Overview

overview

8

Static

static

7

e389f96e83...c0.exe

windows7-x64

8

e389f96e83...c0.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    151s
  • max time network
    142s
  • platform
    windows7_x64
  • resource
    win7-20230831-en
  • resource tags

    arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
  • submitted
    01/10/2023, 14:27

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    e389f96e832e6e32c38a5e03563384449a3fa68303c075ba47e32d3ab3bb0bc0.exe

  • Size

    2.6MB

  • MD5

    2dbddc17544026752e92608a92fe2f9e

  • SHA1

    16816d1b64420552abfceb71481435f580ebebb6

  • SHA256

    e389f96e832e6e32c38a5e03563384449a3fa68303c075ba47e32d3ab3bb0bc0

  • SHA512

    76b397357715fe42f6dce742b31e3638d0b0bcca191bd9baaff74a6e1c590cbe33870ee3f5a3755dadc2e7e3e9e17bb68e9862df4d49afde63e8302e556d439f

  • SSDEEP

    49152:qTGkQy5QZuTtS0rQMYOQ+q8CE0TG4QnTGHQc9KFeMv:qKkVWsM0r1QnDK4uKHT0Feu

Score
8/10
upx

Malware Config

Signatures

  • Drops file in Drivers directory 2 IoCs
  • Deletes itself 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 1 IoCs
  • UPX packed file 10 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Unexpected DNS network traffic destination 1 IoCs

    Network traffic to other servers than the configured DNS servers was detected on the DNS port.

  • Drops file in System32 directory 13 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Delays execution with timeout.exe 2 IoCs
    evasion
  • Modifies Internet Explorer settings 1 TTPs 2 IoCs
    adwarespyware
  • Modifies data under HKEY_USERS 64 IoCs
  • Modifies system certificate store 2 TTPs 4 IoCs
    evasionspywaretrojan
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: LoadsDriver 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 16 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 34 IoCs

Processes

  • C:\Windows\system32\winlogon.exe
    winlogon.exe
    1⤵
      PID:420
    • C:\Windows\Explorer.EXE
      C:\Windows\Explorer.EXE
      1⤵
      • Drops file in Drivers directory
      • Loads dropped DLL
      • Drops file in System32 directory
      • Drops file in Windows directory
      • Modifies Internet Explorer settings
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1208
      • C:\Users\Admin\AppData\Local\Temp\e389f96e832e6e32c38a5e03563384449a3fa68303c075ba47e32d3ab3bb0bc0.exe
        "C:\Users\Admin\AppData\Local\Temp\e389f96e832e6e32c38a5e03563384449a3fa68303c075ba47e32d3ab3bb0bc0.exe"
        2⤵
        • Drops file in System32 directory
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1732
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /c timeout /t 1 & del /Q /F "C:\Users\Admin\AppData\Local\Temp\e389f96e832e6e32c38a5e03563384449a3fa68303c075ba47e32d3ab3bb0bc0.exe"
          3⤵
          • Deletes itself
          • Suspicious use of WriteProcessMemory
          PID:1244
          • C:\Windows\SysWOW64\timeout.exe
            timeout /t 1
            4⤵
            • Delays execution with timeout.exe
            PID:832
      • C:\ProgramData\Microsoft\msdtc.exe
        "C:\ProgramData\Microsoft\msdtc.exe"
        2⤵
        • Drops file in Drivers directory
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:2548
    • C:\Windows\Syswow64\b49580f0
      C:\Windows\Syswow64\b49580f0
      1⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • Drops file in Windows directory
      • Modifies data under HKEY_USERS
      • Modifies system certificate store
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3000
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c timeout /t 1 & del /Q /F "C:\Windows\Syswow64\b49580f0"
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:1300
        • C:\Windows\SysWOW64\timeout.exe
          timeout /t 1
          3⤵
          • Delays execution with timeout.exe
          PID:2104

    Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\ProgramData\Microsoft\msdtc.exe
            Filesize

            138KB

            MD5

            de0ece52236cfa3ed2dbfc03f28253a8

            SHA1

            84bbd2495c1809fcd19b535d41114e4fb101466c

            SHA256

            2fbbec4cacb5161f68d7c2935852a5888945ca0f107cf8a1c01f4528ce407de3

            SHA512

            69386134667626c60c99d941c8ab52f8e5235e3897b5af76965572287afd5dcd42b8207a520587844a57a268e4decb3f3c550e5b7a06230ee677dc5e40c50bb3

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\Tar40F7.tmp
            Filesize

