Overview

overview

10

Static

static

7

abafe3257c...da.exe

windows7-x64

10

abafe3257c...da.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230915-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
  • submitted
    10/10/2023, 06:59

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    abafe3257cc419959314880b4ddb2fc30e32d82e5dfcf9d327fa8c1d4d3913da.exe

  • Size

    271KB

  • MD5

    18d84d594f51a6651fb81fe481e34253

  • SHA1

    c30c28a892b172f36b8ba136ade6312c394cc3e9

  • SHA256

    abafe3257cc419959314880b4ddb2fc30e32d82e5dfcf9d327fa8c1d4d3913da

  • SHA512

    2a5791910bf9e7bc48bc7a033d6359a008cf93c5bd8337463ef4de3358edcd27b5022a7ae45e6d6fe986a9c56eba2e1eb958e50434b0cf899c33eef429fd1aa9

  • SSDEEP

    6144:Gl51orRJXlDixHkUXe34cEOkCybEaQRXr9HNdvOa:OqXUHkUXe3GOkx2LIa

Score
10/10
upx

Malware Config

Signatures

  • Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
  • Downloads MZ/PE file
  • Drops file in Drivers directory 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • UPX packed file 8 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Unexpected DNS network traffic destination 1 IoCs

    Network traffic to other servers than the configured DNS servers was detected on the DNS port.

  • Drops file in System32 directory 26 IoCs
  • Drops file in Windows directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Delays execution with timeout.exe 2 IoCs
    evasion
  • Modifies data under HKEY_USERS 18 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: LoadsDriver 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 15 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 29 IoCs

Processes

  • C:\Windows\system32\winlogon.exe
    winlogon.exe
    1⤵
      PID:596
      • C:\Windows\Help\dialer.exe
        "C:\Windows\Help\dialer.exe"
        2⤵
        • Drops file in Drivers directory
        • Executes dropped EXE
        • Drops file in System32 directory
        • Drops file in Windows directory
        • Checks SCSI registry key(s)
        • Modifies data under HKEY_USERS
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3740
    • C:\Windows\Explorer.EXE
      C:\Windows\Explorer.EXE
      1⤵
      • Suspicious use of NtCreateUserProcessOtherParentProcess
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of UnmapMainImage
      • Suspicious use of WriteProcessMemory
      PID:3228
      • C:\Users\Admin\AppData\Local\Temp\abafe3257cc419959314880b4ddb2fc30e32d82e5dfcf9d327fa8c1d4d3913da.exe
        "C:\Users\Admin\AppData\Local\Temp\abafe3257cc419959314880b4ddb2fc30e32d82e5dfcf9d327fa8c1d4d3913da.exe"
        2⤵
        • Checks computer location settings
        • Drops file in System32 directory
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:5112
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /c timeout /t 1 & del /Q /F "C:\Users\Admin\AppData\Local\Temp\abafe3257cc419959314880b4ddb2fc30e32d82e5dfcf9d327fa8c1d4d3913da.exe"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:2468
          • C:\Windows\SysWOW64\timeout.exe
            timeout /t 1
            4⤵
            • Delays execution with timeout.exe
            PID:4312
    • C:\Windows\Syswow64\68235dd8
      C:\Windows\Syswow64\68235dd8
      1⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • Drops file in Windows directory
      • Modifies data under HKEY_USERS
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4764
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c timeout /t 1 & del /Q /F "C:\Windows\Syswow64\68235dd8"
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:5004
        • C:\Windows\SysWOW64\timeout.exe
          timeout /t 1
          3⤵
          • Delays execution with timeout.exe
          PID:5076

    Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Local\Temp\83424323.tmp
            Filesize

            11.6MB

            MD5

            5244c87dbafa1f764b258766005dea73

            SHA1

            84cb8b4fb3e0910cfecfb31b6fa54c16d940e703

            SHA256

            077035f93ddc3ac5a8b5631d43826baf7722256eb1c4716b3c2567f07379bc40

            SHA512

            54d64d32e73e2752cdf9a110db17ad64574eb072df0ed0dc34a7e4bc469c03aa79ef7d45465e279ef85d5fc6b33a1b750b181476cdea7ea98898ddba9aa60438

