Analysis

  • max time kernel: 151s
  • max time network: 150s
  • platform: windows7_x64
  • resource: win7-20230831-en
  • resource tags: arch:x64, arch:x86, image:win7-20230831-en, locale:en-us, os:windows7-x64, system
  • submitted: 10/10/2023, 22:21 UTC

General

  • Target: 2d5300a97bda02a8c2a07eed49eabcfff1cfc94c82a3fe2a76f8b3fdbb16fd9c.exe
  • Size: 4.5MB
  • MD5: f785ba32a1a864ffac675d3c25f0e2d2
  • SHA1: 6c4214617cb7abd4d245179f04d1d6eff7b08b33
  • SHA256: 2d5300a97bda02a8c2a07eed49eabcfff1cfc94c82a3fe2a76f8b3fdbb16fd9c
  • SHA512: 55e7763fbde84577ef8495a39e54d4507c484d0484ca9265430622d439563aed800750085a23821bf506b983b64a2f80f15bd270a03d03deb96b60492445d4b1
  • SSDEEP: 49152:kAL2w8IDI5DAar2Dkw7q9iRHbvlnCWPhkRtZnNs4T3Bet25zzry2uECF:L2hT5s+jkdy1x1zHNC

Score
8/10
upx

Malware Config

Signatures

  • Modifies RDP port number used by Windows (1 TTPs)
  • Executes dropped EXE (1 IoCs)
  • UPX packed file (3 IoCs)

    Detects executables packed with UPX/modified UPX open source packer.

  • Enumerates physical storage devices (1 TTPs)

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry (2 TTPs, 2 IoCs)

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses (64 IoCs)
  • Suspicious use of SetWindowsHookEx (3 IoCs)
  • Suspicious use of WriteProcessMemory (11 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\2d5300a97bda02a8c2a07eed49eabcfff1cfc94c82a3fe2a76f8b3fdbb16fd9c.exe
    "C:\Users\Admin\AppData\Local\Temp\2d5300a97bda02a8c2a07eed49eabcfff1cfc94c82a3fe2a76f8b3fdbb16fd9c.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2176
    • C:\Users\Public\Downloads\ISpNQBHB\Y20ZR95a.exe
      "C:\Users\Public\Downloads\ISpNQBHB\Y20ZR95a.exe"
      2⤵
      • Executes dropped EXE
      • Checks processor information in registry
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2832
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c echo.>c:\xxxx.ini
        3⤵
          PID:2776

    Network

    • flag-us
      DNS: wtkblq.com (Y20ZR95a.exe)
      Remote address: 8.8.8.8:53
      Request: wtkblq.com IN A
      Response: wtkblq.com IN A 127.0.0.1
    • 134.122.132.115:7000
      Y20ZR95a.exe
      1.2kB
      420 B
      11
      10
    • 127.0.0.1:7070
      Y20ZR95a.exe
    • 8.8.8.8:53
      wtkblq.com
      dns
      Y20ZR95a.exe
      56 B
      72 B
      1
      1
      DNS Request: wtkblq.com
      DNS Response: 127.0.0.1

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\_ir_tu2_temp_0\IRIMG3.JPG
      Filesize: 6KB
      MD5: e39405e85e09f64ccde0f59392317dd3
      SHA1: 9c76db4b3d8c7972e7995ecfb1e3c47ee94fd14b
      SHA256: cfd9677e1c0e10b1507f520c4ecd40f68db78154c0d4e6563403d540f3bf829f
      SHA512: 6733f330145b48d23c023c664090f4f240e9bbeb8368b486c8ee8682ec6a930b73275e24075648d1aa7e01db1ec7b7e259286917a006ba9af8fb7cba3439070a

    • C:\Users\Admin\AppData\Local\Temp\_ir_tu2_temp_0\IRIMG4.JPG
      Filesize: 36KB
      MD5: f6bf82a293b69aa5b47d4e2de305d45a
      SHA1: 4948716616d4bbe68be2b4c5bf95350402d3f96f
      SHA256: 6a9368cdd7b3ff9b590e206c3536569bc45c338966d0059784959f73fe6281e0
      SHA512: edf0f3ee60a620cf886184c1014f38d0505aac9e3703d61d7074cfb27d6922f80e570d1a3891593606a09f1296a88c8770445761c11c390a99a5341ee56478aa

    • C:\Users\Public\Downloads\ISpNQBHB\Edge.jpg
      Filesize: 358KB
      MD5: 1eea54e7d8da117c7f1ec5a647189832
      SHA1: 9c39c0ffee626a03f3712c327656708a46f85c78
      SHA256: 90ba6b523b9d35cf2f1ca2e402eceeecf94cda78aa13a48a9e1e75c3687c97fa
      SHA512: 65a0f9a618f524f950200bfb4f183fc0c7c9b5b8e0f4baf0d519f28e0e2f3f04e02ca805492ff43a235d272f3ea06adb3a825c9ee3c86ce10f4fb7640d29f755

    • C:\Users\Public\Downloads\ISpNQBHB\Y20ZR95a.dat
      Filesize: 132KB
      MD5: 4149f0d8db7f8de3a56c630b9980bbdc
      SHA1: c3c642f00b270f7f10eb0ea7c5eefce17f0ea80b
      SHA256: 5e7393708215984f021292743cfd59cb7fe2e03dd4d504663b19768efb4d84c2
      SHA512: 5dd2e1fe0aa82d91b591fd4b01e180b9888ba4c8d36107d64bde32b42a959425e38bc15cf79b677eda3a6b7d6831acde7cac99622dd0ef834ad2258ced1d2921

    • C:\Users\Public\Downloads\ISpNQBHB\Y20ZR95a.exe
      Filesize: 529KB
      MD5: 49d595ab380b7c7a4cd6916eeb4dfe6f
      SHA1: b84649fce92cc0e7a4d25599cc15ffaf312edc0b
      SHA256: 207d856a56e97f2fdab243742f0cfcd1ba8b5814dc65b3798e54d022ce719661
      SHA512: d00ed0d9baae96ccbaf1262b4a4aaf4468e4ace6cebcea81e74d830bf414d9bc61068b8fb0eefa742add14aec47284f3adc11be26c8b8d66bfae4c498f2a4110

    • C:\Users\Public\Downloads\ISpNQBHB\edge.xml
      Filesize: 53KB
      MD5: a2d73bcfbf7df25ebc202742e6b8cbad
      SHA1: 8f6c17ad94766e4b2d3b59578d3b35b37e9b4ac2
      SHA256: 07a4d9a2e853399163b3f8f0555b9ffdddf0f91697e3f7f9d0ca48115c43b646
      SHA512: ed6d6d2619e8bd640e5d16d5efed64857c044e12cc39209cdbf636ed1afc42d637061890a0ec2d39643a5a63345d77c7da2d34e2be6594f8fd76b7f7ee79851a

    • memory/2832-7-0x0000000000400000-0x0000000000558000-memory.dmp
      Filesize: 1.3MB

    • memory/2832-29-0x0000000002060000-0x0000000002061000-memory.dmp
      Filesize: 4KB

    • memory/2832-32-0x00000000027A0000-0x00000000027B2000-memory.dmp
      Filesize: 72KB

    • memory/2832-34-0x0000000010000000-0x0000000010061000-memory.dmp
      Filesize: 388KB

    • memory/2832-46-0x0000000000400000-0x0000000000558000-memory.dmp
      Filesize: 1.3MB
