Overview

overview

10

Static

static

7

5255876df0...1b.exe

windows7-x64

10

5255876df0...1b.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    151s
  • platform
    windows7_x64
  • resource
    win7-20230831-en
  • resource tags

    arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
  • submitted
    03/10/2023, 08:23

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    5255876df0e3edd6dbd5e20b3a4197e452d6e9c7ef6832a64c192931e5b5731b.exe

  • Size

    271KB

  • MD5

    b573831955c382dd5bd7952fb163e7e6

  • SHA1

    a1ef9d631be063cfcd5cd155bddb8e8b25e05d91

  • SHA256

    5255876df0e3edd6dbd5e20b3a4197e452d6e9c7ef6832a64c192931e5b5731b

  • SHA512

    493ded2a4e1861aebe6f05f89b83f034bbd9727867de9b0063e1be2ee5635dd9664583f1d65cd388bcbdddcc272a716fb8f2adf66ecbf9f5bfde9c7cb4455d44

  • SSDEEP

    6144:Ll51orRJXlDixHkUXe34cEOkCybEaQRXr9HNdvOa:NqXUHkUXe3GOkx2LIa

Score
10/10
upx

Malware Config

Signatures

  • Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
  • Drops file in Drivers directory 1 IoCs
  • Deletes itself 1 IoCs
  • Executes dropped EXE 2 IoCs
  • UPX packed file 9 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Unexpected DNS network traffic destination 1 IoCs

    Network traffic to other servers than the configured DNS servers was detected on the DNS port.

  • Drops file in System32 directory 21 IoCs
  • Drops file in Windows directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Delays execution with timeout.exe 2 IoCs
    evasion
  • Modifies data under HKEY_USERS 64 IoCs
  • Modifies system certificate store 2 TTPs 6 IoCs
    evasionspywaretrojan
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: LoadsDriver 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 13 IoCs
  • Suspicious use of WriteProcessMemory 34 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of NtCreateUserProcessOtherParentProcess
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1192
    • C:\Users\Admin\AppData\Local\Temp\5255876df0e3edd6dbd5e20b3a4197e452d6e9c7ef6832a64c192931e5b5731b.exe
      "C:\Users\Admin\AppData\Local\Temp\5255876df0e3edd6dbd5e20b3a4197e452d6e9c7ef6832a64c192931e5b5731b.exe"
      2⤵
      • Drops file in System32 directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2780
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c timeout /t 1 & del /Q /F "C:\Users\Admin\AppData\Local\Temp\5255876df0e3edd6dbd5e20b3a4197e452d6e9c7ef6832a64c192931e5b5731b.exe"
        3⤵
        • Deletes itself
        • Suspicious use of WriteProcessMemory
        PID:2468
        • C:\Windows\SysWOW64\timeout.exe
          timeout /t 1
          4⤵
          • Delays execution with timeout.exe
          PID:856
  • C:\Windows\system32\winlogon.exe
    winlogon.exe
    1⤵
      PID:420
      • C:\Windows\SndVol.exe
        "C:\Windows\SndVol.exe"
        2⤵
        • Drops file in Drivers directory
        • Executes dropped EXE
        • Drops file in System32 directory
        • Drops file in Windows directory
        • Modifies data under HKEY_USERS
        • Modifies system certificate store
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2664
    • C:\Windows\Syswow64\15bd5e46
      C:\Windows\Syswow64\15bd5e46
      1⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • Drops file in Windows directory
      • Modifies data under HKEY_USERS
      • Modifies system certificate store
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2984
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c timeout /t 1 & del /Q /F "C:\Windows\Syswow64\15bd5e46"
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:740
        • C:\Windows\SysWOW64\timeout.exe
          timeout /t 1
          3⤵
          • Delays execution with timeout.exe
          PID:1856

    Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Windows\SndVol.exe
            Filesize

            267KB

            MD5

            c3489639ec8e181044f6c6bfd3d01ac9

            SHA1

            e057c90b675a6da19596b0ac458c25d7440b7869

            SHA256

            a632ef1a1490d31d76f13997ee56f4f75796bf9e366c76446857e9ae855f4103

            SHA512

            63b96c8afb8c3f5f969459531d3a543f6e8714d5ca1664c6bbb01edd9f5e850856931d7923f363c9dc7d8843deeaad69722d15993641d04e786e02184446c0c9

            Download Submit

          • C:\Windows\SysWOW64\15bd5e46
            Filesize

            271KB

            MD5

            730473b4b675f8f53a5d08f164a3a44e

            SHA1

            c0a37e7b8303445bd42148dd786c78df992771c6

            SHA256

            965245c7a0822383d2dddc3f1d007afeb530a97d5ac0b1e5ed97f76d2d816be0

            SHA512

            241ab5722b9ba93d9d9e0275122c7496c861d364c79439c1236ecb3d182ddd64f12f5921c0d9147fce9cc54f174dc7f803e6057a00f6754f2c70b98f76b01a54

