Overview

overview

8

Static

static

3

2d5300a97b...9c.exe

windows7-x64

8

2d5300a97b...9c.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    151s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20230831-en
  • resource tags

    arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
  • submitted
    10-10-2023 22:21

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2d5300a97bda02a8c2a07eed49eabcfff1cfc94c82a3fe2a76f8b3fdbb16fd9c.exe

  • Size

    4.5MB

  • MD5

    f785ba32a1a864ffac675d3c25f0e2d2

  • SHA1

    6c4214617cb7abd4d245179f04d1d6eff7b08b33

  • SHA256

    2d5300a97bda02a8c2a07eed49eabcfff1cfc94c82a3fe2a76f8b3fdbb16fd9c

  • SHA512

    55e7763fbde84577ef8495a39e54d4507c484d0484ca9265430622d439563aed800750085a23821bf506b983b64a2f80f15bd270a03d03deb96b60492445d4b1

  • SSDEEP

    49152:kAL2w8IDI5DAar2Dkw7q9iRHbvlnCWPhkRtZnNs4T3Bet25zzry2uECF:L2hT5s+jkdy1x1zHNC

Score
8/10
upx

Malware Config

Signatures

  • Modifies RDP port number used by Windows 1 TTPs
  • Executes dropped EXE 1 IoCs
  • UPX packed file 3 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2d5300a97bda02a8c2a07eed49eabcfff1cfc94c82a3fe2a76f8b3fdbb16fd9c.exe
    "C:\Users\Admin\AppData\Local\Temp\2d5300a97bda02a8c2a07eed49eabcfff1cfc94c82a3fe2a76f8b3fdbb16fd9c.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2176
    • C:\Users\Public\Downloads\ISpNQBHB\Y20ZR95a.exe
      "C:\Users\Public\Downloads\ISpNQBHB\Y20ZR95a.exe"
      2⤵
      • Executes dropped EXE
      • Checks processor information in registry
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2832
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c echo.>c:\xxxx.ini
        3⤵
          PID:2776

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\_ir_tu2_temp_0\IRIMG3.JPG
      Filesize

      6KB

      MD5

      e39405e85e09f64ccde0f59392317dd3

      SHA1

      9c76db4b3d8c7972e7995ecfb1e3c47ee94fd14b

      SHA256

      cfd9677e1c0e10b1507f520c4ecd40f68db78154c0d4e6563403d540f3bf829f

      SHA512

      6733f330145b48d23c023c664090f4f240e9bbeb8368b486c8ee8682ec6a930b73275e24075648d1aa7e01db1ec7b7e259286917a006ba9af8fb7cba3439070a

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\_ir_tu2_temp_0\IRIMG4.JPG
      Filesize

      36KB

      MD5

      f6bf82a293b69aa5b47d4e2de305d45a

      SHA1

      4948716616d4bbe68be2b4c5bf95350402d3f96f

      SHA256

      6a9368cdd7b3ff9b590e206c3536569bc45c338966d0059784959f73fe6281e0

      SHA512

      edf0f3ee60a620cf886184c1014f38d0505aac9e3703d61d7074cfb27d6922f80e570d1a3891593606a09f1296a88c8770445761c11c390a99a5341ee56478aa

      Download Submit

    • C:\Users\Public\Downloads\ISpNQBHB\Edge.jpg
      Filesize

      358KB

      MD5

      1eea54e7d8da117c7f1ec5a647189832

      SHA1

      9c39c0ffee626a03f3712c327656708a46f85c78

      SHA256

      90ba6b523b9d35cf2f1ca2e402eceeecf94cda78aa13a48a9e1e75c3687c97fa

      SHA512

      65a0f9a618f524f950200bfb4f183fc0c7c9b5b8e0f4baf0d519f28e0e2f3f04e02ca805492ff43a235d272f3ea06adb3a825c9ee3c86ce10f4fb7640d29f755

      Download Submit

    • C:\Users\Public\Downloads\ISpNQBHB\Y20ZR95a.dat
      Filesize

      132KB

      MD5

      4149f0d8db7f8de3a56c630b9980bbdc

      SHA1

      c3c642f00b270f7f10eb0ea7c5eefce17f0ea80b

      SHA256

      5e7393708215984f021292743cfd59cb7fe2e03dd4d504663b19768efb4d84c2

      SHA512

      5dd2e1fe0aa82d91b591fd4b01e180b9888ba4c8d36107d64bde32b42a959425e38bc15cf79b677eda3a6b7d6831acde7cac99622dd0ef834ad2258ced1d2921

      Download Submit

    • C:\Users\Public\Downloads\ISpNQBHB\Y20ZR95a.exe
      Filesize

      529KB

      MD5

      49d595ab380b7c7a4cd6916eeb4dfe6f

      SHA1

      b84649fce92cc0e7a4d25599cc15ffaf312edc0b

      SHA256

      207d856a56e97f2fdab243742f0cfcd1ba8b5814dc65b3798e54d022ce719661

      SHA512

      d00ed0d9baae96ccbaf1262b4a4aaf4468e4ace6cebcea81e74d830bf414d9bc61068b8fb0eefa742add14aec47284f3adc11be26c8b8d66bfae4c498f2a4110

      Download Submit

    • C:\Users\Public\Downloads\ISpNQBHB\edge.xml
      Filesize

      53KB

      MD5

      a2d73bcfbf7df25ebc202742e6b8cbad

      SHA1

      8f6c17ad94766e4b2d3b59578d3b35b37e9b4ac2

      SHA256

      07a4d9a2e853399163b3f8f0555b9ffdddf0f91697e3f7f9d0ca48115c43b646

      SHA512

      ed6d6d2619e8bd640e5d16d5efed64857c044e12cc39209cdbf636ed1afc42d637061890a0ec2d39643a5a63345d77c7da2d34e2be6594f8fd76b7f7ee79851a

      Download Submit

    • memory/2832-7-0x0000000000400000-0x0000000000558000-memory.dmp

      Filesize

      1.3MB

      Download

    • memory/2832-29-0x0000000002060000-0x0000000002061000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2832-32-0x00000000027A0000-0x00000000027B2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/2832-34-0x0000000010000000-0x0000000010061000-memory.dmp

      Filesize

      388KB

      Download

    • memory/2832-46-0x0000000000400000-0x0000000000558000-memory.dmp

      Filesize

      1.3MB

      Download