Overview

overview

10

Static

static

7

2156012039...fa.exe

windows7-x64

10

2156012039...fa.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    151s
  • max time network
    136s
  • platform
    windows7_x64
  • resource
    win7-20230831-en
  • resource tags

    arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
  • submitted
    18-09-2023 09:39

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    215601203945b53a44e0344ac6e3e410bdb9a21d418e8068ee43eceee858c4fa.exe

  • Size

    2.3MB

  • MD5

    e411dafeed1860501790f8ae6ae7a95d

  • SHA1

    fcb250e133067714ff87bf1483c7d3e11d6fc1be

  • SHA256

    215601203945b53a44e0344ac6e3e410bdb9a21d418e8068ee43eceee858c4fa

  • SHA512

    f52f0ad99cd9acdff0693b528395f6040b23de8019e892a9c86beac1f5c6f56418224aa9f54490324cd1ae54a502ba338162f083ee1a7a464e97a045ca06270e

  • SSDEEP

    49152:4vODijuUoszTB8QXnQv6tj1SQYSQG9KFeMs:4mDb6ZEQFZ0Fep

Score
10/10
upx

Malware Config

Signatures

  • Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
  • Downloads MZ/PE file
  • Drops file in Drivers directory 1 IoCs
  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • UPX packed file 3 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Unexpected DNS network traffic destination 1 IoCs

    Network traffic to other servers than the configured DNS servers was detected on the DNS port.

  • Drops file in System32 directory 11 IoCs
  • Drops file in Windows directory 4 IoCs
  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Modifies data under HKEY_USERS 64 IoCs
  • Modifies system certificate store 2 TTPs 5 IoCs
    evasionspywaretrojan
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: LoadsDriver 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 13 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Windows\system32\winlogon.exe
    winlogon.exe
    1⤵
      PID:424
      • C:\Windows\repair-bde.exe
        "C:\Windows\repair-bde.exe"
        2⤵
        • Drops file in Drivers directory
        • Executes dropped EXE
        • Drops file in System32 directory
        • Drops file in Windows directory
        • Modifies data under HKEY_USERS
        • Modifies system certificate store
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2956
    • C:\Windows\Explorer.EXE
      C:\Windows\Explorer.EXE
      1⤵
      • Suspicious use of NtCreateUserProcessOtherParentProcess
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1424
      • C:\Users\Admin\AppData\Local\Temp\215601203945b53a44e0344ac6e3e410bdb9a21d418e8068ee43eceee858c4fa.exe
        "C:\Users\Admin\AppData\Local\Temp\215601203945b53a44e0344ac6e3e410bdb9a21d418e8068ee43eceee858c4fa.exe"
        2⤵
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2020
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /c timeout /t 1 & del /Q /F "C:\Users\Admin\AppData\Local\Temp\215601203945b53a44e0344ac6e3e410bdb9a21d418e8068ee43eceee858c4fa.exe"
          3⤵
          • Deletes itself
          • Suspicious use of WriteProcessMemory
          PID:2620
          • C:\Windows\SysWOW64\timeout.exe
            timeout /t 1
            4⤵
            • Delays execution with timeout.exe
            PID:892

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\Cab73BB.tmp
      Filesize

      61KB

      MD5

      f3441b8572aae8801c04f3060b550443

      SHA1

      4ef0a35436125d6821831ef36c28ffaf196cda15

      SHA256

      6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf

      SHA512

      5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\TarB34D.tmp
      Filesize

      163KB

      MD5

      9441737383d21192400eca82fda910ec

      SHA1

      725e0d606a4fc9ba44aa8ffde65bed15e65367e4

      SHA256

      bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5

      SHA512

      7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\a187130b.tmp
      Filesize

      14.5MB

      MD5

      6697f78c0dffa2e0b851046aaf272101

      SHA1

      b91aeb9e6d4d99778a4fe27da2457cdb321e8bfe

      SHA256

      354b9545fbb292faea96eadbef7c85caf0f6f72b915e567044833fdfc2b923f0

      SHA512

      fd5d44c6aa0c791e77bfec1436e810b1ef6cd1c92937faa060b6688b5dd4a47268189639e628e2fed8ce57ad04b0e816f18b16d2a3e69e60cbd16049948766d4

      Download Submit

    • C:\Windows\repair-bde.exe
      Filesize

      50KB

      MD5

      5a1976e146c82ee36611ad47df626b1e

      SHA1

      696997006997c0d30c15f90749dfab1ebfce85ad

      SHA256

      68153f44639bea2e3e89e90063d27d434b847d1a752468e2b0bc0e7dba0b15cf

      SHA512

      4d146efdc5c416a363b2de2cb484d49f8dcd42b80cb12faeeb550c4a6fde738e089d13fc772fb69d71d438ba025171867c2a3d1d8401acfbc12423c4501f86bc

