Overview

overview

10

Static

static

3

aadb797f55...00.exe

windows7-x64

10

aadb797f55...00.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    149s
  • platform
    windows7_x64
  • resource
    win7-20231020-en
  • resource tags

    arch:x64arch:x86image:win7-20231020-enlocale:en-usos:windows7-x64system
  • submitted
    16/11/2023, 12:03

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    aadb797f5510dd51561246d61a1e5e1a6157590a248c7f4a8aac374ab0ac2d00.exe

  • Size

    2.0MB

  • MD5

    2f3353e9de4535e858254b2f9ebe0e70

  • SHA1

    beb0fe2c7a977abf0f292477466be291fca80a9a

  • SHA256

    aadb797f5510dd51561246d61a1e5e1a6157590a248c7f4a8aac374ab0ac2d00

  • SHA512

    909bb4cd1108fefed5bdf68af29eb0fbc5584f6c9ce7b7a15790af2c24ac2898ab132e7e95b7ba636c131c645e8aee95ef749dc24f7f05c2eb3808ab6c2146d7

  • SSDEEP

    49152:8Us4vWvQznXPwh11sXIAyT9tN93ul/lDxqqqoqqqdT:ls4iKXPs1sByTNT

Score
10/10
upx

Malware Config

Signatures

  • Suspicious use of NtCreateUserProcessOtherParentProcess 2 IoCs
  • Downloads MZ/PE file
  • Drops file in Drivers directory 3 IoCs
  • Deletes itself 1 IoCs
  • Executes dropped EXE 2 IoCs
  • UPX packed file 1 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Unexpected DNS network traffic destination 1 IoCs

    Network traffic to other servers than the configured DNS servers was detected on the DNS port.

  • Drops file in System32 directory 13 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Modifies data under HKEY_USERS 64 IoCs
  • Modifies system certificate store 2 TTPs 6 IoCs
    evasionspywaretrojan
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: LoadsDriver 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 12 IoCs
  • Suspicious use of WriteProcessMemory 30 IoCs

Processes

  • C:\Windows\system32\winlogon.exe
    winlogon.exe
    1⤵
      PID:420
      • C:\ProgramData\autofmt.exe
        "C:\ProgramData\autofmt.exe"
        2⤵
        • Executes dropped EXE
        PID:2688
      • C:\charmap.exe
        "C:\charmap.exe"
        2⤵
        • Drops file in Drivers directory
        • Executes dropped EXE
        • Drops file in System32 directory
        • Drops file in Windows directory
        • Modifies data under HKEY_USERS
        • Modifies system certificate store
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2788
    • C:\Windows\Explorer.EXE
      C:\Windows\Explorer.EXE
      1⤵
      • Suspicious use of NtCreateUserProcessOtherParentProcess
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1304
      • C:\Users\Admin\AppData\Local\Temp\aadb797f5510dd51561246d61a1e5e1a6157590a248c7f4a8aac374ab0ac2d00.exe
        "C:\Users\Admin\AppData\Local\Temp\aadb797f5510dd51561246d61a1e5e1a6157590a248c7f4a8aac374ab0ac2d00.exe"
        2⤵
        • Modifies system certificate store
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2512
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /c timeout /t 1 & del /Q /F "C:\Users\Admin\AppData\Local\Temp\aadb797f5510dd51561246d61a1e5e1a6157590a248c7f4a8aac374ab0ac2d00.exe"
          3⤵
          • Deletes itself
          • Suspicious use of WriteProcessMemory
          PID:692
          • C:\Windows\SysWOW64\timeout.exe
            timeout /t 1
            4⤵
            • Delays execution with timeout.exe
            PID:2880

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\ProgramData\autofmt.exe
      Filesize

      746KB

      MD5

      04fafcaf36632e03b6bfc48275178349

      SHA1

      41191fd8abc13c88aec5a46281d1082a958ed2ff

      SHA256

      c45ee812712c7484d3869811af63d6e78ef885054fe702662104bde5635d8a73

      SHA512

      a251178601db5b53849a7514fc98853720d71e461373e3701289ca9d0c782edf63516bdedc60c17a0d0521db9bfb996a4ffe0d88ddd9ae8c875490bcf47c5f2e

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\Cab52A4.tmp
      Filesize

      61KB

      MD5

      f3441b8572aae8801c04f3060b550443

      SHA1

      4ef0a35436125d6821831ef36c28ffaf196cda15

      SHA256

      6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf

      SHA512

      5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\Tar7219.tmp
      Filesize

      163KB

      MD5

      9441737383d21192400eca82fda910ec

      SHA1

      725e0d606a4fc9ba44aa8ffde65bed15e65367e4

      SHA256

      bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5

      SHA512

      7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\a18c84b5.tmp
      Filesize

