Overview

overview

10

Static

static

7

46975109aa...02.exe

windows7-x64

10

46975109aa...02.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    134s
  • platform
    windows7_x64
  • resource
    win7-20231020-en
  • resource tags

    arch:x64arch:x86image:win7-20231020-enlocale:en-usos:windows7-x64system
  • submitted
    12/11/2023, 08:49

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    46975109aa4c05a5301ca4bcd1ae26c743caa723a772863c57bdcf721a100d02.exe

  • Size

    2.4MB

  • MD5

    e5eef0e0c5daf17bee42a5fbf42c01cd

  • SHA1

    0f73635c6075af79214ea8256fecbe46efe567f5

  • SHA256

    46975109aa4c05a5301ca4bcd1ae26c743caa723a772863c57bdcf721a100d02

  • SHA512

    6b888802e97fa46562d059973415cf33c4404e9415ed7eb4d3140cd73d57b99b0b7b8dc32e3ddb62804852a415b53d5babadd1ced07f94de0826bfb260ac1911

  • SSDEEP

    24576:bjSokU1rigjSow13JbKkKF/eMNPj7F5vvFvXn:bjSn6rigjSt59KFeMJF5vvFvXn

Score
10/10
upx

Malware Config

Signatures

  • Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
  • Downloads MZ/PE file
  • Drops file in Drivers directory 1 IoCs
  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • UPX packed file 5 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Unexpected DNS network traffic destination 1 IoCs

    Network traffic to other servers than the configured DNS servers was detected on the DNS port.

  • Drops file in System32 directory 11 IoCs
  • Drops file in Windows directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Modifies data under HKEY_USERS 64 IoCs
  • Modifies system certificate store 2 TTPs 7 IoCs
    evasionspywaretrojan
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: LoadsDriver 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 10 IoCs
  • Suspicious use of WriteProcessMemory 26 IoCs

Processes

  • C:\Windows\system32\winlogon.exe
    winlogon.exe
    1⤵
      PID:424
      • C:\Windows\Inf\wevtutil.exe
        "C:\Windows\Inf\wevtutil.exe"
        2⤵
        • Drops file in Drivers directory
        • Executes dropped EXE
        • Drops file in System32 directory
        • Drops file in Windows directory
        • Modifies data under HKEY_USERS
        • Modifies system certificate store
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2804
    • C:\Windows\Explorer.EXE
      C:\Windows\Explorer.EXE
      1⤵
      • Suspicious use of NtCreateUserProcessOtherParentProcess
      • Loads dropped DLL
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1232
      • C:\Users\Admin\AppData\Local\Temp\46975109aa4c05a5301ca4bcd1ae26c743caa723a772863c57bdcf721a100d02.exe
        "C:\Users\Admin\AppData\Local\Temp\46975109aa4c05a5301ca4bcd1ae26c743caa723a772863c57bdcf721a100d02.exe"
        2⤵
        • Modifies system certificate store
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2080
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /c timeout /t 1 & del /Q /F "C:\Users\Admin\AppData\Local\Temp\46975109aa4c05a5301ca4bcd1ae26c743caa723a772863c57bdcf721a100d02.exe"
          3⤵
          • Deletes itself
          • Suspicious use of WriteProcessMemory
          PID:2920
          • C:\Windows\SysWOW64\timeout.exe
            timeout /t 1
            4⤵
            • Delays execution with timeout.exe
            PID:1692

    Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Local\Temp\Cab3FFF.tmp
            Filesize

            61KB

            MD5

            f3441b8572aae8801c04f3060b550443

            SHA1

            4ef0a35436125d6821831ef36c28ffaf196cda15

            SHA256

            6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf

            SHA512

            5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\Tar631B.tmp
            Filesize

            163KB

            MD5

            9441737383d21192400eca82fda910ec

            SHA1

            725e0d606a4fc9ba44aa8ffde65bed15e65367e4

            SHA256

            bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5

            SHA512

            7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\a18167e6.tmp
            Filesize

            14.1MB

            MD5

            a7ef23896bd75e4cf69595d10cac31ac

            SHA1

            6882cc47f35317decd34213a550473c6aa83a908

            SHA256

            3148f6ce8f8cd6246cb222715925a6a6066d573e92bf5441a8f191884870810c

            SHA512

            1f8efa9855b5f9b768a2cd445986de7f5c4a2adec31afa5b92530651a8f99fcb43f25eaa2469c5ea7c1e7e04b3a5fd41f61bc1b322d9489ad11494ad4164f08c

