Overview

overview

10

Static

static

7

413d0b22a1...82.exe

windows7-x64

10

413d0b22a1...82.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    152s
  • max time network
    147s
  • platform
    windows7_x64
  • resource
    win7-20230831-en
  • resource tags

    arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
  • submitted
    07/10/2023, 07:35

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    413d0b22a11c0b64927a06602585a2a71b7b608db8b77d2acb227d96b5847e82.exe

  • Size

    271KB

  • MD5

    1a745c946198f16fdcf3c902de26341b

  • SHA1

    b8ac4346dc294cdb8defdfdcd8169a8308f614c6

  • SHA256

    413d0b22a11c0b64927a06602585a2a71b7b608db8b77d2acb227d96b5847e82

  • SHA512

    9bb81b59b63fbfc788f0df2cf3c3e56a92ef6bc714c4a12ce162d4eccd0c40307a75286338b1ad10b66a27d3563c53ca01a3a58572110e9c496fb06a780abf14

  • SSDEEP

    6144:yl51orRJXlDixHkUXe34cEOkCybEaQRXr9HNdvOa:KqXUHkUXe3GOkx2LIa

Score
10/10
upx

Malware Config

Signatures

  • Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
  • Downloads MZ/PE file
  • Drops file in Drivers directory 1 IoCs
  • Deletes itself 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 1 IoCs
  • UPX packed file 9 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Unexpected DNS network traffic destination 1 IoCs

    Network traffic to other servers than the configured DNS servers was detected on the DNS port.

  • Drops file in System32 directory 23 IoCs
  • Drops file in Windows directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Delays execution with timeout.exe 2 IoCs
    evasion
  • Modifies data under HKEY_USERS 64 IoCs
  • Modifies system certificate store 2 TTPs 6 IoCs
    evasionspywaretrojan
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: LoadsDriver 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 13 IoCs
  • Suspicious use of WriteProcessMemory 34 IoCs

Processes

  • C:\Windows\system32\winlogon.exe
    winlogon.exe
    1⤵
      PID:424
      • C:\Windows\Fonts\makecab.exe
        "C:\Windows\Fonts\makecab.exe"
        2⤵
        • Drops file in Drivers directory
        • Executes dropped EXE
        • Drops file in System32 directory
        • Drops file in Windows directory
        • Modifies data under HKEY_USERS
        • Modifies system certificate store
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2544
    • C:\Windows\Explorer.EXE
      C:\Windows\Explorer.EXE
      1⤵
      • Suspicious use of NtCreateUserProcessOtherParentProcess
      • Loads dropped DLL
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1264
      • C:\Users\Admin\AppData\Local\Temp\413d0b22a11c0b64927a06602585a2a71b7b608db8b77d2acb227d96b5847e82.exe
        "C:\Users\Admin\AppData\Local\Temp\413d0b22a11c0b64927a06602585a2a71b7b608db8b77d2acb227d96b5847e82.exe"
        2⤵
        • Drops file in System32 directory
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:3040
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /c timeout /t 1 & del /Q /F "C:\Users\Admin\AppData\Local\Temp\413d0b22a11c0b64927a06602585a2a71b7b608db8b77d2acb227d96b5847e82.exe"
          3⤵
          • Deletes itself
          • Suspicious use of WriteProcessMemory
          PID:1808
          • C:\Windows\SysWOW64\timeout.exe
            timeout /t 1
            4⤵
            • Delays execution with timeout.exe
            PID:2852
    • C:\Windows\Syswow64\7d14faaa
      C:\Windows\Syswow64\7d14faaa
      1⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • Drops file in Windows directory
      • Modifies data under HKEY_USERS
      • Modifies system certificate store
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3068
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c timeout /t 1 & del /Q /F "C:\Windows\Syswow64\7d14faaa"
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:2040
        • C:\Windows\SysWOW64\timeout.exe
          timeout /t 1
          3⤵
          • Delays execution with timeout.exe
          PID:1564

