Overview

overview

10

Static

static

7

1987b42bfe...7b.exe

windows7-x64

10

1987b42bfe...7b.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    135s
  • platform
    windows7_x64
  • resource
    win7-20230831-en
  • resource tags

    arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
  • submitted
    04-10-2023 10:50

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    1987b42bfe0d36572cb59a43575b15fe8da5be747005d302898333232f90b47b.exe

  • Size

    271KB

  • MD5

    eb6c2b720bf1204827e513af9b93fc04

  • SHA1

    da49da66e4d4ce6a9c656f821eaed25ad599f772

  • SHA256

    1987b42bfe0d36572cb59a43575b15fe8da5be747005d302898333232f90b47b

  • SHA512

    e8e1723052346d31abb701b87b8deedb002fe42bc899d99efd040f13ee6e4b2516ee6f193ae7bb130280bf18ac959a29073245024256d87562aaa14ef5b5d649

  • SSDEEP

    6144:/l51orRJXlDixHkUXe34cEOkCybEaQRXr9HNdvOa:xqXUHkUXe3GOkx2LIa

Score
10/10
upx

Malware Config

Signatures

  • Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
  • Downloads MZ/PE file
  • Drops file in Drivers directory 1 IoCs
  • Deletes itself 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 1 IoCs
  • UPX packed file 9 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Unexpected DNS network traffic destination 1 IoCs

    Network traffic to other servers than the configured DNS servers was detected on the DNS port.

  • Drops file in System32 directory 23 IoCs
  • Drops file in Windows directory 4 IoCs
  • Delays execution with timeout.exe 2 IoCs
    evasion
  • Modifies data under HKEY_USERS 64 IoCs
  • Modifies system certificate store 2 TTPs 7 IoCs
    evasionspywaretrojan
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: LoadsDriver 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 13 IoCs
  • Suspicious use of WriteProcessMemory 34 IoCs

Processes

  • C:\Windows\system32\winlogon.exe
    winlogon.exe
    1⤵
      PID:420
      • C:\Windows\Inf\ddodiag.exe
        "C:\Windows\Inf\ddodiag.exe"
        2⤵
        • Drops file in Drivers directory
        • Executes dropped EXE
        • Drops file in System32 directory
        • Drops file in Windows directory
        • Modifies data under HKEY_USERS
        • Modifies system certificate store
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2604
    • C:\Windows\Explorer.EXE
      C:\Windows\Explorer.EXE
      1⤵
      • Suspicious use of NtCreateUserProcessOtherParentProcess
      • Loads dropped DLL
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1260
      • C:\Users\Admin\AppData\Local\Temp\1987b42bfe0d36572cb59a43575b15fe8da5be747005d302898333232f90b47b.exe
        "C:\Users\Admin\AppData\Local\Temp\1987b42bfe0d36572cb59a43575b15fe8da5be747005d302898333232f90b47b.exe"
        2⤵
        • Drops file in System32 directory
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2980
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /c timeout /t 1 & del /Q /F "C:\Users\Admin\AppData\Local\Temp\1987b42bfe0d36572cb59a43575b15fe8da5be747005d302898333232f90b47b.exe"
          3⤵
          • Deletes itself
          • Suspicious use of WriteProcessMemory
          PID:2504
          • C:\Windows\SysWOW64\timeout.exe
            timeout /t 1
            4⤵
            • Delays execution with timeout.exe
            PID:2576
    • C:\Windows\Syswow64\9bba52d7
      C:\Windows\Syswow64\9bba52d7
      1⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • Drops file in Windows directory
      • Modifies data under HKEY_USERS
      • Modifies system certificate store
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2232
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c timeout /t 1 & del /Q /F "C:\Windows\Syswow64\9bba52d7"
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:524
        • C:\Windows\SysWOW64\timeout.exe
          timeout /t 1
          3⤵
          • Delays execution with timeout.exe
          PID:564

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\a184c126.tmp
      Filesize

      11.6MB

      MD5

      5244c87dbafa1f764b258766005dea73

      SHA1

      84cb8b4fb3e0910cfecfb31b6fa54c16d940e703

      SHA256

      077035f93ddc3ac5a8b5631d43826baf7722256eb1c4716b3c2567f07379bc40

      SHA512

      54d64d32e73e2752cdf9a110db17ad64574eb072df0ed0dc34a7e4bc469c03aa79ef7d45465e279ef85d5fc6b33a1b750b181476cdea7ea98898ddba9aa60438

      Download Submit

    • C:\Windows\SysWOW64\9bba52d7
      Filesize

      271KB

      MD5

      13f830acd706212f92c77b5e27e605f4

      SHA1

      d9a26e74062c1f5eb594a2d958cb3ffd94b27c4c

      SHA256

      4b27b2009a9c4c0e1a565f3a9e32b21d52c1a771e06a6b6bbc5ca4e37f1d6d95

      SHA512

      8003fb3b022db89e616b052704beca1273bad784cee24f637665db1df0ca028d874e3c89d450449449f190c614e9a93b2f8f31d320a93c7d4accd8d70f2ade97

      Download Submit

    • C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
      Filesize

      61KB

      MD5

      f3441b8572aae8801c04f3060b550443

      SHA1

      4ef0a35436125d6821831ef36c28ffaf196cda15

      SHA256

      6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf

      SHA512

      5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

      Download Submit

    • C:\Windows\Syswow64\9bba52d7
      Filesize

      271KB

      MD5

      13f830acd706212f92c77b5e27e605f4

      SHA1

      d9a26e74062c1f5eb594a2d958cb3ffd94b27c4c

      SHA256

      4b27b2009a9c4c0e1a565f3a9e32b21d52c1a771e06a6b6bbc5ca4e37f1d6d95

      SHA512

      8003fb3b022db89e616b052704beca1273bad784cee24f637665db1df0ca028d874e3c89d450449449f190c614e9a93b2f8f31d320a93c7d4accd8d70f2ade97