            Download Submit

          • C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
            Filesize

            61KB

            MD5

            f3441b8572aae8801c04f3060b550443

            SHA1

            4ef0a35436125d6821831ef36c28ffaf196cda15

            SHA256

            6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf

            SHA512

            5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

            Download Submit

          • C:\Windows\Syswow64\15bd5e46
            Filesize

            271KB

            MD5

            730473b4b675f8f53a5d08f164a3a44e

            SHA1

            c0a37e7b8303445bd42148dd786c78df992771c6

            SHA256

            965245c7a0822383d2dddc3f1d007afeb530a97d5ac0b1e5ed97f76d2d816be0

            SHA512

            241ab5722b9ba93d9d9e0275122c7496c861d364c79439c1236ecb3d182ddd64f12f5921c0d9147fce9cc54f174dc7f803e6057a00f6754f2c70b98f76b01a54

            Download Submit

          • memory/420-51-0x00000000007F0000-0x0000000000818000-memory.dmp

            Filesize

            160KB

            Download

          • memory/1192-21-0x00000000039D0000-0x00000000039D3000-memory.dmp

            Filesize

            12KB

            Download

          • memory/1192-23-0x00000000039D0000-0x00000000039D3000-memory.dmp

            Filesize

            12KB

            Download

          • memory/1192-25-0x00000000039D0000-0x00000000039D3000-memory.dmp

            Filesize

            12KB

            Download

          • memory/1192-26-0x0000000006C20000-0x0000000006D19000-memory.dmp

            Filesize

            996KB

            Download

          • memory/1192-67-0x0000000006C20000-0x0000000006D19000-memory.dmp

            Filesize

            996KB

            Download

          • memory/2664-108-0x00000000007F0000-0x0000000000818000-memory.dmp

            Filesize

            160KB

            Download

          • memory/2664-31-0x0000000000130000-0x0000000000131000-memory.dmp

            Filesize

            4KB

            Download

          • memory/2664-43-0x0000000000550000-0x000000000061B000-memory.dmp

            Filesize

            812KB

            Download

          • memory/2664-119-0x00000000043E0000-0x00000000045A5000-memory.dmp

            Filesize

            1.8MB

            Download

          • memory/2664-47-0x0000000000550000-0x000000000061B000-memory.dmp

            Filesize

            812KB

            Download

          • memory/2664-46-0x000007FEBF2C0000-0x000007FEBF2D0000-memory.dmp

            Filesize

            64KB

            Download

          • memory/2664-44-0x0000000000550000-0x000000000061B000-memory.dmp

            Filesize

            812KB

            Download

          • memory/2664-118-0x0000000001EF0000-0x0000000001EF1000-memory.dmp

            Filesize

            4KB

            Download

          • memory/2664-41-0x0000000000160000-0x0000000000163000-memory.dmp

            Filesize

            12KB

            Download

          • memory/2664-117-0x0000000001F90000-0x0000000001F91000-memory.dmp

            Filesize

            4KB

            Download

          • memory/2664-37-0x0000000000160000-0x0000000000163000-memory.dmp

            Filesize

            12KB

            Download

          • memory/2664-113-0x0000000001EF0000-0x0000000001EF1000-memory.dmp

            Filesize

            4KB

            Download

          • memory/2664-29-0x0000000000060000-0x0000000000123000-memory.dmp

            Filesize

            780KB

            Download

          • memory/2664-116-0x00000000043E0000-0x00000000045A5000-memory.dmp

            Filesize

            1.8MB

            Download

          • memory/2664-82-0x0000000000550000-0x000000000061B000-memory.dmp

            Filesize

            812KB

            Download

          • memory/2664-115-0x00000000043E0000-0x00000000045A5000-memory.dmp

            Filesize

            1.8MB

            Download

          • memory/2664-106-0x0000000037B90000-0x0000000037BA0000-memory.dmp

            Filesize

            64KB

            Download

          • memory/2664-114-0x00000000043E0000-0x00000000045A5000-memory.dmp

            Filesize

            1.8MB

            Download

          • memory/2664-109-0x0000000001EF0000-0x0000000001EF1000-memory.dmp

            Filesize

            4KB

            Download

          • memory/2664-110-0x0000000001EF0000-0x0000000001EF1000-memory.dmp

            Filesize

            4KB

            Download

          • memory/2664-111-0x00000000007F0000-0x0000000000818000-memory.dmp

            Filesize

            160KB

            Download

          • memory/2664-112-0x0000000001EF0000-0x0000000001EF1000-memory.dmp

            Filesize

            4KB

            Download

          • memory/2780-52-0x00000000010C0000-0x0000000001149000-memory.dmp

            Filesize

            548KB

            Download

          • memory/2780-0-0x00000000010C0000-0x0000000001149000-memory.dmp

            Filesize

            548KB

            Download

          • memory/2780-45-0x00000000010C0000-0x0000000001149000-memory.dmp

            Filesize

            548KB

            Download

          • memory/2984-3-0x0000000000DF0000-0x0000000000E79000-memory.dmp

            Filesize

            548KB

            Download

          • memory/2984-81-0x0000000000DF0000-0x0000000000E79000-memory.dmp

            Filesize

            548KB

            Download

          • memory/2984-54-0x0000000000DF0000-0x0000000000E79000-memory.dmp

            Filesize

            548KB

            Download

          • memory/2984-48-0x0000000000DF0000-0x0000000000E79000-memory.dmp

            Filesize

            548KB

            Download