            Download Submit

          • C:\Windows\Help\dialer.exe
            Filesize

            39KB

            MD5

            b2626bdcf079c6516fc016ac5646df93

            SHA1

            838268205bd97d62a31094d53643c356ea7848a6

            SHA256

            e3ac5e6196f3a98c1946d85c653866c318bb2a86dd865deffa7b52f665d699bb

            SHA512

            615cfe1f91b895513c687906bf3439ca352afcadd3b73f950af0a3b5fb1b358168a7a25a6796407b212fde5f803dd880bcdc350d8bac7e7594090d37ce259971

            Download Submit

          • C:\Windows\Help\dialer.exe
            Filesize

            39KB

            MD5

            b2626bdcf079c6516fc016ac5646df93

            SHA1

            838268205bd97d62a31094d53643c356ea7848a6

            SHA256

            e3ac5e6196f3a98c1946d85c653866c318bb2a86dd865deffa7b52f665d699bb

            SHA512

            615cfe1f91b895513c687906bf3439ca352afcadd3b73f950af0a3b5fb1b358168a7a25a6796407b212fde5f803dd880bcdc350d8bac7e7594090d37ce259971

            Download Submit

          • C:\Windows\SysWOW64\68235dd8
            Filesize

            271KB

            MD5

            a6e120e96e52b2c9b57eaebc3ecd3238

            SHA1

            a4e7b0ce655546bdf7085799a9d90fdccab234f0

            SHA256

            fb7dd68a1fd91994adaf7955fcde17f5ab5c955ee0d8b96e6018edcc1c817563

            SHA512

            2871af39de4a0c54923e7349fa4b0d1604553f5544620e6b35c5866a414392b3654698f381b77d282927ba72ffe57310defb986d1a247e2a4a8d4f42b5cc8d3d

            Download Submit

          • C:\Windows\SysWOW64\68235dd8
            Filesize

            271KB

            MD5

            a6e120e96e52b2c9b57eaebc3ecd3238

            SHA1

            a4e7b0ce655546bdf7085799a9d90fdccab234f0

            SHA256

            fb7dd68a1fd91994adaf7955fcde17f5ab5c955ee0d8b96e6018edcc1c817563

            SHA512

            2871af39de4a0c54923e7349fa4b0d1604553f5544620e6b35c5866a414392b3654698f381b77d282927ba72ffe57310defb986d1a247e2a4a8d4f42b5cc8d3d

