Overview

overview

7

Static

static

7

1641ed2f17...8f.exe

windows7-x64

7

1641ed2f17...8f.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    150s
  • max time network
    157s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231020-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231020-enlocale:en-usos:windows10-2004-x64system
  • submitted
    21-10-2023 14:49

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    1641ed2f17c1aa821346204520da5596bfc342bb41ef1cf17db5743e4a39488f.exe

  • Size

    3.6MB

  • MD5

    3d7a1a8762588a0aef2b205af50411e8

  • SHA1

    eb4ed1959d3d671b6c125d01b80c8e3cf9bca1a4

  • SHA256

    1641ed2f17c1aa821346204520da5596bfc342bb41ef1cf17db5743e4a39488f

  • SHA512

    fa3be31901ef126433308e2b4b776f7aeeb3ae37b13c404bc8f76f2cdac40667597c0732938ea0e756d93a7ad0876ca788e2dec0b8af7477ad19ea560575de36

  • SSDEEP

    49152:is5SkP2lS1mdM03aT1PwXPwh11sXIAyT9tN93jF:B5SQrWM03o1EPs1sByTDF

Score
7/10
upx

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • UPX packed file 4 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Drops file in System32 directory 5 IoCs
  • Drops file in Windows directory 9 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: LoadsDriver 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 10 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1641ed2f17c1aa821346204520da5596bfc342bb41ef1cf17db5743e4a39488f.exe
    "C:\Users\Admin\AppData\Local\Temp\1641ed2f17c1aa821346204520da5596bfc342bb41ef1cf17db5743e4a39488f.exe"
    1⤵
    • Checks computer location settings
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3928
    • C:\Windows\SysWOW64\CertEnrollCtrl.exe
      "C:\Windows\SysWOW64\CertEnrollCtrl.exe"
      2⤵
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1220
      • C:\Windows\SysWOW64\lodctr.exe
        "C:\Windows\SysWOW64\lodctr.exe"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:532
        • C:\Windows\SysWOW64\sdbinst.exe
          "C:\Windows\SysWOW64\sdbinst.exe"
          4⤵
          • Drops file in System32 directory
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:820
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\1641ED~1.EXE > nul
      2⤵
        PID:4200

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Windows\WindowRedSystem748.log
      Filesize

      7KB

      MD5

      38081bffd5a968666fdf67af0d1bf954

      SHA1

      9a032f6ea65546375217d9d17212bc86c882b901

      SHA256

      2d40acc6069a20a44ac399399f34afa221d6c66a24a33919a98c96631d5ddb03

      SHA512

      df2873b8ff9a8597bf845abc223fad480fd3dac0989577a918a9e7d04d865e3d538a7c4e894113bc634101ca7f156bedc717cd4e221569e832d54b130cad5f48

      Download Submit

    • C:\Windows\WindowSystemNewUpdate03.log
      Filesize

      7KB

      MD5

      75fd2e445a0a6e67a990ec9e3d89725e

      SHA1

      f31c33059a4985326499b9487d7be2b5d9dfbabb

      SHA256

      d2fb8b47ff5de2ae5e8b8413892771dba1a100270e5ef93a987ee6b31e050886

      SHA512

      3917ed7c2a4c15044f0835d43d5e2768f3792720bafb7f48ff1bd98f795e3079b1241e0e8abbd0eb13356d669f50c1cdf0f3e24a2cf5510dceace850ae8473ee

      Download Submit

    • C:\Windows\WindowSystemNewUpdate158.log
      Filesize

      4KB

      MD5

      5da8528b3775077e71f2691e0de569e0

      SHA1

      b4f41e9f87a3af66fe0575e58b0dadd72c00f22e

      SHA256

      da5a8821ba746c469afee86c3fa5062fea42336f92f50ecd387dd2328aff4a87

      SHA512

      3f051621c66af65c37259bc5af003fb68bf7e70db0722f6d6dc42e358780003cc52a4b4a6ef7a8d4a22e75f583bd1b2aef0fa114a35d1c029ef6a95e16ff000e

