Overview

overview

8

Static

static

7

4a63c82c08...38.exe

windows7-x64

8

4a63c82c08...38.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    150s
  • max time network
    132s
  • platform
    windows7_x64
  • resource
    win7-20231020-en
  • resource tags

    arch:x64arch:x86image:win7-20231020-enlocale:en-usos:windows7-x64system
  • submitted
    21/11/2023, 03:01

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    4a63c82c08fe3dab78d0be7192bdfe4c811c188d28fb98323f92dca44045e038.exe

  • Size

    4.4MB

  • MD5

    4459ddf6f1c3484e5f9cdbeda941aa99

  • SHA1

    359b03153d3deb165b1f10ccfdae8fdf82d5e294

  • SHA256

    4a63c82c08fe3dab78d0be7192bdfe4c811c188d28fb98323f92dca44045e038

  • SHA512

    2cfe1b9b58174e3d8603654669a86e0821a3a7868ce479cd357593a07c16bf24ca3921707b3f3521b7bada1cfe97a8b99f2ebb0c693ea4ec52a058a56e3cd29f

  • SSDEEP

    49152:oTGkQk5QZuTtS0rQMYOQ+q8CEjTG4QWTGHQ39KFeM7:oKkrWsM0r1QnIK4LKHw0Feu

Score
8/10
upx

Malware Config

Signatures

  • Drops file in Drivers directory 1 IoCs
  • Manipulates Digital Signatures 1 TTPs 1 IoCs

    Attackers can apply techniques such as changing the registry keys of authenticode & Cryptography to obtain their binary as valid.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 2 IoCs
  • UPX packed file 8 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Unexpected DNS network traffic destination 1 IoCs

    Network traffic to other servers than the configured DNS servers was detected on the DNS port.

  • Drops file in System32 directory 13 IoCs
  • Drops file in Windows directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Delays execution with timeout.exe 2 IoCs
    evasion
  • Modifies Internet Explorer settings 1 TTPs 2 IoCs
    adwarespyware
  • Modifies data under HKEY_USERS 64 IoCs
  • Modifies system certificate store 2 TTPs 6 IoCs
    evasionspywaretrojan
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: LoadsDriver 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 14 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\system32\winlogon.exe
    winlogon.exe
    1⤵
      PID:420
    • C:\Windows\Explorer.EXE
      C:\Windows\Explorer.EXE
      1⤵
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1240
      • C:\Users\Admin\AppData\Local\Temp\4a63c82c08fe3dab78d0be7192bdfe4c811c188d28fb98323f92dca44045e038.exe
        "C:\Users\Admin\AppData\Local\Temp\4a63c82c08fe3dab78d0be7192bdfe4c811c188d28fb98323f92dca44045e038.exe"
        2⤵
        • Drops file in System32 directory
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1736
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /c timeout /t 1 & del /Q /F "C:\Users\Admin\AppData\Local\Temp\4a63c82c08fe3dab78d0be7192bdfe4c811c188d28fb98323f92dca44045e038.exe"
          3⤵
          • Deletes itself
          • Suspicious use of WriteProcessMemory
          PID:1916
          • C:\Windows\SysWOW64\timeout.exe
            timeout /t 1
            4⤵
            • Delays execution with timeout.exe
            PID:688
      • C:\Windows\SndVol.exe
        "C:\Windows\SndVol.exe"
        2⤵
        • Drops file in Drivers directory
        • Manipulates Digital Signatures
        • Executes dropped EXE
        • Drops file in System32 directory
        • Drops file in Windows directory
        • Modifies Internet Explorer settings
        • Modifies system certificate store
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2844
    • C:\Windows\Syswow64\32e74d4d
      C:\Windows\Syswow64\32e74d4d
      1⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • Drops file in Windows directory
      • Modifies data under HKEY_USERS
      • Modifies system certificate store
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2856
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c timeout /t 1 & del /Q /F "C:\Windows\Syswow64\32e74d4d"
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:1788
        • C:\Windows\SysWOW64\timeout.exe
          timeout /t 1
          3⤵
          • Delays execution with timeout.exe
          PID:2532

    Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Local\Temp\Tar9CCD.tmp
            Filesize

