Overview

overview

10

Static

static

7

2156012039...fa.exe

windows7-x64

10

2156012039...fa.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    151s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230915-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
  • submitted
    18-09-2023 09:39

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    215601203945b53a44e0344ac6e3e410bdb9a21d418e8068ee43eceee858c4fa.exe

  • Size

    2.3MB

  • MD5

    e411dafeed1860501790f8ae6ae7a95d

  • SHA1

    fcb250e133067714ff87bf1483c7d3e11d6fc1be

  • SHA256

    215601203945b53a44e0344ac6e3e410bdb9a21d418e8068ee43eceee858c4fa

  • SHA512

    f52f0ad99cd9acdff0693b528395f6040b23de8019e892a9c86beac1f5c6f56418224aa9f54490324cd1ae54a502ba338162f083ee1a7a464e97a045ca06270e

  • SSDEEP

    49152:4vODijuUoszTB8QXnQv6tj1SQYSQG9KFeMs:4mDb6ZEQFZ0Fep

Score
10/10
upx

Malware Config

Signatures

  • Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
  • Downloads MZ/PE file
  • Drops file in Drivers directory 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • UPX packed file 3 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Unexpected DNS network traffic destination 1 IoCs

    Network traffic to other servers than the configured DNS servers was detected on the DNS port.

  • Drops file in System32 directory 11 IoCs
  • Drops file in Windows directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Modifies data under HKEY_USERS 9 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: LoadsDriver 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 15 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Windows\system32\winlogon.exe
    winlogon.exe
    1⤵
      PID:632
      • C:\Windows\Inf\qwinsta.exe
        "C:\Windows\Inf\qwinsta.exe"
        2⤵
        • Drops file in Drivers directory
        • Executes dropped EXE
        • Drops file in System32 directory
        • Drops file in Windows directory
        • Checks SCSI registry key(s)
        • Modifies data under HKEY_USERS
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2820
    • C:\Windows\Explorer.EXE
      C:\Windows\Explorer.EXE
      1⤵
      • Suspicious use of NtCreateUserProcessOtherParentProcess
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3236
      • C:\Users\Admin\AppData\Local\Temp\215601203945b53a44e0344ac6e3e410bdb9a21d418e8068ee43eceee858c4fa.exe
        "C:\Users\Admin\AppData\Local\Temp\215601203945b53a44e0344ac6e3e410bdb9a21d418e8068ee43eceee858c4fa.exe"
        2⤵
        • Checks computer location settings
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2396
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /c timeout /t 1 & del /Q /F "C:\Users\Admin\AppData\Local\Temp\215601203945b53a44e0344ac6e3e410bdb9a21d418e8068ee43eceee858c4fa.exe"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:1988
          • C:\Windows\SysWOW64\timeout.exe
            timeout /t 1
            4⤵
            • Delays execution with timeout.exe
            PID:3012

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\834127be.tmp
      Filesize

      14.5MB

      MD5

      6697f78c0dffa2e0b851046aaf272101

      SHA1

      b91aeb9e6d4d99778a4fe27da2457cdb321e8bfe

      SHA256

      354b9545fbb292faea96eadbef7c85caf0f6f72b915e567044833fdfc2b923f0

      SHA512

      fd5d44c6aa0c791e77bfec1436e810b1ef6cd1c92937faa060b6688b5dd4a47268189639e628e2fed8ce57ad04b0e816f18b16d2a3e69e60cbd16049948766d4

      Download Submit

    • C:\Windows\INF\qwinsta.exe
      Filesize

      30KB

      MD5

      3ed9ccc06af18ef822e1794feaec6183

      SHA1

      61bb46e5d659efe16e5c019eabca1aa1d5cd8f8f

      SHA256

      08ac265f1888731d6ff54d762fa08b06b172a9424b66ce113afcefef9759c37b

      SHA512

      c07f8fb0cb5fb1c6e81ab7495653373f6d8f6ac4ce49cc04a337155ee22c9987e950f2676be7b9bbda94a72b3621bf32e607fbdc96d85ed416820a16b7d003e6