            Download Submit

          • C:\Windows\inf\wevtutil.exe
            Filesize

            267KB

            MD5

            dab04a7a5f67d2da07fc968eec76a5d2

            SHA1

            bdcf4b78b6d6f45edc9d226ce05b7adc3b366248

            SHA256

            0dd7d2a9e56ae356591c1792efb68a90fd76a7787e0b597fcbc4ef1fa514b601

            SHA512

            68d0b9444c1c6672ec76f5e609e97cdbdcffd26bd9fb0105034c49c2c21016f50e590082c5fe564abf5c639dc1b5bc9e5f732ed70d240a3934796492217cd889

            Download Submit

          • \Windows\inf\wevtutil.exe
            Filesize

            267KB

            MD5

            dab04a7a5f67d2da07fc968eec76a5d2

            SHA1

            bdcf4b78b6d6f45edc9d226ce05b7adc3b366248

            SHA256

            0dd7d2a9e56ae356591c1792efb68a90fd76a7787e0b597fcbc4ef1fa514b601

            SHA512

            68d0b9444c1c6672ec76f5e609e97cdbdcffd26bd9fb0105034c49c2c21016f50e590082c5fe564abf5c639dc1b5bc9e5f732ed70d240a3934796492217cd889

            Download Submit

          • memory/424-44-0x0000000000870000-0x0000000000898000-memory.dmp

            Filesize

            160KB

            Download

          • memory/1232-18-0x00000000029E0000-0x00000000029E3000-memory.dmp

            Filesize

            12KB

            Download

          • memory/1232-19-0x00000000029E0000-0x00000000029E3000-memory.dmp

            Filesize

            12KB

            Download

          • memory/1232-97-0x0000000006B00000-0x0000000006BF9000-memory.dmp

            Filesize

            996KB

            Download

          • memory/1232-20-0x0000000006B00000-0x0000000006BF9000-memory.dmp

            Filesize

            996KB

            Download

          • memory/1232-17-0x00000000029E0000-0x00000000029E3000-memory.dmp

            Filesize

            12KB

            Download

          • memory/2080-0-0x0000000000AE0000-0x0000000000B4E000-memory.dmp

            Filesize

            440KB

            Download

          • memory/2080-96-0x0000000000AE0000-0x0000000000B4E000-memory.dmp

            Filesize

            440KB

            Download

          • memory/2080-79-0x0000000000AE0000-0x0000000000B4E000-memory.dmp

            Filesize

            440KB

            Download

          • memory/2080-43-0x0000000000AE0000-0x0000000000B4E000-memory.dmp

            Filesize

            440KB

            Download

          • memory/2804-26-0x0000000000060000-0x0000000000061000-memory.dmp

            Filesize

            4KB

            Download

          • memory/2804-99-0x0000000001E90000-0x0000000001E91000-memory.dmp

            Filesize

            4KB

            Download

          • memory/2804-36-0x0000000001CC0000-0x0000000001D8B000-memory.dmp

            Filesize

            812KB

            Download

          • memory/2804-80-0x0000000036F60000-0x0000000036F70000-memory.dmp

            Filesize

            64KB

            Download

          • memory/2804-82-0x0000000000870000-0x0000000000898000-memory.dmp

            Filesize

            160KB

            Download

          • memory/2804-38-0x000007FEBDC70000-0x000007FEBDC80000-memory.dmp

            Filesize

            64KB

            Download

          • memory/2804-39-0x0000000001CC0000-0x0000000001D8B000-memory.dmp

            Filesize

            812KB

            Download

          • memory/2804-32-0x0000000000090000-0x0000000000093000-memory.dmp

            Filesize

            12KB

            Download

          • memory/2804-98-0x0000000001CC0000-0x0000000001D8B000-memory.dmp

            Filesize

            812KB

            Download

          • memory/2804-40-0x0000000000240000-0x0000000000241000-memory.dmp

            Filesize

            4KB

            Download

          • memory/2804-100-0x0000000001E90000-0x0000000001E91000-memory.dmp

            Filesize

            4KB

            Download

          • memory/2804-101-0x0000000004470000-0x0000000004635000-memory.dmp

            Filesize

            1.8MB

            Download

          • memory/2804-102-0x0000000004470000-0x0000000004635000-memory.dmp

            Filesize

            1.8MB

            Download

          • memory/2804-103-0x0000000001F20000-0x0000000001F21000-memory.dmp

            Filesize

            4KB

            Download

          • memory/2804-104-0x0000000001E90000-0x0000000001E91000-memory.dmp

            Filesize

            4KB

            Download

          • memory/2804-105-0x0000000004470000-0x0000000004635000-memory.dmp

            Filesize

            1.8MB

            Download

          • memory/2804-24-0x0000000000150000-0x0000000000213000-memory.dmp

            Filesize

            780KB

            Download