            163KB

            MD5

            9441737383d21192400eca82fda910ec

            SHA1

            725e0d606a4fc9ba44aa8ffde65bed15e65367e4

            SHA256

            bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5

            SHA512

            7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf

            Download Submit

          • C:\Windows\SysWOW64\b49580f0
            Filesize

            2.6MB

            MD5

            1779c984848414f0d66932196e1c3e7f

            SHA1

            896fa413395274a0bf703e745342327da9ca8a66

            SHA256

            4f3c7280c441b0b727f292e98a4cfdaa54e498003e9665c66433c3d1ca3164b5

            SHA512

            9ef80ddcdbabf20ff3ef9c085a91cfc673df6432ac0c209f973b56a4ee89d80558fc6a7f64f26b5b5b05c602549a5cf3bd436e3af29fb9f032d4809d22579647

            Download Submit

          • C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
            Filesize

            61KB

            MD5

            f3441b8572aae8801c04f3060b550443

            SHA1

            4ef0a35436125d6821831ef36c28ffaf196cda15

            SHA256

            6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf

            SHA512

            5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

            Download Submit

          • C:\Windows\Syswow64\b49580f0
            Filesize

            2.6MB

            MD5

            1779c984848414f0d66932196e1c3e7f

            SHA1

            896fa413395274a0bf703e745342327da9ca8a66

            SHA256

            4f3c7280c441b0b727f292e98a4cfdaa54e498003e9665c66433c3d1ca3164b5

            SHA512

            9ef80ddcdbabf20ff3ef9c085a91cfc673df6432ac0c209f973b56a4ee89d80558fc6a7f64f26b5b5b05c602549a5cf3bd436e3af29fb9f032d4809d22579647

            Download Submit

          • \ProgramData\Microsoft\msdtc.exe
            Filesize

            138KB

            MD5

            de0ece52236cfa3ed2dbfc03f28253a8

            SHA1

            84bbd2495c1809fcd19b535d41114e4fb101466c

            SHA256

            2fbbec4cacb5161f68d7c2935852a5888945ca0f107cf8a1c01f4528ce407de3

            SHA512

            69386134667626c60c99d941c8ab52f8e5235e3897b5af76965572287afd5dcd42b8207a520587844a57a268e4decb3f3c550e5b7a06230ee677dc5e40c50bb3

