Overview

overview

8

Static

static

7

95d338b145...4a.exe

windows7-x64

8

95d338b145...4a.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    151s
  • max time network
    145s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230915-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
  • submitted
    09/10/2023, 06:26

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    95d338b145f56210124399d4b2b309291075e365cb9ea19665e0eefaa09abb4a.exe

  • Size

    2.7MB

  • MD5

    40420292a6806912eca11bd33bbd6e41

  • SHA1

    d9f970de792fb4e724d34b4b335dc81ed8e71d23

  • SHA256

    95d338b145f56210124399d4b2b309291075e365cb9ea19665e0eefaa09abb4a

  • SHA512

    5c8a4227a7e9b40c837e7a96368cfaecc0d81acedce9ce0f4a7f53f2a89af53d6b95ecb439f12c85e6cbbb3ea7af0fc239d6144b2852e0cb7f8ed31ccd6a6a97

  • SSDEEP

    49152:ITGkQU5QZuTtS0rQMYOQ+q8CEGTG4QoTGHQV9KFeMz:IKkDWsM0r1QnJK4ZKHq0FeS

Score
8/10
upx

Malware Config

Signatures

  • Drops file in Drivers directory 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • UPX packed file 8 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Unexpected DNS network traffic destination 1 IoCs

    Network traffic to other servers than the configured DNS servers was detected on the DNS port.

  • Drops file in System32 directory 16 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Delays execution with timeout.exe 2 IoCs
    evasion
  • Modifies Internet Explorer settings 1 TTPs 2 IoCs
    adwarespyware
  • Modifies data under HKEY_USERS 9 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: LoadsDriver 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 16 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of UnmapMainImage
    • Suspicious use of WriteProcessMemory
    PID:3104
    • C:\Users\Admin\AppData\Local\Temp\95d338b145f56210124399d4b2b309291075e365cb9ea19665e0eefaa09abb4a.exe
      "C:\Users\Admin\AppData\Local\Temp\95d338b145f56210124399d4b2b309291075e365cb9ea19665e0eefaa09abb4a.exe"
      2⤵
      • Checks computer location settings
      • Drops file in System32 directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4648
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c timeout /t 1 & del /Q /F "C:\Users\Admin\AppData\Local\Temp\95d338b145f56210124399d4b2b309291075e365cb9ea19665e0eefaa09abb4a.exe"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1708
        • C:\Windows\SysWOW64\timeout.exe
          timeout /t 1
          4⤵
          • Delays execution with timeout.exe
          PID:1424
    • C:\ProgramData\mcbuilder.exe
      "C:\ProgramData\mcbuilder.exe"
      2⤵
      • Drops file in Drivers directory
      • Executes dropped EXE
      • Drops file in System32 directory
      • Drops file in Windows directory
      • Checks SCSI registry key(s)
      • Modifies Internet Explorer settings
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:3648
  • C:\Windows\system32\winlogon.exe
    winlogon.exe
    1⤵
      PID:616
    • C:\Windows\Syswow64\777525d6
      C:\Windows\Syswow64\777525d6
      1⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • Drops file in Windows directory
      • Modifies data under HKEY_USERS
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4196
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c timeout /t 1 & del /Q /F "C:\Windows\Syswow64\777525d6"
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:4112
        • C:\Windows\SysWOW64\timeout.exe
          timeout /t 1
          3⤵
          • Delays execution with timeout.exe
          PID:456

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\ProgramData\mcbuilder.exe
      Filesize

      92KB

      MD5

      9ee06f45cf8d8154fa53bc0b0397e2d2

      SHA1

      2cd73f065f259027610bf59b4dd6448e90c5104a

      SHA256

      b139d09d95e5a1de02a00324054fd3db7d7e874e881c2420441f2576496f8695

      SHA512

      49666ef990d4a31b268fa7c7de8ac12cf0f8f00199fe982eecb92b190a55b8c0f33f1c6f806a1dbc8f167c5e5877a0c7adf2143006eb4c83cfdf71758f7e1820

      Download Submit

    • C:\Windows\SysWOW64\777525d6
      Filesize

      2.7MB

      MD5

      9afc95d7b9205c2a0c00242a69bd533f

      SHA1

      2a1dfeed62cb96106950c766baa97c05f12fcc60

      SHA256

      f4c559e35f86206ac1aca031cef75b19039fb671422e0aad17bdd3c3f287ab53

      SHA512

      8def0b9e4bc2da148a9765cbaa2d1426fab1ed45c96232f08c920ae07c650697bb06ccb834560cde48ebc306abb303f1a5c57c324ab4d124fd04609c1c00d21b