      Download Submit

    • memory/532-76-0x0000000000C40000-0x0000000000C5F000-memory.dmp

      Filesize

      124KB

      Download

    • memory/532-97-0x0000000000FB0000-0x0000000000FD4000-memory.dmp

      Filesize

      144KB

      Download

    • memory/532-147-0x0000000000FB0000-0x0000000000FD4000-memory.dmp

      Filesize

      144KB

      Download

    • memory/820-282-0x0000000000ED0000-0x0000000000EEB000-memory.dmp

      Filesize

      108KB

      Download

    • memory/820-172-0x0000000010000000-0x00000000105DF000-memory.dmp

      Filesize

      5.9MB

      Download

    • memory/820-169-0x0000000010000000-0x00000000105DF000-memory.dmp

      Filesize

      5.9MB

      Download

    • memory/820-151-0x0000000000ED0000-0x0000000000EEB000-memory.dmp

      Filesize

      108KB

      Download

    • memory/820-149-0x0000000000600000-0x0000000000BEA000-memory.dmp

      Filesize

      5.9MB

      Download

    • memory/820-283-0x0000000010000000-0x00000000105DF000-memory.dmp

      Filesize

      5.9MB

      Download

    • memory/820-284-0x0000000010000000-0x00000000105DF000-memory.dmp

      Filesize

      5.9MB

      Download

    • memory/1220-28-0x0000000010000000-0x00000000100FD000-memory.dmp

      Filesize

      1012KB

      Download

    • memory/1220-22-0x0000000010000000-0x00000000100FD000-memory.dmp

      Filesize

      1012KB

      Download

    • memory/1220-2-0x0000000000600000-0x000000000070D000-memory.dmp

      Filesize

      1.1MB

      Download

    • memory/1220-35-0x0000000010000000-0x00000000100FD000-memory.dmp

      Filesize

      1012KB

      Download

    • memory/1220-37-0x0000000010000000-0x00000000100FD000-memory.dmp

      Filesize

      1012KB

      Download

    • memory/1220-39-0x0000000010000000-0x00000000100FD000-memory.dmp

      Filesize

      1012KB

      Download

    • memory/1220-40-0x0000000010000000-0x00000000100FD000-memory.dmp

      Filesize

      1012KB

      Download

    • memory/1220-41-0x00000000033F0000-0x00000000038C3000-memory.dmp

      Filesize

      4.8MB

      Download

    • memory/1220-48-0x0000000010000000-0x00000000100FD000-memory.dmp

      Filesize

      1012KB

      Download

    • memory/1220-52-0x0000000004420000-0x0000000004536000-memory.dmp

      Filesize

      1.1MB

      Download

    • memory/1220-62-0x0000000004420000-0x0000000004536000-memory.dmp

      Filesize

      1.1MB

      Download

    • memory/1220-61-0x0000000004420000-0x0000000004536000-memory.dmp

      Filesize

      1.1MB

      Download

    • memory/1220-64-0x0000000004420000-0x0000000004536000-memory.dmp

      Filesize

      1.1MB

      Download

    • memory/1220-65-0x0000000010000000-0x00000000100FD000-memory.dmp

      Filesize

      1012KB

      Download

    • memory/1220-68-0x0000000004420000-0x0000000004536000-memory.dmp

      Filesize

      1.1MB

      Download

    • memory/1220-67-0x0000000002CA0000-0x0000000002CD7000-memory.dmp

      Filesize

      220KB

      Download

    • memory/1220-71-0x0000000004420000-0x0000000004536000-memory.dmp

      Filesize

      1.1MB

      Download

    • memory/1220-4-0x0000000000B30000-0x0000000000B4B000-memory.dmp

      Filesize

      108KB

      Download

    • memory/1220-77-0x0000000010000000-0x00000000100FD000-memory.dmp

      Filesize

      1012KB

      Download

    • memory/1220-82-0x0000000002DB0000-0x0000000002E17000-memory.dmp

      Filesize

      412KB

      Download

    • memory/1220-29-0x0000000010000000-0x00000000100FD000-memory.dmp

      Filesize

      1012KB

      Download

    • memory/1220-6-0x0000000000B30000-0x0000000000B4B000-memory.dmp

      Filesize

      108KB

      Download

    • memory/1220-25-0x0000000010000000-0x00000000100FD000-memory.dmp

      Filesize

      1012KB

      Download

    • memory/1220-24-0x0000000010000000-0x00000000100FD000-memory.dmp

      Filesize

      1012KB

      Download

    • memory/1220-167-0x0000000004420000-0x0000000004536000-memory.dmp

      Filesize

      1.1MB

      Download

    • memory/1220-7-0x0000000000B30000-0x0000000000B4B000-memory.dmp

      Filesize

      108KB

      Download

    • memory/1220-19-0x0000000010000000-0x00000000100FD000-memory.dmp

      Filesize

      1012KB

      Download

    • memory/1220-16-0x0000000010000000-0x00000000100FD000-memory.dmp

      Filesize

      1012KB

      Download

    • memory/1220-8-0x0000000010000000-0x00000000100FD000-memory.dmp

      Filesize

      1012KB

      Download

    • memory/3928-33-0x00000000008C0000-0x00000000009FC000-memory.dmp

      Filesize

      1.2MB

      Download

    • memory/3928-0-0x00000000008C0000-0x00000000009FC000-memory.dmp

      Filesize

      1.2MB

      Download

    • memory/3928-30-0x00000000008C0000-0x00000000009FC000-memory.dmp

      Filesize

      1.2MB

      Download

    • memory/3928-34-0x00000000008C0000-0x00000000009FC000-memory.dmp

      Filesize

      1.2MB

      Download