            163KB

            MD5

            9441737383d21192400eca82fda910ec

            SHA1

            725e0d606a4fc9ba44aa8ffde65bed15e65367e4

            SHA256

            bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5

            SHA512

            7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf

            Download Submit

          • C:\Windows\SndVol.exe
            Filesize

            267KB

            MD5

            c3489639ec8e181044f6c6bfd3d01ac9

            SHA1

            e057c90b675a6da19596b0ac458c25d7440b7869

            SHA256

            a632ef1a1490d31d76f13997ee56f4f75796bf9e366c76446857e9ae855f4103

            SHA512

            63b96c8afb8c3f5f969459531d3a543f6e8714d5ca1664c6bbb01edd9f5e850856931d7923f363c9dc7d8843deeaad69722d15993641d04e786e02184446c0c9

            Download Submit

          • C:\Windows\SysWOW64\32e74d4d
            Filesize

            4.4MB

            MD5

            9cf87e4a33d5d7485b010512b5728fa4

            SHA1

            193a9e4a0a64bd3b4945fcb1aaba267bd52427d1

            SHA256

            0b7d6fa16f636bef00f7bbabeacb797b688c9ecf9fa7b0a88e455e6e511124e3

            SHA512

            05d93d59570fddbc3d3ca25a0b30216a43baa18c7d7df984f5e14d316b501b18cffef36e0f660c33c3f18be44f283c7952e529b261033430ad2785d8cdb6aa06

            Download Submit

          • C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
            Filesize

            61KB

            MD5

            f3441b8572aae8801c04f3060b550443

            SHA1

            4ef0a35436125d6821831ef36c28ffaf196cda15

            SHA256

            6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf

            SHA512

            5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

            Download Submit

          • C:\Windows\Syswow64\32e74d4d
            Filesize

            4.4MB

            MD5

            9cf87e4a33d5d7485b010512b5728fa4

            SHA1

            193a9e4a0a64bd3b4945fcb1aaba267bd52427d1

            SHA256

            0b7d6fa16f636bef00f7bbabeacb797b688c9ecf9fa7b0a88e455e6e511124e3

            SHA512

            05d93d59570fddbc3d3ca25a0b30216a43baa18c7d7df984f5e14d316b501b18cffef36e0f660c33c3f18be44f283c7952e529b261033430ad2785d8cdb6aa06