      14.1MB

      MD5

      b66fb2f31bbc7538ade44d5f5d57675f

      SHA1

      30c2444dc89cbd6f099d21f00d432ade619ad13d

      SHA256

      3b09106f7813ab3e5b7350d269446298291a2722bdf65f705c749725c11fc2a5

      SHA512

      631307a706880c9fa87dc676169f6130c8150d266823dd7e446a29ea0726b9c81d1944f2cbdb3421b81a7770be90231dbc766aaa3d2cec16265c6f8249f47580

      Download Submit

    • C:\charmap.exe
      Filesize

      162KB

      MD5

      b4c2ce57f51b9f62956d256eb68973ed

      SHA1

      c6e1ff5d4720d344da996c128f987ce64354e584

      SHA256

      d584f2cdb5b31af93bb7e7e188a7575eafe18e0a786f36bd1236cac79d9bfaa4

      SHA512

      8bcdcf560c69e4bac0f2c611cbf7c27a347fdb00ceb9a160a117a0abffcc7763e2f7d4b8eecc1bccae3316c4dc69a2df75ddbde3222f63bc7fed5ef8b76f7921

      Download Submit

    • memory/420-42-0x0000000000870000-0x0000000000898000-memory.dmp

      Filesize

      160KB

      Download

    • memory/420-43-0x0000000000870000-0x0000000000898000-memory.dmp

      Filesize

      160KB

      Download

    • memory/1304-86-0x0000000006BE0000-0x0000000006CD7000-memory.dmp

      Filesize

      988KB

      Download

    • memory/1304-20-0x0000000006BE0000-0x0000000006CD7000-memory.dmp

      Filesize

      988KB

      Download

    • memory/1304-16-0x0000000002A70000-0x0000000002A73000-memory.dmp

      Filesize

      12KB

      Download

    • memory/1304-121-0x0000000005310000-0x00000000054D5000-memory.dmp

      Filesize

      1.8MB

      Download

    • memory/1304-116-0x0000000002A80000-0x0000000002A81000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1304-17-0x0000000002A70000-0x0000000002A73000-memory.dmp

      Filesize

      12KB

      Download

    • memory/1304-18-0x0000000002A70000-0x0000000002A73000-memory.dmp

      Filesize

      12KB

      Download

    • memory/1304-69-0x0000000006BE0000-0x0000000006CD7000-memory.dmp

      Filesize

      988KB

      Download

    • memory/1304-19-0x0000000006BE0000-0x0000000006CD7000-memory.dmp

      Filesize

      988KB

      Download

    • memory/2788-97-0x0000000001FE0000-0x0000000001FE1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2788-103-0x0000000001FE0000-0x0000000001FE1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2788-39-0x0000000001CD0000-0x0000000001D9B000-memory.dmp

      Filesize

      812KB

      Download

    • memory/2788-37-0x0000000001CD0000-0x0000000001D9B000-memory.dmp

      Filesize

      812KB

      Download

    • memory/2788-36-0x0000000001CD0000-0x0000000001D9B000-memory.dmp

      Filesize

      812KB

      Download

    • memory/2788-87-0x0000000001CD0000-0x0000000001D9B000-memory.dmp

      Filesize

      812KB

      Download

    • memory/2788-94-0x0000000037510000-0x0000000037520000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2788-96-0x0000000001FE0000-0x0000000001FE1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2788-28-0x00000000001B0000-0x00000000001B1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2788-98-0x0000000001FE0000-0x0000000001FE1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2788-99-0x0000000001FE0000-0x0000000001FE1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2788-100-0x0000000001FE0000-0x0000000001FE1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2788-101-0x0000000001FE0000-0x0000000001FE1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2788-38-0x000007FEBD7E0000-0x000007FEBD7F0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2788-102-0x0000000001FE0000-0x0000000001FE1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2788-104-0x0000000001FE0000-0x0000000001FE1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2788-108-0x0000000004F90000-0x00000000050B3000-memory.dmp

      Filesize

      1.1MB

      Download

    • memory/2788-109-0x0000000001FD0000-0x0000000001FD1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2788-110-0x0000000005310000-0x00000000054D5000-memory.dmp

      Filesize

      1.8MB

      Download

    • memory/2788-111-0x0000000005310000-0x00000000054D5000-memory.dmp

      Filesize

      1.8MB

      Download

    • memory/2788-112-0x0000000001FE0000-0x0000000001FE1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2788-34-0x00000000001E0000-0x00000000001E3000-memory.dmp

      Filesize

      12KB

      Download

    • memory/2788-120-0x0000000004F90000-0x00000000050B3000-memory.dmp

      Filesize

      1.1MB

      Download

    • memory/2788-26-0x0000000000060000-0x0000000000123000-memory.dmp

      Filesize

      780KB

      Download

    • memory/2788-31-0x00000000001E0000-0x00000000001E3000-memory.dmp

      Filesize

      12KB

      Download

    • memory/2788-131-0x0000000005310000-0x00000000054D5000-memory.dmp

      Filesize

      1.8MB

      Download