Overview

overview

8

Static

static

7

c6610e62bf...94.exe

windows7-x64

8

c6610e62bf...94.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    151s
  • max time network
    148s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231023-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
  • submitted
    01/11/2023, 21:59

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    c6610e62bf945df372ca7939370140e967a9b40142e287a3581fca6bdc08d394.exe

  • Size

    2.7MB

  • MD5

    146f01cf45bb55604675d90e4d0343f0

  • SHA1

    b795751b3db481886e56a517b3cef465f8056074

  • SHA256

    c6610e62bf945df372ca7939370140e967a9b40142e287a3581fca6bdc08d394

  • SHA512

    16ad090cf62a235ef7b5a796f3b402e726003be13481a654ba0b844bfe24cf736d524654ef93d15b7c333030f8e752c296ef03a6e71eb3ccb1901ab82af934f0

  • SSDEEP

    49152:WjS1c85QZuTtS0rQMYOQ+q8CE1jSn6ri+jStG9KFeMS:97WsM0r1QnAOdG0Fen

Score
8/10
upx

Malware Config

Signatures

  • Drops file in Drivers directory 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • UPX packed file 4 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Unexpected DNS network traffic destination 1 IoCs

    Network traffic to other servers than the configured DNS servers was detected on the DNS port.

  • Drops file in System32 directory 1 IoCs
  • Drops file in Windows directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Modifies Internet Explorer settings 1 TTPs 2 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: LoadsDriver 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 21 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\system32\winlogon.exe
    winlogon.exe
    1⤵
      PID:624
    • C:\Windows\Explorer.EXE
      C:\Windows\Explorer.EXE
      1⤵
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of WriteProcessMemory
      PID:3140
      • C:\Users\Admin\AppData\Local\Temp\c6610e62bf945df372ca7939370140e967a9b40142e287a3581fca6bdc08d394.exe
        "C:\Users\Admin\AppData\Local\Temp\c6610e62bf945df372ca7939370140e967a9b40142e287a3581fca6bdc08d394.exe"
        2⤵
        • Checks computer location settings
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2064
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /c timeout /t 1 & del /Q /F "C:\Users\Admin\AppData\Local\Temp\c6610e62bf945df372ca7939370140e967a9b40142e287a3581fca6bdc08d394.exe"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:1164
          • C:\Windows\SysWOW64\timeout.exe
            timeout /t 1
            4⤵
            • Delays execution with timeout.exe
            PID:1660
      • C:\Windows\Fonts\DWWIN.EXE
        "C:\Windows\Fonts\DWWIN.EXE"
        2⤵
        • Drops file in Drivers directory
        • Executes dropped EXE
        • Drops file in System32 directory
        • Drops file in Windows directory
        • Checks SCSI registry key(s)
        • Modifies Internet Explorer settings
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1220

    Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Windows\Fonts\DWWIN.EXE
            Filesize

            229KB

            MD5

            444cc4d3422a0fdd45c1b78070026c60

            SHA1

            97162ff341fff1ec54b827ec02f8b86fd2d41a97

            SHA256

            4b3f620272e709ce3e01ae5b19ef0300bd476f2da6412637f703bbaded2821f0

            SHA512

            21742d330a6a5763ea41a8fed4d71b98e4a1b4c685675c4cfeb7253033c3a208c23902caf0efdf470a85e0770cb8fac8af0eb6d3a8511445b0570054b42d5553

