0c71f50b14cc3f3e7a64f88a38

      Download Submit

    • C:\Windows\Logs\WinSAT.exe
      Filesize

      3.8MB

      MD5

      86cc31f0a3d05c1dbd587552ff2dadff

      SHA1

      62dc3c3c35c5aaa2c8b104c523d5c68bf95922f2

      SHA256

      a6b45db4a9d9a423b85491ffd7686bd2e3baa358d72c1af6494af3069db4c316

      SHA512

      5f5156fb55773da73cd040c398093a6abec34b1248d664a9484fd8c5cc301f2186b1ba9bf214e85e872f0cfb3edcbe9eabcbff0c71f50b14cc3f3e7a64f88a38

      Download Submit

    • C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
      Filesize

      61KB

      MD5

      f3441b8572aae8801c04f3060b550443

      SHA1

      4ef0a35436125d6821831ef36c28ffaf196cda15

      SHA256

      6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf

      SHA512

      5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

      Download Submit

    • C:\Windows\SysWOW64\f27b9824
      Filesize

      280KB

      MD5

      a05873b5168c412a2a0d9b45b6881d07

      SHA1

      125d7be8d15b2ac2babd54a448b95141d5f72df5

      SHA256

      eee765a4f2376d7305d6b5ba8dc87111fe60ba9a4856bd757b74d85c1ed76220

      SHA512

      79e37c9dd0ea791c2cd31bbe116c1a84c9107124e2a61c59238a711bafdf9235b649d509d31caa079ea2532bb6536f25e0eec45115c49f9e3ee66681f930c981

      Download Submit

    • C:\Windows\Syswow64\f27b9824
      Filesize

      280KB

      MD5

      a05873b5168c412a2a0d9b45b6881d07

      SHA1

      125d7be8d15b2ac2babd54a448b95141d5f72df5

      SHA256

      eee765a4f2376d7305d6b5ba8dc87111fe60ba9a4856bd757b74d85c1ed76220

      SHA512

      79e37c9dd0ea791c2cd31bbe116c1a84c9107124e2a61c59238a711bafdf9235b649d509d31caa079ea2532bb6536f25e0eec45115c49f9e3ee66681f930c981

      Download Submit

    • \Windows\Logs\WinSAT.exe
      Filesize

      3.8MB

      MD5

      86cc31f0a3d05c1dbd587552ff2dadff

      SHA1

      62dc3c3c35c5aaa2c8b104c523d5c68bf95922f2

      SHA256

      a6b45db4a9d9a423b85491ffd7686bd2e3baa358d72c1af6494af3069db4c316

      SHA512

      5f5156fb55773da73cd040c398093a6abec34b1248d664a9484fd8c5cc301f2186b1ba9bf214e85e872f0cfb3edcbe9eabcbff0c71f50b14cc3f3e7a64f88a38

      Download Submit

    • memory/420-46-0x00000000007F0000-0x0000000000818000-memory.dmp

      Filesize

      160KB

      Download

    • memory/420-45-0x00000000007F0000-0x0000000000818000-memory.dmp

      Filesize

      160KB

      Download

    • memory/1276-54-0x00000000072D0000-0x00000000073C9000-memory.dmp

      Filesize

      996KB

      Download

    • memory/1276-116-0x0000000007540000-0x000000000760B000-memory.dmp

      Filesize

      812KB

      Download

    • memory/1276-164-0x000000000A4B0000-0x000000000A675000-memory.dmp

      Filesize

      1.8MB

      Download

    • memory/1276-163-0x0000000002C40000-0x0000000002C41000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1276-17-0x0000000002960000-0x0000000002963000-memory.dmp

      Filesize

      12KB

      Download

    • memory/1276-162-0x0000000002C40000-0x0000000002C41000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1276-161-0x000000000A4B0000-0x000000000A675000-memory.dmp

      Filesize

      1.8MB

      Download

    • memory/1276-160-0x000000000A4B0000-0x000000000A675000-memory.dmp

      Filesize

      1.8MB

      Download

    • memory/1276-159-0x0000000002B90000-0x0000000002B91000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1276-158-0x0000000002B90000-0x0000000002B91000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1276-157-0x0000000007540000-0x000000000760B000-memory.dmp

      Filesize

      812KB

      Download

    • memory/1276-18-0x0000000002960000-0x0000000002963000-memory.dmp

      Filesize

      12KB

      Download

    • memory/1276-20-0x00000000072D0000-0x00000000073C9000-memory.dmp

      Filesize

      996KB

      Download

    • memory/1276-156-0x0000000002B90000-0x0000000002B91000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1276-155-0x0000000002B90000-0x0000000002B91000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1276-154-0x0000000007540000-0x000000000760B000-memory.dmp

      Filesize

      812KB

      Download

    • memory/1276-19-0x00000000072D0000-0x00000000073C9000-memory.dmp

      Filesize

      996KB

      Download

    • memory/1276-153-0x0000000002B40000-0x0000000002B41000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1276-152-0x0000000007540000-0x000000000760B000-memory.dmp

      Filesize

      812KB

      Download

    • memory/1276-150-0x0000000037060000-0x0000000037070000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1276-117-0x000007FEBD570000-0x000007FEBD580000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1276-16-0x0000000002960000-0x0000000002963000-memory.dmp

      Filesize

      12KB

      Download

    • memory/1276-115-0x0000000002B30000-0x0000000002B33000-memory.dmp

      Filesize

      12KB

      Download

    • memory/1276-120-0x0000000007540000-0x000000000760B000-memory.dmp

      Filesize

      812KB

      Download

    • memory/1276-118-0x0000000002B40000-0x0000000002B41000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2196-0-0x0000000001390000-0x000000000141E000-memory.dmp

      Filesize

      568KB

      Download

    • memory/2196-36-0x0000000001390000-0x000000000141E000-memory.dmp

      Filesize

      568KB

      Download

    • memory/2196-47-0x0000000001390000-0x000000000141E000-memory.dmp

      Filesize

      568KB

      Download

    • memory/2492-74-0x0000000000F50000-0x0000000000FDE000-memory.dmp

      Filesize

      568KB

      Download

    • memory/2492-101-0x0000000000F50000-0x0000000000FDE000-memory.dmp

      Filesize

      568KB

      Download

    • memory/2492-40-0x0000000000F50000-0x0000000000FDE000-memory.dmp

      Filesize

      568KB

      Download

    • memory/2492-3-0x0000000000F50000-0x0000000000FDE000-memory.dmp

      Filesize

      568KB

      Download

    • memory/2812-25-0x0000000000060000-0x0000000000061000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2812-100-0x0000000037060000-0x0000000037070000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2812-42-0x0000000001D70000-0x0000000001E3B000-memory.dmp

      Filesize

      812KB

      Download

    • memory/2812-41-0x000007FEBD570000-0x000007FEBD580000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2812-37-0x0000000001D70000-0x0000000001E3B000-memory.dmp

      Filesize

      812KB

      Download

    • memory/2812-38-0x0000000001D70000-0x0000000001E3B000-memory.dmp

      Filesize

      812KB

      Download

    • memory/2812-103-0x0000000001D70000-0x0000000001E3B000-memory.dmp

      Filesize

      812KB

      Download

    • memory/2812-24-0x00000000001E0000-0x00000000002A3000-memory.dmp

      Filesize

      780KB

      Download

    • memory/2812-31-0x0000000000090000-0x0000000000093000-memory.dmp

      Filesize

      12KB

      Download