      Download Submit

    • C:\Windows\Inf\qwinsta.exe
      Filesize

      30KB

      MD5

      3ed9ccc06af18ef822e1794feaec6183

      SHA1

      61bb46e5d659efe16e5c019eabca1aa1d5cd8f8f

      SHA256

      08ac265f1888731d6ff54d762fa08b06b172a9424b66ce113afcefef9759c37b

      SHA512

      c07f8fb0cb5fb1c6e81ab7495653373f6d8f6ac4ce49cc04a337155ee22c9987e950f2676be7b9bbda94a72b3621bf32e607fbdc96d85ed416820a16b7d003e6

      Download Submit

    • memory/632-24-0x000001C950BD0000-0x000001C950BD3000-memory.dmp

      Filesize

      12KB

      Download

    • memory/632-67-0x000001C950C30000-0x000001C950C31000-memory.dmp

      Filesize

      4KB

      Download

    • memory/632-29-0x000001C950C00000-0x000001C950C28000-memory.dmp

      Filesize

      160KB

      Download

    • memory/632-27-0x000001C950C30000-0x000001C950C31000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2396-0-0x0000000000020000-0x0000000000125000-memory.dmp

      Filesize

      1.0MB

      Download

    • memory/2396-36-0x0000000000020000-0x0000000000125000-memory.dmp

      Filesize

      1.0MB

      Download

    • memory/2396-28-0x0000000000020000-0x0000000000125000-memory.dmp

      Filesize

      1.0MB

      Download

    • memory/2820-71-0x0000011936F50000-0x0000011936F51000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2820-73-0x0000011937520000-0x0000011937522000-memory.dmp

      Filesize

      8KB

      Download

    • memory/2820-20-0x00000119366F0000-0x00000119366F1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2820-22-0x00007FFC8AE60000-0x00007FFC8AE70000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2820-18-0x00000119365E0000-0x00000119366AB000-memory.dmp

      Filesize

      812KB

      Download

    • memory/2820-17-0x0000011934BA0000-0x0000011934BA3000-memory.dmp

      Filesize

      12KB

      Download

    • memory/2820-79-0x0000011937520000-0x0000011937522000-memory.dmp

      Filesize

      8KB

      Download

    • memory/2820-78-0x00000119376F0000-0x00000119378B5000-memory.dmp

      Filesize

      1.8MB

      Download

    • memory/2820-76-0x0000011936F70000-0x0000011936F71000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2820-75-0x0000011937640000-0x0000011937641000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2820-74-0x0000011937640000-0x0000011937641000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2820-21-0x00000119365E0000-0x00000119366AB000-memory.dmp

      Filesize

      812KB

      Download

    • memory/2820-63-0x00007FFC8AE60000-0x00007FFC8AE70000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2820-72-0x00000119376F0000-0x00000119378B5000-memory.dmp

      Filesize

      1.8MB

      Download

    • memory/2820-65-0x00000119365E0000-0x00000119366AB000-memory.dmp

      Filesize

      812KB

      Download

    • memory/2820-66-0x00000119366F0000-0x00000119366F1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2820-70-0x0000011936F50000-0x0000011936F51000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2820-68-0x0000011936F50000-0x0000011936F51000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2820-69-0x0000011936D40000-0x0000011936D41000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3236-6-0x0000000002650000-0x0000000002653000-memory.dmp

      Filesize

      12KB

      Download

    • memory/3236-4-0x0000000002650000-0x0000000002653000-memory.dmp

      Filesize

      12KB

      Download

    • memory/3236-64-0x0000000008990000-0x0000000008A89000-memory.dmp

      Filesize

      996KB

      Download

    • memory/3236-62-0x0000000008140000-0x0000000008141000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3236-43-0x0000000007D80000-0x0000000007DF9000-memory.dmp

      Filesize

      484KB

      Download

    • memory/3236-7-0x0000000007D80000-0x0000000007DF9000-memory.dmp

      Filesize

      484KB

      Download

    • memory/3236-14-0x0000000008140000-0x0000000008141000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3236-5-0x0000000007D80000-0x0000000007DF9000-memory.dmp

      Filesize

      484KB

      Download

    • memory/3236-9-0x00000000026D0000-0x00000000026D3000-memory.dmp

      Filesize

      12KB

      Download

    • memory/3236-15-0x0000000008990000-0x0000000008A89000-memory.dmp

      Filesize

      996KB

      Download

    • memory/3236-3-0x0000000002650000-0x0000000002653000-memory.dmp

      Filesize

      12KB

      Download