      Download Submit

    • C:\Windows\SysWOW64\777525d6
      Filesize

      2.7MB

      MD5

      9afc95d7b9205c2a0c00242a69bd533f

      SHA1

      2a1dfeed62cb96106950c766baa97c05f12fcc60

      SHA256

      f4c559e35f86206ac1aca031cef75b19039fb671422e0aad17bdd3c3f287ab53

      SHA512

      8def0b9e4bc2da148a9765cbaa2d1426fab1ed45c96232f08c920ae07c650697bb06ccb834560cde48ebc306abb303f1a5c57c324ab4d124fd04609c1c00d21b

      Download Submit

    • memory/616-73-0x000001D74A530000-0x000001D74A531000-memory.dmp

      Filesize

      4KB

      Download

    • memory/616-27-0x000001D74A4E0000-0x000001D74A4E3000-memory.dmp

      Filesize

      12KB

      Download

    • memory/616-31-0x000001D74A4F0000-0x000001D74A518000-memory.dmp

      Filesize

      160KB

      Download

    • memory/616-29-0x000001D74A530000-0x000001D74A531000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3104-10-0x00000000030F0000-0x00000000030F3000-memory.dmp

      Filesize

      12KB

      Download

    • memory/3104-13-0x00000000030F0000-0x00000000030F3000-memory.dmp

      Filesize

      12KB

      Download

    • memory/3104-14-0x0000000003110000-0x0000000003111000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3104-12-0x00000000030F0000-0x00000000030F3000-memory.dmp

      Filesize

      12KB

      Download

    • memory/3104-15-0x0000000008FD0000-0x00000000090C7000-memory.dmp

      Filesize

      988KB

      Download

    • memory/3104-68-0x0000000008FD0000-0x00000000090C7000-memory.dmp

      Filesize

      988KB

      Download

    • memory/3104-63-0x0000000003110000-0x0000000003111000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3648-21-0x000001DB78EC0000-0x000001DB78F8B000-memory.dmp

      Filesize

      812KB

      Download

    • memory/3648-71-0x000001DB7A780000-0x000001DB7A781000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3648-25-0x00007FF8931B0000-0x00007FF8931C0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3648-89-0x000001DB7A880000-0x000001DB7A881000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3648-22-0x000001DB78EC0000-0x000001DB78F8B000-memory.dmp

      Filesize

      812KB

      Download

    • memory/3648-88-0x000001DB7A8C0000-0x000001DB7A8C1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3648-87-0x000001DB7A8C0000-0x000001DB7A8C1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3648-62-0x00007FF8931B0000-0x00007FF8931C0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3648-86-0x000001DB7A8C0000-0x000001DB7A8C1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3648-64-0x000001DB7A890000-0x000001DB7A892000-memory.dmp

      Filesize

      8KB

      Download

    • memory/3648-20-0x000001DB78C30000-0x000001DB78C33000-memory.dmp

      Filesize

      12KB

      Download

    • memory/3648-69-0x000001DB78EC0000-0x000001DB78F8B000-memory.dmp

      Filesize

      812KB

      Download

    • memory/3648-85-0x000001DB7A8C0000-0x000001DB7A8C1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3648-84-0x000001DB7A8D0000-0x000001DB7A8D1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3648-70-0x000001DB7A8A0000-0x000001DB7A8A1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3648-24-0x000001DB7A780000-0x000001DB7A781000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3648-74-0x000001DB7A8B0000-0x000001DB7A8BF000-memory.dmp

      Filesize

      60KB

      Download

    • memory/3648-75-0x000001DB7A8B0000-0x000001DB7A8B1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3648-76-0x000001DB7B0E0000-0x000001DB7B180000-memory.dmp

      Filesize

      640KB

      Download

    • memory/3648-77-0x000001DB7A8A0000-0x000001DB7A8A2000-memory.dmp

      Filesize

      8KB

      Download

    • memory/3648-78-0x000001DB7A8A0000-0x000001DB7A8A1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3648-79-0x000001DB7A8C0000-0x000001DB7A8C1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3648-80-0x000001DB7A8A0000-0x000001DB7A8A1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3648-81-0x000001DB7A8C0000-0x000001DB7A8C1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3648-82-0x000001DB7B0E0000-0x000001DB7B180000-memory.dmp

      Filesize

      640KB

      Download

    • memory/3648-83-0x000001DB7A8A0000-0x000001DB7A8A2000-memory.dmp

      Filesize

      8KB

      Download

    • memory/4196-3-0x00000000006C0000-0x0000000000749000-memory.dmp

      Filesize

      548KB

      Download

    • memory/4196-72-0x00000000006C0000-0x0000000000749000-memory.dmp

      Filesize

      548KB

      Download

    • memory/4196-39-0x00000000006C0000-0x0000000000749000-memory.dmp

      Filesize

      548KB

      Download

    • memory/4648-0-0x0000000000230000-0x00000000002B9000-memory.dmp

      Filesize

      548KB

      Download

    • memory/4648-38-0x0000000000230000-0x00000000002B9000-memory.dmp

      Filesize

      548KB

      Download

    • memory/4648-30-0x0000000000230000-0x00000000002B9000-memory.dmp

      Filesize

      548KB

      Download