      Download Submit

    • C:\Windows\inf\ddodiag.exe
      Filesize

      42KB

      MD5

      509f9513ca16ba2f2047f5227a05d1a8

      SHA1

      fe8d63259cb9afa17da7b7b8ede4e75081071b1a

      SHA256

      ddf48c333e45c56c9e3f16e492c023bf138629f4c093b8aaab8ea60310c8c96e

      SHA512

      ad3168767e5eba575ae766e1e2923b1db4571bbeb302d7c58e8023612e33913dcd9e5f4a4c1bc7b1556442a0807117066f17c62b38fe2ae0dfaa3817b7318862

      Download Submit

    • \Windows\inf\ddodiag.exe
      Filesize

      42KB

      MD5

      509f9513ca16ba2f2047f5227a05d1a8

      SHA1

      fe8d63259cb9afa17da7b7b8ede4e75081071b1a

      SHA256

      ddf48c333e45c56c9e3f16e492c023bf138629f4c093b8aaab8ea60310c8c96e

      SHA512

      ad3168767e5eba575ae766e1e2923b1db4571bbeb302d7c58e8023612e33913dcd9e5f4a4c1bc7b1556442a0807117066f17c62b38fe2ae0dfaa3817b7318862

      Download Submit

    • memory/420-52-0x0000000000880000-0x00000000008A8000-memory.dmp

      Filesize

      160KB

      Download

    • memory/420-49-0x0000000000450000-0x0000000000453000-memory.dmp

      Filesize

      12KB

      Download

    • memory/1260-27-0x0000000007AB0000-0x0000000007BA9000-memory.dmp

      Filesize

      996KB

      Download

    • memory/1260-24-0x0000000002A40000-0x0000000002A43000-memory.dmp

      Filesize

      12KB

      Download

    • memory/1260-25-0x0000000007AB0000-0x0000000007BA9000-memory.dmp

      Filesize

      996KB

      Download

    • memory/1260-109-0x0000000007AB0000-0x0000000007BA9000-memory.dmp

      Filesize

      996KB

      Download

    • memory/1260-23-0x0000000002A40000-0x0000000002A43000-memory.dmp

      Filesize

      12KB

      Download

    • memory/1260-99-0x0000000007AB0000-0x0000000007BA9000-memory.dmp

      Filesize

      996KB

      Download

    • memory/1260-21-0x0000000002A40000-0x0000000002A43000-memory.dmp

      Filesize

      12KB

      Download

    • memory/2232-103-0x00000000012A0000-0x0000000001329000-memory.dmp

      Filesize

      548KB

      Download

    • memory/2232-42-0x00000000012A0000-0x0000000001329000-memory.dmp

      Filesize

      548KB

      Download

    • memory/2232-60-0x00000000012A0000-0x0000000001329000-memory.dmp

      Filesize

      548KB

      Download

    • memory/2232-3-0x00000000012A0000-0x0000000001329000-memory.dmp

      Filesize

      548KB

      Download

    • memory/2604-31-0x0000000000060000-0x0000000000123000-memory.dmp

      Filesize

      780KB

      Download

    • memory/2604-113-0x0000000000450000-0x000000000051B000-memory.dmp

      Filesize

      812KB

      Download

    • memory/2604-47-0x000007FEBE140000-0x000007FEBE150000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2604-46-0x0000000000450000-0x000000000051B000-memory.dmp

      Filesize

      812KB

      Download

    • memory/2604-43-0x0000000000450000-0x000000000051B000-memory.dmp

      Filesize

      812KB

      Download

    • memory/2604-38-0x0000000000160000-0x0000000000163000-memory.dmp

      Filesize

      12KB

      Download

    • memory/2604-107-0x0000000037B40000-0x0000000037B50000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2604-110-0x0000000000880000-0x00000000008A8000-memory.dmp

      Filesize

      160KB

      Download

    • memory/2604-33-0x0000000000130000-0x0000000000131000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2604-129-0x0000000004580000-0x0000000004745000-memory.dmp

      Filesize

      1.8MB

      Download

    • memory/2604-112-0x0000000000450000-0x000000000051B000-memory.dmp

      Filesize

      812KB

      Download

    • memory/2604-122-0x0000000004580000-0x0000000004745000-memory.dmp

      Filesize

      1.8MB

      Download

    • memory/2604-114-0x0000000001F70000-0x0000000001F71000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2604-115-0x0000000001F70000-0x0000000001F71000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2604-116-0x0000000001F70000-0x0000000001F71000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2604-117-0x0000000004580000-0x0000000004745000-memory.dmp

      Filesize

      1.8MB

      Download

    • memory/2604-118-0x0000000004580000-0x0000000004745000-memory.dmp

      Filesize

      1.8MB

      Download

    • memory/2604-119-0x0000000001F70000-0x0000000001F71000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2604-120-0x0000000004580000-0x0000000004745000-memory.dmp

      Filesize

      1.8MB

      Download

    • memory/2604-121-0x0000000001F80000-0x0000000001F81000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2980-51-0x0000000000B30000-0x0000000000BB9000-memory.dmp

      Filesize

      548KB

      Download

    • memory/2980-26-0x0000000000B30000-0x0000000000BB9000-memory.dmp

      Filesize

      548KB

      Download

    • memory/2980-0-0x0000000000B30000-0x0000000000BB9000-memory.dmp

      Filesize

      548KB

      Download