Overview

overview

8

Static

static

3

7068040c6a...68.exe

windows7-x64

8

7068040c6a...68.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    151s
  • max time network
    158s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230915-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
  • submitted
    18/09/2023, 11:32

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    7068040c6a22a5a849f872d0ffe7d049c97c263054dec4f787aee4ddc1774568.exe

  • Size

    5.7MB

  • MD5

    16ed4557be860be717f072793b7720eb

  • SHA1

    69aadeb7616f2e57dc8a6719e7216a0bcf342692

  • SHA256

    7068040c6a22a5a849f872d0ffe7d049c97c263054dec4f787aee4ddc1774568

  • SHA512

    15089ed8f1b626f214e5709926831be3db8fc46bc9d3e4a6aa5773a10adb80aefe0cc14c22fa0565082d1098d1840e821c7a2540f63d28190d5fc56fb69cd6c7

  • SSDEEP

    98304:ngMB/J1S7RvAMk1x1vG3CLNGa6+nWoi44k5dT+OLrhqXM:ngMH16vxk1x1u3Cvio9Lr0XM

Score
8/10
upx

Malware Config

Signatures

  • Modifies RDP port number used by Windows 1 TTPs
  • Executes dropped EXE 1 IoCs
  • UPX packed file 3 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\7068040c6a22a5a849f872d0ffe7d049c97c263054dec4f787aee4ddc1774568.exe
    "C:\Users\Admin\AppData\Local\Temp\7068040c6a22a5a849f872d0ffe7d049c97c263054dec4f787aee4ddc1774568.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1096
    • C:\Users\Public\Downloads\DOEw50s7\utD3cKWQ.exe
      "C:\Users\Public\Downloads\DOEw50s7\utD3cKWQ.exe"
      2⤵
      • Executes dropped EXE
      • Checks processor information in registry
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:4080
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c echo.>c:\xxxx.ini
        3⤵
          PID:4304

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\_ir_tu2_temp_0\IRIMG3.JPG
      Filesize

      6KB

      MD5

      e39405e85e09f64ccde0f59392317dd3

      SHA1

      9c76db4b3d8c7972e7995ecfb1e3c47ee94fd14b

      SHA256

      cfd9677e1c0e10b1507f520c4ecd40f68db78154c0d4e6563403d540f3bf829f

      SHA512

      6733f330145b48d23c023c664090f4f240e9bbeb8368b486c8ee8682ec6a930b73275e24075648d1aa7e01db1ec7b7e259286917a006ba9af8fb7cba3439070a

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\_ir_tu2_temp_0\IRIMG4.JPG
      Filesize

      36KB

      MD5

      f6bf82a293b69aa5b47d4e2de305d45a

      SHA1

      4948716616d4bbe68be2b4c5bf95350402d3f96f

      SHA256

      6a9368cdd7b3ff9b590e206c3536569bc45c338966d0059784959f73fe6281e0

      SHA512

      edf0f3ee60a620cf886184c1014f38d0505aac9e3703d61d7074cfb27d6922f80e570d1a3891593606a09f1296a88c8770445761c11c390a99a5341ee56478aa

      Download Submit

    • C:\Users\Public\Downloads\DOEw50s7\Edge.jpg
      Filesize

      358KB

      MD5

      7026cb74463e16bb2f694875d8f87e1b

      SHA1

      4b4ababbece640527c0e779808e7d909ad8e1c1e

      SHA256

      782196ab04b8ed15c6b124cc6f416197f0231cff55ae6ce752d3ffddc5e20410

      SHA512

      e0b27f95f94b37863b80e4fee04f0ea09be01425b92eea15762676c689d889b479488a8f6a631e890bc305461e81ab6bb1586775f5d59bd4c04a18a0d22322bd

      Download Submit

    • C:\Users\Public\Downloads\DOEw50s7\edge.xml
      Filesize

      53KB

      MD5

      01b616a54a0c728e24efd824e10ef2b2

      SHA1

      406bfab441f36a9cfe44dfea872ff1bb5810d573

      SHA256

      368588de843eefeb3ba75bffc864c74bea17977eacd0231ec2a7547b6bfb1caa

      SHA512

      3f58e4f15f56585a23411fdda11b8dd30e82835f1b2aedb74ccf443ab9d7b33a45282c2bbc0d470da231536fd6ddab20b02b62ab11098fc068caad27a217c480

      Download Submit

    • C:\Users\Public\Downloads\DOEw50s7\utD3cKWQ.dat
      Filesize

      132KB

      MD5

      d4c2959bd4d7dd0a8e3c5598a94c9b2e

      SHA1

      751daf65234df08f9cd8948606162a1781f98b98

      SHA256

      667ae5085176519f2b2d988a02c0fa55e5dc59f4e8ee64bb3708139a22013302

      SHA512

      837eed9eaf40bbbde59c61bd8cb76033e1888da53945db4a959938f8f73064fc380ad522695ab87dda9b8ddcad89530be6acd0024be2bb6f0289b9989a2997e3

      Download Submit

    • C:\Users\Public\Downloads\DOEw50s7\utD3cKWQ.exe
      Filesize

      529KB

      MD5

      49d595ab380b7c7a4cd6916eeb4dfe6f

      SHA1

      b84649fce92cc0e7a4d25599cc15ffaf312edc0b

      SHA256

      207d856a56e97f2fdab243742f0cfcd1ba8b5814dc65b3798e54d022ce719661

      SHA512

      d00ed0d9baae96ccbaf1262b4a4aaf4468e4ace6cebcea81e74d830bf414d9bc61068b8fb0eefa742add14aec47284f3adc11be26c8b8d66bfae4c498f2a4110

      Download Submit

    • memory/4080-6-0x0000000000400000-0x0000000000558000-memory.dmp

      Filesize

      1.3MB

      Download

    • memory/4080-28-0x0000000003430000-0x0000000003431000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4080-31-0x0000000003780000-0x0000000003792000-memory.dmp

      Filesize

      72KB

      Download

    • memory/4080-33-0x0000000010000000-0x0000000010061000-memory.dmp

      Filesize

      388KB

      Download

    • memory/4080-45-0x0000000000400000-0x0000000000558000-memory.dmp

      Filesize

      1.3MB

      Download