            Download Submit

          • memory/624-58-0x00000174417E0000-0x00000174417E1000-memory.dmp

            Filesize

            4KB

            Download

          • memory/624-20-0x00000174417B0000-0x00000174417D8000-memory.dmp

            Filesize

            160KB

            Download

          • memory/624-19-0x00000174417E0000-0x00000174417E1000-memory.dmp

            Filesize

            4KB

            Download

          • memory/624-17-0x00000174413F0000-0x00000174413F3000-memory.dmp

            Filesize

            12KB

            Download

          • memory/1220-60-0x0000016B840C0000-0x0000016B840C1000-memory.dmp

            Filesize

            4KB

            Download

          • memory/1220-75-0x0000016B840B0000-0x0000016B840B2000-memory.dmp

            Filesize

            8KB

            Download

          • memory/1220-86-0x0000016B83E90000-0x0000016B83E91000-memory.dmp

            Filesize

            4KB

            Download

          • memory/1220-12-0x0000016B83730000-0x0000016B837FB000-memory.dmp

            Filesize

            812KB

            Download

          • memory/1220-14-0x0000016B83730000-0x0000016B837FB000-memory.dmp

            Filesize

            812KB

            Download

          • memory/1220-15-0x00007FF8282B0000-0x00007FF8282C0000-memory.dmp

            Filesize

            64KB

            Download

          • memory/1220-13-0x0000016B81E20000-0x0000016B81E21000-memory.dmp

            Filesize

            4KB

            Download

          • memory/1220-85-0x0000016B83E90000-0x0000016B83E91000-memory.dmp

            Filesize

            4KB

            Download

          • memory/1220-84-0x0000016B83E90000-0x0000016B83E91000-memory.dmp

            Filesize

            4KB

            Download

          • memory/1220-83-0x0000016B83E90000-0x0000016B83E91000-memory.dmp

            Filesize

            4KB

            Download

          • memory/1220-82-0x0000016B83E90000-0x0000016B83E91000-memory.dmp

            Filesize

            4KB

            Download

          • memory/1220-81-0x0000016B84270000-0x0000016B84271000-memory.dmp

            Filesize

            4KB

            Download

          • memory/1220-80-0x0000016B84270000-0x0000016B84271000-memory.dmp

            Filesize

            4KB

            Download

          • memory/1220-65-0x0000016B840B0000-0x0000016B840B1000-memory.dmp

            Filesize

            4KB

            Download

          • memory/1220-55-0x0000016B81E20000-0x0000016B81E21000-memory.dmp

            Filesize

            4KB

            Download

          • memory/1220-64-0x0000016B84110000-0x0000016B841B0000-memory.dmp

            Filesize

            640KB

            Download

          • memory/1220-57-0x0000016B83730000-0x0000016B837FB000-memory.dmp

            Filesize

            812KB

            Download

          • memory/1220-78-0x0000016B84270000-0x0000016B8427D000-memory.dmp

            Filesize

            52KB

            Download

          • memory/1220-59-0x0000016B840B0000-0x0000016B840B1000-memory.dmp

            Filesize

            4KB

            Download

          • memory/1220-77-0x0000016B84280000-0x0000016B84281000-memory.dmp

            Filesize

            4KB

            Download

          • memory/1220-61-0x0000016B83EA0000-0x0000016B83EA1000-memory.dmp

            Filesize

            4KB

            Download

          • memory/1220-62-0x0000016B840C0000-0x0000016B840CF000-memory.dmp

            Filesize

            60KB

            Download

          • memory/1220-76-0x0000016B841B0000-0x0000016B841B1000-memory.dmp

            Filesize

            4KB

            Download

          • memory/1220-56-0x00007FF8282B0000-0x00007FF8282C0000-memory.dmp

            Filesize

            64KB

            Download

          • memory/1220-79-0x0000016B84270000-0x0000016B84271000-memory.dmp

            Filesize

            4KB

            Download

          • memory/1220-66-0x0000016B840B0000-0x0000016B840B2000-memory.dmp

            Filesize

            8KB

            Download

          • memory/1220-67-0x0000016B840B0000-0x0000016B840B1000-memory.dmp

            Filesize

            4KB

            Download

          • memory/1220-68-0x0000016B840B0000-0x0000016B840B1000-memory.dmp

            Filesize

            4KB

            Download

          • memory/1220-69-0x0000016B84270000-0x0000016B84271000-memory.dmp

            Filesize

            4KB

            Download

          • memory/1220-70-0x0000016B840B0000-0x0000016B840B1000-memory.dmp

            Filesize

            4KB

            Download

          • memory/1220-71-0x0000016B84270000-0x0000016B8427D000-memory.dmp

            Filesize

            52KB

            Download

          • memory/1220-72-0x0000016B84110000-0x0000016B841B0000-memory.dmp

            Filesize

            640KB

            Download

          • memory/1220-74-0x0000016B84270000-0x0000016B84271000-memory.dmp

            Filesize

            4KB

            Download

          • memory/1220-73-0x0000016B84270000-0x0000016B84271000-memory.dmp

            Filesize

            4KB

            Download

          • memory/1220-63-0x0000016B840C0000-0x0000016B840C1000-memory.dmp

            Filesize

            4KB

            Download

          • memory/2064-0-0x00000000009B0000-0x0000000000A1E000-memory.dmp

            Filesize

            440KB

            Download

          • memory/2064-44-0x00000000009B0000-0x0000000000A1E000-memory.dmp

            Filesize

            440KB

            Download

          • memory/2064-25-0x00000000009B0000-0x0000000000A1E000-memory.dmp

            Filesize

            440KB

            Download

          • memory/2064-10-0x00000000009B0000-0x0000000000A1E000-memory.dmp

            Filesize

            440KB

            Download

          • memory/3140-6-0x0000000008020000-0x0000000008117000-memory.dmp

            Filesize

            988KB

            Download

          • memory/3140-1-0x0000000000AB0000-0x0000000000AB3000-memory.dmp

            Filesize

            12KB

            Download

          • memory/3140-45-0x0000000008020000-0x0000000008117000-memory.dmp

            Filesize

            988KB

            Download

          • memory/3140-43-0x0000000000AE0000-0x0000000000AE1000-memory.dmp

            Filesize

            4KB

            Download

          • memory/3140-2-0x0000000000AB0000-0x0000000000AB3000-memory.dmp

            Filesize

            12KB

            Download

          • memory/3140-3-0x0000000000AB0000-0x0000000000AB3000-memory.dmp

            Filesize

            12KB

            Download

          • memory/3140-5-0x0000000000AE0000-0x0000000000AE1000-memory.dmp

            Filesize

            4KB

            Download