Overview

overview

10

Static

static

7

43a1212d31...16.exe

windows7-x64

10

43a1212d31...16.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    136s
  • platform
    windows7_x64
  • resource
    win7-20230831-en
  • resource tags

    arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
  • submitted
    04-10-2023 02:48

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    43a1212d319ae37016aaf8394c837f94beb72526a62e8d795ca8cfee4d828f16.exe

  • Size

    1.1MB

  • MD5

    0cecb3eea0d83075069406d702f85229

  • SHA1

    666854907487d98166ca89f91247b3678d526fa0

  • SHA256

    43a1212d319ae37016aaf8394c837f94beb72526a62e8d795ca8cfee4d828f16

  • SHA512

    81ddbcf324cb23778d7c6f6940776394e94cc09091579d65857fa3e7a6b6e8276c9d837c3aa76c0afcee403c17c72805086246d395ea6be3aa0101f5deb7840c

  • SSDEEP

    6144:Fl51orRJXlDixHkUXe34cEOkCybEaQRXr9HNdvOa51BgVWWStmyyye/:TqXUHkUXe3GOkx2LIazBg0tmyyyI

Score
10/10
upx

Malware Config

Signatures

  • Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
  • Downloads MZ/PE file
  • Drops file in Drivers directory 1 IoCs
  • Deletes itself 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 1 IoCs
  • UPX packed file 9 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Unexpected DNS network traffic destination 1 IoCs

    Network traffic to other servers than the configured DNS servers was detected on the DNS port.

  • Drops file in System32 directory 23 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Delays execution with timeout.exe 2 IoCs
    evasion
  • Modifies data under HKEY_USERS 64 IoCs
  • Modifies system certificate store 2 TTPs 7 IoCs
    evasionspywaretrojan
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: LoadsDriver 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 13 IoCs
  • Suspicious use of WriteProcessMemory 34 IoCs

Processes

  • C:\Windows\system32\winlogon.exe
    winlogon.exe
    1⤵
      PID:424
      • C:\ProgramData\cliconfg.exe
        "C:\ProgramData\cliconfg.exe"
        2⤵
        • Drops file in Drivers directory
        • Executes dropped EXE
        • Drops file in System32 directory
        • Drops file in Windows directory
        • Modifies data under HKEY_USERS
        • Modifies system certificate store
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2756
    • C:\Windows\Explorer.EXE
      C:\Windows\Explorer.EXE
      1⤵
      • Suspicious use of NtCreateUserProcessOtherParentProcess
      • Loads dropped DLL
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1204
      • C:\Users\Admin\AppData\Local\Temp\43a1212d319ae37016aaf8394c837f94beb72526a62e8d795ca8cfee4d828f16.exe
        "C:\Users\Admin\AppData\Local\Temp\43a1212d319ae37016aaf8394c837f94beb72526a62e8d795ca8cfee4d828f16.exe"
        2⤵
        • Drops file in System32 directory
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2232
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /c timeout /t 1 & del /Q /F "C:\Users\Admin\AppData\Local\Temp\43a1212d319ae37016aaf8394c837f94beb72526a62e8d795ca8cfee4d828f16.exe"
          3⤵
          • Deletes itself
          • Suspicious use of WriteProcessMemory
          PID:2252
          • C:\Windows\SysWOW64\timeout.exe
            timeout /t 1
            4⤵
            • Delays execution with timeout.exe
            PID:2156
    • C:\Windows\Syswow64\31d0bc14
      C:\Windows\Syswow64\31d0bc14
      1⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • Drops file in Windows directory
      • Modifies data under HKEY_USERS
      • Modifies system certificate store
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1680
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c timeout /t 1 & del /Q /F "C:\Windows\Syswow64\31d0bc14"
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:1236
        • C:\Windows\SysWOW64\timeout.exe
          timeout /t 1
          3⤵
          • Delays execution with timeout.exe
          PID:1956

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\ProgramData\cliconfg.exe
      Filesize

      48KB

      MD5

      e0396c4edb81c6c766ca54798ca1162f

      SHA1

      e8a9f967ef477ec326ab539634bde50210ed4f45

      SHA256

      e5433615807161148b8ffbb8c2fb76cfd2125472c409df3b77e9731463954d01

      SHA512

      02008cf9d988f77ab2daf78a2c27f00586c43ad7f48e31205556205ffab8737b6b585b9c525b0c65a4c8d3281adc14b70ab987e198414b0ef44fe0b1c5270a0f

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\a189e071.tmp
      Filesize

      11.6MB

      MD5

      5244c87dbafa1f764b258766005dea73

      SHA1

      84cb8b4fb3e0910cfecfb31b6fa54c16d940e703

      SHA256

      077035f93ddc3ac5a8b5631d43826baf7722256eb1c4716b3c2567f07379bc40

      SHA512

      54d64d32e73e2752cdf9a110db17ad64574eb072df0ed0dc34a7e4bc469c03aa79ef7d45465e279ef85d5fc6b33a1b750b181476cdea7ea98898ddba9aa60438

      Download Submit

    • C:\Windows\SysWOW64\31d0bc14
      Filesize

      1.1MB

      MD5

      dd9905298819958f134cec85d65b21c5

      SHA1

      0d879ca52655cfa2ad44fb78ea19bdce120b40be

      SHA256

      72d1078c360586a2ec536c35e7d469b1930b511e523dea81b7cd59cf3ea6239e

      SHA512

      a1eb6ec158de8a928bee86032809374499ba7088dfe53ad4fb0b12874931a4c2a787383017cfbde3a6684afadb485d7d9e8621e7122bc4e13cb8d1548a55eb05