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\a1887b6e.tmp
      Filesize

      11.6MB

      MD5

      5244c87dbafa1f764b258766005dea73

      SHA1

      84cb8b4fb3e0910cfecfb31b6fa54c16d940e703

      SHA256

      077035f93ddc3ac5a8b5631d43826baf7722256eb1c4716b3c2567f07379bc40

      SHA512

      54d64d32e73e2752cdf9a110db17ad64574eb072df0ed0dc34a7e4bc469c03aa79ef7d45465e279ef85d5fc6b33a1b750b181476cdea7ea98898ddba9aa60438

      Download Submit

    • C:\Windows\Fonts\makecab.exe
      Filesize

      114KB

      MD5

      387f2728bfcf50066f7f3219197918eb

      SHA1

      239280f9b1b3bc8d443a08f02fe255d44a9a1311

      SHA256

      12d1e818c64d02f48c0a8a1094390329b8a65248e53e43d21ccf94e9a9701556

      SHA512

      02998cab0fe25aa35b9f9372c73e4a6ccd6ac6a5e9ecaab85b15bc72991cd4173331f387974b1805d38f5d78205ff5b9b2c5c64aa66ace04558641ee08ffe79b

      Download Submit

    • C:\Windows\Fonts\makecab.exe
      Filesize

      114KB

      MD5

      387f2728bfcf50066f7f3219197918eb

      SHA1

      239280f9b1b3bc8d443a08f02fe255d44a9a1311

      SHA256

      12d1e818c64d02f48c0a8a1094390329b8a65248e53e43d21ccf94e9a9701556

      SHA512

      02998cab0fe25aa35b9f9372c73e4a6ccd6ac6a5e9ecaab85b15bc72991cd4173331f387974b1805d38f5d78205ff5b9b2c5c64aa66ace04558641ee08ffe79b

      Download Submit

    • C:\Windows\SysWOW64\7d14faaa
      Filesize

      271KB

      MD5

      e2eca37e3ae117a887d7956dbfca26ec

      SHA1

      5a16775a1f02253fb37a80ac10baf3a7789e62e7

      SHA256

      e2f157cf0a8970ace1c210be743b9c10f94982baa2551bd165c93052c881e50c

      SHA512

      3dfe68762c4a1edda6f554099866c4a1b3571cad476c3284c7923e4f063ff33ce0b36cfdd988956917c577e4c2d5558b68b3491eae238035430dc815d04010d5

      Download Submit

    • C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
      Filesize

      61KB

      MD5

      f3441b8572aae8801c04f3060b550443

      SHA1

      4ef0a35436125d6821831ef36c28ffaf196cda15

      SHA256

      6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf

      SHA512

      5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

      Download Submit

    • C:\Windows\Syswow64\7d14faaa
      Filesize

      271KB

      MD5

      e2eca37e3ae117a887d7956dbfca26ec

      SHA1

      5a16775a1f02253fb37a80ac10baf3a7789e62e7

      SHA256

      e2f157cf0a8970ace1c210be743b9c10f94982baa2551bd165c93052c881e50c

      SHA512

      3dfe68762c4a1edda6f554099866c4a1b3571cad476c3284c7923e4f063ff33ce0b36cfdd988956917c577e4c2d5558b68b3491eae238035430dc815d04010d5

      Download Submit

    • \Windows\Fonts\makecab.exe
      Filesize

      114KB

      MD5

      387f2728bfcf50066f7f3219197918eb

      SHA1

      239280f9b1b3bc8d443a08f02fe255d44a9a1311

      SHA256

      12d1e818c64d02f48c0a8a1094390329b8a65248e53e43d21ccf94e9a9701556

      SHA512

      02998cab0fe25aa35b9f9372c73e4a6ccd6ac6a5e9ecaab85b15bc72991cd4173331f387974b1805d38f5d78205ff5b9b2c5c64aa66ace04558641ee08ffe79b