      Download Submit

    • memory/424-80-0x00000000007F0000-0x0000000000818000-memory.dmp

      Filesize

      160KB

      Download

    • memory/424-79-0x0000000000270000-0x000000000033B000-memory.dmp

      Filesize

      812KB

      Download

    • memory/424-59-0x0000000000390000-0x00000000003B1000-memory.dmp

      Filesize

      132KB

      Download

    • memory/1424-77-0x0000000003CA0000-0x0000000003D19000-memory.dmp

      Filesize

      484KB

      Download

    • memory/1424-6-0x0000000003CA0000-0x0000000003D19000-memory.dmp

      Filesize

      484KB

      Download

    • memory/1424-36-0x0000000004320000-0x0000000004321000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1424-35-0x0000000004310000-0x0000000004313000-memory.dmp

      Filesize

      12KB

      Download

    • memory/1424-38-0x0000000009100000-0x00000000091F9000-memory.dmp

      Filesize

      996KB

      Download

    • memory/1424-3-0x0000000002200000-0x0000000002203000-memory.dmp

      Filesize

      12KB

      Download

    • memory/1424-32-0x0000000004310000-0x0000000004313000-memory.dmp

      Filesize

      12KB

      Download

    • memory/1424-4-0x0000000002200000-0x0000000002203000-memory.dmp

      Filesize

      12KB

      Download

    • memory/1424-112-0x0000000009100000-0x00000000091F9000-memory.dmp

      Filesize

      996KB

      Download

    • memory/1424-24-0x00000000069F0000-0x0000000006AE4000-memory.dmp

      Filesize

      976KB

      Download

    • memory/1424-26-0x0000000003FA0000-0x0000000003FA1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1424-106-0x0000000004320000-0x0000000004321000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1424-7-0x0000000002200000-0x0000000002203000-memory.dmp

      Filesize

      12KB

      Download

    • memory/2020-56-0x00000000000A0000-0x00000000001A5000-memory.dmp

      Filesize

      1.0MB

      Download

    • memory/2020-63-0x00000000000A0000-0x00000000001A5000-memory.dmp

      Filesize

      1.0MB

      Download

    • memory/2020-0-0x00000000000A0000-0x00000000001A5000-memory.dmp

      Filesize

      1.0MB

      Download

    • memory/2956-110-0x00000000372E0000-0x00000000372F0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2956-119-0x0000000001EF0000-0x0000000001EF1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2956-57-0x000007FEBD600000-0x000007FEBD610000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2956-58-0x0000000000270000-0x000000000033B000-memory.dmp

      Filesize

      812KB

      Download

    • memory/2956-113-0x00000000007F0000-0x0000000000818000-memory.dmp

      Filesize

      160KB

      Download

    • memory/2956-53-0x0000000000270000-0x000000000033B000-memory.dmp

      Filesize

      812KB

      Download

    • memory/2956-114-0x0000000000270000-0x000000000033B000-memory.dmp

      Filesize

      812KB

      Download

    • memory/2956-115-0x0000000000270000-0x000000000033B000-memory.dmp

      Filesize

      812KB

      Download

    • memory/2956-116-0x0000000001EF0000-0x0000000001EF1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2956-117-0x00000000007F0000-0x0000000000818000-memory.dmp

      Filesize

      160KB

      Download

    • memory/2956-118-0x0000000001EF0000-0x0000000001EF1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2956-54-0x0000000000270000-0x000000000033B000-memory.dmp

      Filesize

      812KB

      Download

    • memory/2956-120-0x0000000001EF0000-0x0000000001EF1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2956-121-0x0000000001EF0000-0x0000000001EF1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2956-52-0x0000000000090000-0x0000000000093000-memory.dmp

      Filesize

      12KB

      Download

    • memory/2956-135-0x0000000004630000-0x00000000047F5000-memory.dmp

      Filesize

      1.8MB

      Download

    • memory/2956-136-0x0000000004630000-0x00000000047F5000-memory.dmp

      Filesize

      1.8MB

      Download

    • memory/2956-137-0x0000000001F00000-0x0000000001F01000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2956-138-0x0000000001EF0000-0x0000000001EF1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2956-139-0x0000000001F00000-0x0000000001F01000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2956-140-0x0000000004630000-0x00000000047F5000-memory.dmp

      Filesize

      1.8MB

      Download

    • memory/2956-41-0x0000000000130000-0x00000000001F3000-memory.dmp

      Filesize

      780KB

      Download

    • memory/2956-148-0x0000000004630000-0x00000000047F5000-memory.dmp

      Filesize

      1.8MB

      Download