      Download Submit

    • C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
      Filesize

      61KB

      MD5

      f3441b8572aae8801c04f3060b550443

      SHA1

      4ef0a35436125d6821831ef36c28ffaf196cda15

      SHA256

      6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf

      SHA512

      5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

      Download Submit

    • C:\Windows\Syswow64\31d0bc14
      Filesize

      1.1MB

      MD5

      dd9905298819958f134cec85d65b21c5

      SHA1

      0d879ca52655cfa2ad44fb78ea19bdce120b40be

      SHA256

      72d1078c360586a2ec536c35e7d469b1930b511e523dea81b7cd59cf3ea6239e

      SHA512

      a1eb6ec158de8a928bee86032809374499ba7088dfe53ad4fb0b12874931a4c2a787383017cfbde3a6684afadb485d7d9e8621e7122bc4e13cb8d1548a55eb05

      Download Submit

    • \ProgramData\cliconfg.exe
      Filesize

      48KB

      MD5

      e0396c4edb81c6c766ca54798ca1162f

      SHA1

      e8a9f967ef477ec326ab539634bde50210ed4f45

      SHA256

      e5433615807161148b8ffbb8c2fb76cfd2125472c409df3b77e9731463954d01

      SHA512

      02008cf9d988f77ab2daf78a2c27f00586c43ad7f48e31205556205ffab8737b6b585b9c525b0c65a4c8d3281adc14b70ab987e198414b0ef44fe0b1c5270a0f

      Download Submit

    • memory/424-49-0x0000000000910000-0x0000000000938000-memory.dmp

      Filesize

      160KB

      Download

    • memory/424-51-0x0000000000910000-0x0000000000938000-memory.dmp

      Filesize

      160KB

      Download

    • memory/1204-27-0x0000000006B00000-0x0000000006BF9000-memory.dmp

      Filesize

      996KB

      Download

    • memory/1204-25-0x0000000006B00000-0x0000000006BF9000-memory.dmp

      Filesize

      996KB

      Download

    • memory/1204-21-0x0000000002B20000-0x0000000002B23000-memory.dmp

      Filesize

      12KB

      Download

    • memory/1204-109-0x0000000006B00000-0x0000000006BF9000-memory.dmp

      Filesize

      996KB

      Download

    • memory/1204-24-0x0000000002B20000-0x0000000002B23000-memory.dmp

      Filesize

      12KB

      Download

    • memory/1204-23-0x0000000002B20000-0x0000000002B23000-memory.dmp

      Filesize

      12KB

      Download

    • memory/1204-80-0x0000000006B00000-0x0000000006BF9000-memory.dmp

      Filesize

      996KB

      Download

    • memory/1680-42-0x00000000012D0000-0x0000000001359000-memory.dmp

      Filesize

      548KB

      Download

    • memory/1680-3-0x00000000012D0000-0x0000000001359000-memory.dmp

      Filesize

      548KB

      Download

    • memory/1680-106-0x00000000012D0000-0x0000000001359000-memory.dmp

      Filesize

      548KB

      Download

    • memory/1680-66-0x00000000012D0000-0x0000000001359000-memory.dmp

      Filesize

      548KB

      Download

    • memory/2232-26-0x0000000000FA0000-0x0000000001029000-memory.dmp

      Filesize

      548KB

      Download

    • memory/2232-0-0x0000000000FA0000-0x0000000001029000-memory.dmp

      Filesize

      548KB

      Download

    • memory/2232-52-0x0000000000FA0000-0x0000000001029000-memory.dmp

      Filesize

      548KB

      Download

    • memory/2756-110-0x0000000000910000-0x0000000000938000-memory.dmp

      Filesize

      160KB

      Download

    • memory/2756-112-0x00000000002A0000-0x000000000036B000-memory.dmp

      Filesize

      812KB

      Download

    • memory/2756-47-0x00000000002A0000-0x000000000036B000-memory.dmp

      Filesize

      812KB

      Download

    • memory/2756-107-0x0000000037010000-0x0000000037020000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2756-46-0x000007FEBD730000-0x000007FEBD740000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2756-33-0x0000000000130000-0x0000000000131000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2756-31-0x0000000000060000-0x0000000000123000-memory.dmp

      Filesize

      780KB

      Download

    • memory/2756-38-0x0000000000160000-0x0000000000163000-memory.dmp

      Filesize

      12KB

      Download

    • memory/2756-113-0x0000000002000000-0x0000000002001000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2756-114-0x0000000002000000-0x0000000002001000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2756-115-0x0000000004500000-0x00000000046C5000-memory.dmp

      Filesize

      1.8MB

      Download

    • memory/2756-116-0x0000000002000000-0x0000000002001000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2756-117-0x0000000004500000-0x00000000046C5000-memory.dmp

      Filesize

      1.8MB

      Download

    • memory/2756-118-0x0000000002000000-0x0000000002001000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2756-119-0x0000000004500000-0x00000000046C5000-memory.dmp

      Filesize

      1.8MB

      Download

    • memory/2756-45-0x00000000002A0000-0x000000000036B000-memory.dmp

      Filesize

      812KB

      Download