Overview

overview

10

Static

static

7

4818636521...16.exe

windows7-x64

10

4818636521...16.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    133s
  • platform
    windows7_x64
  • resource
    win7-20231023-en
  • resource tags

    arch:x64arch:x86image:win7-20231023-enlocale:en-usos:windows7-x64system
  • submitted
    13/11/2023, 08:09

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    48186365216fc65399a1993865d03b35671ee612f53a7e2344b8f4438cb4ab16.exe

  • Size

    223KB

  • MD5

    9d03ac6f029b8a34a32bd7b4a20d0afa

  • SHA1

    91320d21500789f2134cb65c1b63907503fbcae8

  • SHA256

    48186365216fc65399a1993865d03b35671ee612f53a7e2344b8f4438cb4ab16

  • SHA512

    dfec2c018dfd8e0ea3924367b7c716afac6512686d1bf29e8353560048a246678913dbe173ad9e49d3143114b85d27538f4e3d872b84cb2cb335d5cbd6f14123

  • SSDEEP

    6144:ewPSUONLNsuWA7koN+boRhZ2VUUaSaE0A6Xvd2:eOuW5o/oVU1r5w

Score
10/10
upx

Malware Config

Signatures

  • Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
  • Downloads MZ/PE file
  • Drops file in Drivers directory 1 IoCs
  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • UPX packed file 4 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Unexpected DNS network traffic destination 1 IoCs

    Network traffic to other servers than the configured DNS servers was detected on the DNS port.

  • Drops file in System32 directory 11 IoCs
  • Drops file in Windows directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Modifies data under HKEY_USERS 64 IoCs
  • Modifies system certificate store 2 TTPs 7 IoCs
    evasionspywaretrojan
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: LoadsDriver 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 10 IoCs
  • Suspicious use of WriteProcessMemory 26 IoCs

Processes

  • C:\Windows\system32\winlogon.exe
    winlogon.exe
    1⤵
      PID:424
      • C:\Windows\vssadmin.exe
        "C:\Windows\vssadmin.exe"
        2⤵
        • Drops file in Drivers directory
        • Executes dropped EXE
        • Drops file in System32 directory
        • Drops file in Windows directory
        • Modifies data under HKEY_USERS
        • Modifies system certificate store
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2184
    • C:\Windows\Explorer.EXE
      C:\Windows\Explorer.EXE
      1⤵
      • Suspicious use of NtCreateUserProcessOtherParentProcess
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1328
      • C:\Users\Admin\AppData\Local\Temp\48186365216fc65399a1993865d03b35671ee612f53a7e2344b8f4438cb4ab16.exe
        "C:\Users\Admin\AppData\Local\Temp\48186365216fc65399a1993865d03b35671ee612f53a7e2344b8f4438cb4ab16.exe"
        2⤵
        • Modifies system certificate store
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2116
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /c timeout /t 1 & del /Q /F "C:\Users\Admin\AppData\Local\Temp\48186365216fc65399a1993865d03b35671ee612f53a7e2344b8f4438cb4ab16.exe"
          3⤵
          • Deletes itself
          • Suspicious use of WriteProcessMemory
          PID:2912
          • C:\Windows\SysWOW64\timeout.exe
            timeout /t 1
            4⤵
            • Delays execution with timeout.exe
            PID:1240

    Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Local\Temp\CabAE99.tmp
            Filesize

            61KB

            MD5

            f3441b8572aae8801c04f3060b550443

            SHA1

            4ef0a35436125d6821831ef36c28ffaf196cda15

            SHA256

            6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf

            SHA512

            5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\TarC94D.tmp
            Filesize

            163KB

            MD5

            9441737383d21192400eca82fda910ec

            SHA1

            725e0d606a4fc9ba44aa8ffde65bed15e65367e4

            SHA256

            bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5

            SHA512

            7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\a18dc096.tmp
            Filesize

            14.1MB

            MD5

            a7ef23896bd75e4cf69595d10cac31ac

            SHA1

            6882cc47f35317decd34213a550473c6aa83a908

            SHA256

            3148f6ce8f8cd6246cb222715925a6a6066d573e92bf5441a8f191884870810c

            SHA512

            1f8efa9855b5f9b768a2cd445986de7f5c4a2adec31afa5b92530651a8f99fcb43f25eaa2469c5ea7c1e7e04b3a5fd41f61bc1b322d9489ad11494ad4164f08c