            Download Submit

          • memory/420-72-0x0000000000770000-0x0000000000798000-memory.dmp

            Filesize

            160KB

            Download

          • memory/1208-144-0x00000000097A0000-0x0000000009840000-memory.dmp

            Filesize

            640KB

            Download

          • memory/1208-133-0x0000000000770000-0x0000000000798000-memory.dmp

            Filesize

            160KB

            Download

          • memory/1208-186-0x00000000097A0000-0x0000000009840000-memory.dmp

            Filesize

            640KB

            Download

          • memory/1208-26-0x0000000006490000-0x0000000006587000-memory.dmp

            Filesize

            988KB

            Download

          • memory/1208-170-0x0000000003BE0000-0x0000000003BE1000-memory.dmp

            Filesize

            4KB

            Download

          • memory/1208-168-0x0000000003BE0000-0x0000000003BE1000-memory.dmp

            Filesize

            4KB

            Download

          • memory/1208-166-0x0000000003BE0000-0x0000000003BE1000-memory.dmp

            Filesize

            4KB

            Download

          • memory/1208-24-0x0000000002E90000-0x0000000002E93000-memory.dmp

            Filesize

            12KB

            Download

          • memory/1208-164-0x0000000003BE0000-0x0000000003BE1000-memory.dmp

            Filesize

            4KB

            Download

          • memory/1208-162-0x0000000003BE0000-0x0000000003BE1000-memory.dmp

            Filesize

            4KB

            Download

          • memory/1208-160-0x0000000003BE0000-0x0000000003BE1000-memory.dmp

            Filesize

            4KB

            Download

          • memory/1208-152-0x0000000003BE0000-0x0000000003BE1000-memory.dmp

            Filesize

            4KB

            Download

          • memory/1208-154-0x0000000003BE0000-0x0000000003BE1000-memory.dmp

            Filesize

            4KB

            Download

          • memory/1208-156-0x0000000003BE0000-0x0000000003BE1000-memory.dmp

            Filesize

            4KB

            Download

          • memory/1208-68-0x0000000007460000-0x000000000752B000-memory.dmp

            Filesize

            812KB

            Download

          • memory/1208-69-0x000007FEBEF80000-0x000007FEBEF90000-memory.dmp

            Filesize

            64KB

            Download

          • memory/1208-70-0x0000000007460000-0x000000000752B000-memory.dmp

            Filesize

            812KB

            Download

          • memory/1208-158-0x0000000003BE0000-0x0000000003BE1000-memory.dmp

            Filesize

            4KB

            Download

          • memory/1208-71-0x0000000003B90000-0x0000000003B91000-memory.dmp

            Filesize

            4KB

            Download

          • memory/1208-150-0x0000000003BE0000-0x0000000003BE1000-memory.dmp

            Filesize

            4KB

            Download

          • memory/1208-76-0x0000000006490000-0x0000000006587000-memory.dmp

            Filesize

            988KB

            Download

          • memory/1208-23-0x0000000002E90000-0x0000000002E93000-memory.dmp

            Filesize

            12KB

            Download

          • memory/1208-148-0x0000000003BE0000-0x0000000003BE1000-memory.dmp

            Filesize

            4KB

            Download

          • memory/1208-21-0x0000000002E90000-0x0000000002E93000-memory.dmp

            Filesize

            12KB

            Download

          • memory/1208-106-0x0000000007460000-0x000000000752B000-memory.dmp

            Filesize

            812KB

            Download

          • memory/1208-145-0x0000000003D00000-0x0000000003D01000-memory.dmp

            Filesize

            4KB

            Download

          • memory/1208-131-0x0000000037530000-0x0000000037540000-memory.dmp

            Filesize

            64KB

            Download

          • memory/1208-27-0x0000000006490000-0x0000000006587000-memory.dmp

            Filesize

            988KB

            Download

          • memory/1208-134-0x0000000003CB0000-0x0000000003CB1000-memory.dmp

            Filesize

            4KB

            Download

          • memory/1208-135-0x0000000003CB0000-0x0000000003CB1000-memory.dmp

            Filesize

            4KB

            Download

          • memory/1208-136-0x0000000003CB0000-0x0000000003CB1000-memory.dmp

            Filesize

            4KB

            Download

          • memory/1208-137-0x0000000003CF0000-0x0000000003CFF000-memory.dmp

            Filesize

            60KB

            Download

          • memory/1208-138-0x0000000003CF0000-0x0000000003CF1000-memory.dmp

            Filesize

            4KB

            Download

          • memory/1208-139-0x00000000097A0000-0x0000000009840000-memory.dmp

            Filesize

            640KB

            Download

          • memory/1208-140-0x00000000097A0000-0x0000000009840000-memory.dmp

            Filesize

            640KB

            Download

          • memory/1208-141-0x0000000003BE0000-0x0000000003BE1000-memory.dmp

            Filesize

            4KB

            Download

          • memory/1208-142-0x0000000003CB0000-0x0000000003CB1000-memory.dmp

            Filesize

            4KB

            Download

          • memory/1208-143-0x0000000003CF0000-0x0000000003CFF000-memory.dmp

            Filesize

            60KB

            Download

          • memory/1732-74-0x00000000003A0000-0x0000000000429000-memory.dmp

            Filesize

            548KB

            Download

          • memory/1732-0-0x00000000003A0000-0x0000000000429000-memory.dmp

            Filesize

            548KB

            Download

          • memory/1732-25-0x00000000003A0000-0x0000000000429000-memory.dmp

            Filesize

            548KB

            Download

          • memory/2548-54-0x00000000037B0000-0x000000000387B000-memory.dmp

            Filesize

            812KB

            Download

          • memory/2548-47-0x0000000000380000-0x0000000000400000-memory.dmp

            Filesize

            512KB

            Download

          • memory/2548-48-0x000007FEBEF80000-0x000007FEBEF90000-memory.dmp

            Filesize

            64KB

            Download

          • memory/2548-43-0x0000000000090000-0x0000000000093000-memory.dmp

            Filesize

            12KB

            Download

          • memory/2548-45-0x00000000037B0000-0x000000000387B000-memory.dmp

            Filesize

            812KB

            Download

          • memory/2548-39-0x0000000000090000-0x0000000000093000-memory.dmp

            Filesize

            12KB

            Download

          • memory/2548-33-0x0000000000060000-0x0000000000061000-memory.dmp

            Filesize

            4KB

            Download

          • memory/2548-32-0x0000000000120000-0x00000000001E3000-memory.dmp

            Filesize

            780KB

            Download

          • memory/3000-104-0x0000000001250000-0x00000000012D9000-memory.dmp

            Filesize

            548KB

            Download

          • memory/3000-55-0x0000000001250000-0x00000000012D9000-memory.dmp

            Filesize

            548KB

            Download

          • memory/3000-3-0x0000000001250000-0x00000000012D9000-memory.dmp

            Filesize

            548KB

            Download

          • memory/3000-28-0x0000000001250000-0x00000000012D9000-memory.dmp

            Filesize

            548KB

            Download