            Download Submit

          • memory/596-29-0x000002A7B6E80000-0x000002A7B6E81000-memory.dmp

            Filesize

            4KB

            Download

          • memory/596-27-0x000002A7B6E00000-0x000002A7B6E03000-memory.dmp

            Filesize

            12KB

            Download

          • memory/596-31-0x000002A7B6E10000-0x000002A7B6E38000-memory.dmp

            Filesize

            160KB

            Download

          • memory/596-71-0x000002A7B6E80000-0x000002A7B6E81000-memory.dmp

            Filesize

            4KB

            Download

          • memory/3228-15-0x0000000000AF0000-0x0000000000AF1000-memory.dmp

            Filesize

            4KB

            Download

          • memory/3228-16-0x00000000081C0000-0x00000000082B9000-memory.dmp

            Filesize

            996KB

            Download

          • memory/3228-12-0x0000000000AC0000-0x0000000000AC3000-memory.dmp

            Filesize

            12KB

            Download

          • memory/3228-66-0x0000000000AF0000-0x0000000000AF1000-memory.dmp

            Filesize

            4KB

            Download

          • memory/3228-13-0x0000000000AC0000-0x0000000000AC3000-memory.dmp

            Filesize

            12KB

            Download

          • memory/3228-10-0x0000000000AC0000-0x0000000000AC3000-memory.dmp

            Filesize

            12KB

            Download

          • memory/3740-65-0x00007FFA6C1F0000-0x00007FFA6C200000-memory.dmp

            Filesize

            64KB

            Download

          • memory/3740-73-0x0000023D1AAD0000-0x0000023D1AAD1000-memory.dmp

            Filesize

            4KB

            Download

          • memory/3740-24-0x00007FFA6C1F0000-0x00007FFA6C200000-memory.dmp

            Filesize

            64KB

            Download

          • memory/3740-92-0x0000023D1B8E0000-0x0000023D1BAA5000-memory.dmp

            Filesize

            1.8MB

            Download

          • memory/3740-91-0x0000023D1AAE0000-0x0000023D1AAE1000-memory.dmp

            Filesize

            4KB

            Download

          • memory/3740-83-0x0000023D1AAC0000-0x0000023D1AAC2000-memory.dmp

            Filesize

            8KB

            Download

          • memory/3740-25-0x0000023D19040000-0x0000023D19041000-memory.dmp

            Filesize

            4KB

            Download

          • memory/3740-67-0x0000023D1AAB0000-0x0000023D1AAB2000-memory.dmp

            Filesize

            8KB

            Download

          • memory/3740-82-0x0000023D1B8E0000-0x0000023D1BAA5000-memory.dmp

            Filesize

            1.8MB

            Download

          • memory/3740-69-0x0000023D1A850000-0x0000023D1A91B000-memory.dmp

            Filesize

            812KB

            Download

          • memory/3740-70-0x0000023D19040000-0x0000023D19041000-memory.dmp

            Filesize

            4KB

            Download

          • memory/3740-23-0x0000023D1A850000-0x0000023D1A91B000-memory.dmp

            Filesize

            812KB

            Download

          • memory/3740-72-0x0000023D1AAC0000-0x0000023D1AAC1000-memory.dmp

            Filesize

            4KB

            Download

          • memory/3740-20-0x0000023D18D40000-0x0000023D18D43000-memory.dmp

            Filesize

            12KB

            Download

          • memory/3740-74-0x0000023D1AAC0000-0x0000023D1AAC1000-memory.dmp

            Filesize

            4KB

            Download

          • memory/3740-75-0x0000023D1AAD0000-0x0000023D1AAD1000-memory.dmp

            Filesize

            4KB

            Download

          • memory/3740-76-0x0000023D1B8E0000-0x0000023D1BAA5000-memory.dmp

            Filesize

            1.8MB

            Download

          • memory/3740-78-0x0000023D1AAC0000-0x0000023D1AAC2000-memory.dmp

            Filesize

            8KB

            Download

          • memory/3740-77-0x0000023D1AAC0000-0x0000023D1AAC1000-memory.dmp

            Filesize

            4KB

            Download

          • memory/3740-79-0x0000023D1AAC0000-0x0000023D1AAC1000-memory.dmp

            Filesize

            4KB

            Download

          • memory/3740-80-0x0000023D1AAD0000-0x0000023D1AAD1000-memory.dmp

            Filesize

            4KB

            Download

          • memory/4764-68-0x00000000002E0000-0x0000000000369000-memory.dmp

            Filesize

            548KB

            Download

          • memory/4764-4-0x00000000002E0000-0x0000000000369000-memory.dmp

            Filesize

            548KB

            Download

          • memory/4764-39-0x00000000002E0000-0x0000000000369000-memory.dmp

            Filesize

            548KB

            Download

          • memory/5112-30-0x00000000008B0000-0x0000000000939000-memory.dmp

            Filesize

            548KB

            Download

          • memory/5112-0-0x00000000008B0000-0x0000000000939000-memory.dmp

            Filesize

            548KB

            Download

          • memory/5112-32-0x00000000008B0000-0x0000000000939000-memory.dmp

            Filesize

            548KB

            Download