      Download Submit

    • memory/424-48-0x00000000007E0000-0x00000000007E3000-memory.dmp

      Filesize

      12KB

      Download

    • memory/424-51-0x0000000000890000-0x00000000008B8000-memory.dmp

      Filesize

      160KB

      Download

    • memory/424-49-0x0000000000890000-0x00000000008B8000-memory.dmp

      Filesize

      160KB

      Download

    • memory/1264-26-0x0000000008820000-0x0000000008919000-memory.dmp

      Filesize

      996KB

      Download

    • memory/1264-24-0x0000000002A40000-0x0000000002A43000-memory.dmp

      Filesize

      12KB

      Download

    • memory/1264-25-0x0000000008820000-0x0000000008919000-memory.dmp

      Filesize

      996KB

      Download

    • memory/1264-23-0x0000000002A40000-0x0000000002A43000-memory.dmp

      Filesize

      12KB

      Download

    • memory/1264-21-0x0000000002A40000-0x0000000002A43000-memory.dmp

      Filesize

      12KB

      Download

    • memory/1264-67-0x0000000008820000-0x0000000008919000-memory.dmp

      Filesize

      996KB

      Download

    • memory/2544-32-0x0000000000130000-0x0000000000131000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2544-116-0x0000000004530000-0x00000000046F5000-memory.dmp

      Filesize

      1.8MB

      Download

    • memory/2544-46-0x0000000000320000-0x00000000003EB000-memory.dmp

      Filesize

      812KB

      Download

    • memory/2544-44-0x000007FEBE5E0000-0x000007FEBE5F0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2544-121-0x0000000000650000-0x0000000000651000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2544-36-0x0000000000160000-0x0000000000163000-memory.dmp

      Filesize

      12KB

      Download

    • memory/2544-43-0x0000000000320000-0x00000000003EB000-memory.dmp

      Filesize

      812KB

      Download

    • memory/2544-119-0x0000000004530000-0x00000000046F5000-memory.dmp

      Filesize

      1.8MB

      Download

    • memory/2544-117-0x0000000000630000-0x0000000000631000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2544-30-0x0000000000060000-0x0000000000123000-memory.dmp

      Filesize

      780KB

      Download

    • memory/2544-118-0x0000000000650000-0x0000000000651000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2544-41-0x0000000000320000-0x00000000003EB000-memory.dmp

      Filesize

      812KB

      Download

    • memory/2544-99-0x0000000000320000-0x00000000003EB000-memory.dmp

      Filesize

      812KB

      Download

    • memory/2544-103-0x0000000000320000-0x00000000003EB000-memory.dmp

      Filesize

      812KB

      Download

    • memory/2544-110-0x0000000037580000-0x0000000037590000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2544-112-0x0000000000890000-0x00000000008B8000-memory.dmp

      Filesize

      160KB

      Download

    • memory/2544-113-0x0000000000630000-0x0000000000631000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2544-114-0x0000000000630000-0x0000000000631000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2544-115-0x0000000004530000-0x00000000046F5000-memory.dmp

      Filesize

      1.8MB

      Download

    • memory/3040-0-0x0000000000CB0000-0x0000000000D39000-memory.dmp

      Filesize

      548KB

      Download

    • memory/3040-40-0x0000000000CB0000-0x0000000000D39000-memory.dmp

      Filesize

      548KB

      Download

    • memory/3040-52-0x0000000000CB0000-0x0000000000D39000-memory.dmp

      Filesize

      548KB

      Download

    • memory/3068-84-0x0000000001150000-0x00000000011D9000-memory.dmp

      Filesize

      548KB

      Download

    • memory/3068-54-0x0000000001150000-0x00000000011D9000-memory.dmp

      Filesize

      548KB

      Download

    • memory/3068-45-0x0000000001150000-0x00000000011D9000-memory.dmp

      Filesize

      548KB

      Download

    • memory/3068-3-0x0000000001150000-0x00000000011D9000-memory.dmp

      Filesize

      548KB

      Download