            Download Submit

          • memory/420-48-0x0000000000900000-0x0000000000928000-memory.dmp

            Filesize

            160KB

            Download

          • memory/1240-144-0x0000000002A10000-0x0000000002A11000-memory.dmp

            Filesize

            4KB

            Download

          • memory/1240-140-0x0000000002A10000-0x0000000002A11000-memory.dmp

            Filesize

            4KB

            Download

          • memory/1240-156-0x0000000002A10000-0x0000000002A11000-memory.dmp

            Filesize

            4KB

            Download

          • memory/1240-26-0x0000000006520000-0x0000000006617000-memory.dmp

            Filesize

            988KB

            Download

          • memory/1240-154-0x0000000002A10000-0x0000000002A11000-memory.dmp

            Filesize

            4KB

            Download

          • memory/1240-152-0x0000000002A10000-0x0000000002A11000-memory.dmp

            Filesize

            4KB

            Download

          • memory/1240-150-0x0000000002A10000-0x0000000002A11000-memory.dmp

            Filesize

            4KB

            Download

          • memory/1240-148-0x0000000002A10000-0x0000000002A11000-memory.dmp

            Filesize

            4KB

            Download

          • memory/1240-146-0x0000000002A10000-0x0000000002A11000-memory.dmp

            Filesize

            4KB

            Download

          • memory/1240-25-0x0000000006520000-0x0000000006617000-memory.dmp

            Filesize

            988KB

            Download

          • memory/1240-120-0x0000000002A10000-0x0000000002A11000-memory.dmp

            Filesize

            4KB

            Download

          • memory/1240-142-0x0000000002A10000-0x0000000002A11000-memory.dmp

            Filesize

            4KB

            Download

          • memory/1240-23-0x00000000029E0000-0x00000000029E3000-memory.dmp

            Filesize

            12KB

            Download

          • memory/1240-158-0x0000000002A10000-0x0000000002A11000-memory.dmp

            Filesize

            4KB

            Download

          • memory/1240-21-0x00000000029E0000-0x00000000029E3000-memory.dmp

            Filesize

            12KB

            Download

          • memory/1240-161-0x0000000002A10000-0x0000000002A11000-memory.dmp

            Filesize

            4KB

            Download

          • memory/1240-97-0x0000000006520000-0x0000000006617000-memory.dmp

            Filesize

            988KB

            Download

          • memory/1240-138-0x0000000002A10000-0x0000000002A11000-memory.dmp

            Filesize

            4KB

            Download

          • memory/1240-136-0x0000000002A10000-0x0000000002A11000-memory.dmp

            Filesize

            4KB

            Download

          • memory/1240-134-0x0000000002A10000-0x0000000002A11000-memory.dmp

            Filesize

            4KB

            Download

          • memory/1240-132-0x0000000002A10000-0x0000000002A11000-memory.dmp

            Filesize

            4KB

            Download

          • memory/1240-130-0x0000000002A10000-0x0000000002A11000-memory.dmp

            Filesize

            4KB

            Download

          • memory/1240-128-0x0000000002A10000-0x0000000002A11000-memory.dmp

            Filesize

            4KB

            Download

          • memory/1240-126-0x0000000002A10000-0x0000000002A11000-memory.dmp

            Filesize

            4KB

            Download

          • memory/1240-124-0x0000000002A10000-0x0000000002A11000-memory.dmp

            Filesize

            4KB

            Download

          • memory/1240-122-0x0000000002A10000-0x0000000002A11000-memory.dmp

            Filesize

            4KB

            Download

          • memory/1736-49-0x0000000000AD0000-0x0000000000B59000-memory.dmp

            Filesize

            548KB

            Download

          • memory/1736-47-0x0000000000AD0000-0x0000000000B59000-memory.dmp

            Filesize

            548KB

            Download

          • memory/1736-0-0x0000000000AD0000-0x0000000000B59000-memory.dmp

            Filesize

            548KB

            Download

          • memory/2844-44-0x000007FEBDE40000-0x000007FEBDE50000-memory.dmp

            Filesize

            64KB

            Download

          • memory/2844-116-0x00000000005F0000-0x00000000005F1000-memory.dmp

            Filesize

            4KB

            Download

          • memory/2844-113-0x0000000003A80000-0x0000000003B20000-memory.dmp

            Filesize

            640KB

            Download

          • memory/2844-112-0x00000000005F0000-0x00000000005F1000-memory.dmp

            Filesize

            4KB

            Download

          • memory/2844-111-0x0000000001EC0000-0x0000000001F8B000-memory.dmp

            Filesize

            812KB

            Download

          • memory/2844-110-0x00000000005F0000-0x00000000005F1000-memory.dmp

            Filesize

            4KB

            Download

          • memory/2844-109-0x0000000000900000-0x0000000000928000-memory.dmp

            Filesize

            160KB

            Download

          • memory/2844-107-0x0000000037A40000-0x0000000037A50000-memory.dmp

            Filesize

            64KB

            Download

          • memory/2844-248-0x0000000003A80000-0x0000000003B20000-memory.dmp

            Filesize

            640KB

            Download

          • memory/2844-247-0x00000000005F0000-0x00000000005F1000-memory.dmp

            Filesize

            4KB

            Download

          • memory/2844-115-0x0000000000610000-0x000000000061F000-memory.dmp

            Filesize

            60KB

            Download

          • memory/2844-114-0x0000000003A80000-0x0000000003B20000-memory.dmp

            Filesize

            640KB

            Download

          • memory/2844-42-0x0000000001EC0000-0x0000000001F8B000-memory.dmp

            Filesize

            812KB

            Download

          • memory/2844-118-0x00000000005F0000-0x00000000005F5000-memory.dmp

            Filesize

            20KB

            Download

          • memory/2844-40-0x00000000001E0000-0x00000000001E3000-memory.dmp

            Filesize

            12KB

            Download

          • memory/2844-36-0x00000000001E0000-0x00000000001E3000-memory.dmp

            Filesize

            12KB

            Download

          • memory/2844-31-0x0000000000060000-0x0000000000061000-memory.dmp

            Filesize

            4KB

            Download

          • memory/2844-29-0x0000000000100000-0x00000000001C3000-memory.dmp

            Filesize

            780KB

            Download

          • memory/2856-3-0x0000000000D40000-0x0000000000DC9000-memory.dmp

            Filesize

            548KB

            Download

          • memory/2856-60-0x0000000000D40000-0x0000000000DC9000-memory.dmp

            Filesize

            548KB

            Download

          • memory/2856-80-0x0000000000D40000-0x0000000000DC9000-memory.dmp

            Filesize

            548KB

            Download