            Download Submit

          • C:\Windows\vssadmin.exe
            Filesize

            163KB

            MD5

            e23dd973e1444684eb36365deff1fc74

            SHA1

            09fafeb1b8404124b33c44440be7e3fdb6105f8a

            SHA256

            4de7fa20e3224382d8c4a81017e5bdd4673afbef9c0f017e203d7b78977fbf8c

            SHA512

            c0b805347f0d968f09c80d67d33851aea6dd015411fbbc5cd50f03c2078354184b1cb37564fb69bdf5392f1fb6f16e9f7854f7a4117fdddd8d0a9c25bc8bb652

            Download Submit

          • memory/424-40-0x0000000000890000-0x00000000008B8000-memory.dmp

            Filesize

            160KB

            Download

          • memory/424-39-0x0000000000890000-0x00000000008B8000-memory.dmp

            Filesize

            160KB

            Download

          • memory/424-99-0x0000000000890000-0x00000000008B8000-memory.dmp

            Filesize

            160KB

            Download

          • memory/1328-18-0x0000000002A10000-0x0000000002A13000-memory.dmp

            Filesize

            12KB

            Download

          • memory/1328-21-0x0000000007020000-0x0000000007119000-memory.dmp

            Filesize

            996KB

            Download

          • memory/1328-93-0x0000000007020000-0x0000000007119000-memory.dmp

            Filesize

            996KB

            Download

          • memory/1328-20-0x0000000007020000-0x0000000007119000-memory.dmp

            Filesize

            996KB

            Download

          • memory/1328-17-0x0000000002A10000-0x0000000002A13000-memory.dmp

            Filesize

            12KB

            Download

          • memory/2116-0-0x00000000002F0000-0x000000000035E000-memory.dmp

            Filesize

            440KB

            Download

          • memory/2116-89-0x00000000002F0000-0x000000000035E000-memory.dmp

            Filesize

            440KB

            Download

          • memory/2116-60-0x00000000002F0000-0x000000000035E000-memory.dmp

            Filesize

            440KB

            Download

          • memory/2184-90-0x0000000036FA0000-0x0000000036FB0000-memory.dmp

            Filesize

            64KB

            Download

          • memory/2184-26-0x0000000000130000-0x0000000000131000-memory.dmp

            Filesize

            4KB

            Download

          • memory/2184-36-0x0000000001DB0000-0x0000000001E7B000-memory.dmp

            Filesize

            812KB

            Download

          • memory/2184-34-0x0000000001DB0000-0x0000000001E7B000-memory.dmp

            Filesize

            812KB

            Download

          • memory/2184-92-0x0000000000890000-0x00000000008B8000-memory.dmp

            Filesize

            160KB

            Download

          • memory/2184-24-0x0000000000060000-0x0000000000123000-memory.dmp

            Filesize

            780KB

            Download

          • memory/2184-94-0x0000000000650000-0x000000000065A000-memory.dmp

            Filesize

            40KB

            Download

          • memory/2184-95-0x0000000000650000-0x000000000065A000-memory.dmp

            Filesize

            40KB

            Download

          • memory/2184-96-0x0000000000650000-0x0000000000651000-memory.dmp

            Filesize

            4KB

            Download

          • memory/2184-97-0x0000000001DB0000-0x0000000001E7B000-memory.dmp

            Filesize

            812KB

            Download

          • memory/2184-98-0x0000000000650000-0x0000000000651000-memory.dmp

            Filesize

            4KB

            Download

          • memory/2184-35-0x000007FEBEF80000-0x000007FEBEF90000-memory.dmp

            Filesize

            64KB

            Download

          • memory/2184-100-0x00000000047A0000-0x0000000004965000-memory.dmp

            Filesize

            1.8MB

            Download

          • memory/2184-101-0x00000000047A0000-0x0000000004965000-memory.dmp

            Filesize

            1.8MB

            Download

          • memory/2184-102-0x0000000000660000-0x0000000000661000-memory.dmp

            Filesize

            4KB

            Download

          • memory/2184-103-0x0000000000650000-0x000000000065A000-memory.dmp

            Filesize

            40KB

            Download

          • memory/2184-104-0x0000000000650000-0x000000000065A000-memory.dmp

            Filesize

            40KB

            Download

          • memory/2184-105-0x0000000000650000-0x000000000065A000-memory.dmp

            Filesize

            40KB

            Download

          • memory/2184-107-0x0000000000650000-0x0000000000651000-memory.dmp

            Filesize

            4KB

            Download

          • memory/2184-106-0x0000000000650000-0x000000000065A000-memory.dmp

            Filesize

            40KB

            Download

          • memory/2184-29-0x0000000000160000-0x0000000000163000-memory.dmp

            Filesize

            12KB

            Download

          • memory/2184-113-0x00000000047A0000-0x0000000004965000-memory.dmp

            Filesize

            1.8MB

            Download