Overview

overview

7

Static

static

7

efc7ea3ab3...82.exe

windows7-x64

7

efc7ea3ab3...82.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    141s
  • max time network
    155s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230703-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
  • submitted
    27/08/2023, 13:54

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    efc7ea3ab3f50be1029db7fb0a203539f84c5149dd2cd91be682dde994f17982.exe

  • Size

    1.3MB

  • MD5

    e1d26bd1dccb194f3d1df2bf3012ce84

  • SHA1

    90d73af8ad91c1733d66f8a3df1c010a4fdfa44f

  • SHA256

    efc7ea3ab3f50be1029db7fb0a203539f84c5149dd2cd91be682dde994f17982

  • SHA512

    38676d06c9e72a83c3e25deb621290199c624e6e3a50269d2fecf54ffeda9882e10f91bca0ec0a044921e9e73037f64e2fd17e964247feeb4cdd2ae6fea96424

  • SSDEEP

    24576:dBvj/Hs8LVc+7wFpK33BNxR1Un7Vm4ooyGsg7k22mzahCcLNnnOsi:dBvNVIDqZ1Xv47x2mza8Y4

Score
7/10
upx

Malware Config

Signatures

  • UPX packed file 3 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\efc7ea3ab3f50be1029db7fb0a203539f84c5149dd2cd91be682dde994f17982.exe
    "C:\Users\Admin\AppData\Local\Temp\efc7ea3ab3f50be1029db7fb0a203539f84c5149dd2cd91be682dde994f17982.exe"
    1⤵
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1040
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Public\xiaodaxzqxia\n.bat
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4308
      • C:\Windows\SysWOW64\reg.exe
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0" /v "1201" /d "0" /t REG_DWORD /f
        3⤵
          PID:3844
      • C:\Windows\SysWOW64\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Users\Public\xiaodaxzqxia\A.vbs"
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:4916
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c ""C:\Users\Public\xiaodaxzqxia\n.bat" "
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:4000
          • C:\Windows\SysWOW64\reg.exe
            reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0" /v "1201" /d "0" /t REG_DWORD /f
            4⤵
              PID:2024
      • C:\Windows\System32\rundll32.exe
        C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
        1⤵
          PID:4148

        Network

              MITRE ATT&CK Enterprise v15

              Replay Monitor

              Loading Replay Monitor...

              Downloads

              • C:\Users\Public\xiaodaxzqxia\A.vbs
                Filesize

                107B

                MD5

                bcb223ea9c0598f04684216bcd0e12a6

                SHA1

                2661c8fbca3654a29fa261def7f16ea23a6f3165

                SHA256

                ef2113720c94cbe4cb494d6e24d26803b4b1a094e35e4285cd4a2f5665ef2c37

                SHA512

                77e440462544ca9f711f9241096601060080f5751651cab8a796d57ed74c424f03a9237a653c17a386c1ef654e6192d0e54080632dacff15a28a46564e639682

                Download Submit

              • C:\Users\Public\xiaodaxzqxia\n.bat
                Filesize

                263B

                MD5

                c7d8b33e05722104d63de564a5d92b01

                SHA1

                fd703f1c71ac1dae65dc34f3521854604cec8091

                SHA256

                538ce88a3eed5a98c6a021a4c541080c5cfb652962f37da620e35b537513317a

                SHA512

                54a80fc6ad3f08743dc1655c379de79f9496086a9a18f4716fc9a9d6a6fe4fd527dd4ac099c57408090b73903c64fa38d4723783708068878aa6e18c6cc0d08e

                Download Submit

              • memory/1040-0-0x0000000000400000-0x0000000000723000-memory.dmp

                Filesize

                3.1MB

                Download

              • memory/1040-8-0x0000000000400000-0x0000000000723000-memory.dmp

                Filesize

                3.1MB

                Download

              • memory/1040-14-0x0000000000400000-0x0000000000723000-memory.dmp

                Filesize

                3.1MB

                Download