Overview

overview

10

Static

static

3

0f026bef84...44.exe

windows7-x64

10

0f026bef84...44.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    170s
  • max time network
    177s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
  • submitted
    24/12/2023, 19:53

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    0f026bef8497788d59923949f52b9644.exe

  • Size

    476KB

  • MD5

    0f026bef8497788d59923949f52b9644

  • SHA1

    efd6b5748d00612cbdc663a6084ebc0ff0bf6bdf

  • SHA256

    31d6810df2cc38c19f87e3ff65df5c60e3624473c7f120125ad0371a4983aec5

  • SHA512

    f4609e593d8a4b229affb3e28b23277d8c16c4c4f4bc969f8e668fc6a7100422f34408261d30b00cc9a5bebcf4c0585cfe26e7761863bdd43eebed52bfd8d5ea

  • SSDEEP

    12288:1k8HAXwdAnc2i+zinpRUF2oMPze+0gKG3UPPxf:1zgXwd7F+zinj2lM6+0gL

Score
10/10
evasionpersistenceupx

Malware Config

Signatures

  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
    evasion
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 6 IoCs
  • UPX packed file 4 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Adds Run key to start application 2 TTPs 51 IoCs
    persistence
  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Enumerates processes with tasklist 1 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of SetWindowsHookEx 5 IoCs
  • Suspicious use of WriteProcessMemory 45 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0f026bef8497788d59923949f52b9644.exe
    "C:\Users\Admin\AppData\Local\Temp\0f026bef8497788d59923949f52b9644.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2552
    • C:\Users\Admin\ana7e3.exe
      C:\Users\Admin\ana7e3.exe
      2⤵
      • Modifies visiblity of hidden/system files in Explorer
      • Checks computer location settings
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2852
      • C:\Users\Admin\liewue.exe
        "C:\Users\Admin\liewue.exe"
        3⤵
        • Modifies visiblity of hidden/system files in Explorer
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:4504
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c tasklist&&del ana7e3.exe
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4116
        • C:\Windows\SysWOW64\tasklist.exe
          tasklist
          4⤵
          • Enumerates processes with tasklist
          • Suspicious use of AdjustPrivilegeToken
          PID:4608
    • C:\Users\Admin\axlog.exe
      C:\Users\Admin\axlog.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:3712
      • C:\Users\Admin\axlog.exe
        "C:\Users\Admin\axlog.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        PID:1984
    • C:\Users\Admin\dxlog.exe
      C:\Users\Admin\dxlog.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:3828
    • C:\Users\Admin\fxlog.exe
      C:\Users\Admin\fxlog.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4476
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe"
        3⤵
          PID:556
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c tasklist&&del 0f026bef8497788d59923949f52b9644.exe
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:4520
        • C:\Windows\SysWOW64\tasklist.exe
          tasklist
          3⤵
          • Enumerates processes with tasklist
          • Suspicious use of AdjustPrivilegeToken
          PID:388

    Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\ana7e3.exe
            Filesize

            228KB

            MD5

            290efbf2f76c4ef6f2a4b21f68b29888

            SHA1

            3a6454771d5975be4bb806738dca76ca4f8faaca

            SHA256

            e61900f8b18ceb66802b0058a24677f6396df1c0ab8a4ac2281fd47929fbaf24

            SHA512

            c23a40effe75396e7a4d3eea5ffdf0807c076598fda76ea399e320731c56835bee19e3ef4413d7965c17e976cf9a06d0694f4fbfbb4917cb28b0fb3627e5b008

            Download Submit

          • C:\Users\Admin\axlog.exe
            Filesize

            76KB

            MD5

            925c20785e84c26666346a44251104c8

            SHA1

            2dd55917d669a1165284e1344965a7c35c5c552f

            SHA256

            7f8af46b5be6d1240777d240352f20c33e41f41f0334c02643aa7890c5d88f1a

            SHA512

            67b2a7d986793d1d18d63a5697c0a6f018211b3c01b481ff95663fd874ba14c8bc96f3695022d4637e4819ad669eb3d08e3f267c9631af2c4871982a49df958b

            Download Submit

          • C:\Users\Admin\dxlog.exe
            Filesize

            48KB

            MD5

            64babba1f00427096c6142b81e05c9b0

            SHA1

            9afad4f72b5bdd4ef164d02f824c7b2be5d732c6

            SHA256

            5d2419c5555890192f5b966fb24316778d1ce27728aecab0557225945ea2d6c2

            SHA512

            7abf1d9d83066d1c938a040cacb9da852ca0f7660520840b045d761d2781b7ba1263ecad9178d17026c63c26e45cafad59d3f18afc6d349fb51c06936ec785b0

            Download Submit

          • C:\Users\Admin\fxlog.exe
            Filesize

            270KB

            MD5

            790180622412379c23115e59fb7022be

            SHA1

            012b064113171c300519a4f7f10beb15c1c285b2

            SHA256

            f00f2d7ae9eb7ee10636f29acd947da0f1235574c6dcd918e5dc5358287fd613

            SHA512

            039c8da89d65d58ae021ce4532c842fcda357d5b2580b28d124c76d29a67374414dacf574bf209c044e04819d52e6c4521ed24546b4bfb06aead7a3cfc1e99d4

            Download Submit

          • C:\Users\Admin\liewue.exe
            Filesize

            228KB

            MD5

            cc1c1d42811360cf96e9f25a6cf47452

            SHA1

            bc4cfca190095b413114a60e714e3e4399c9a075

            SHA256

            88e8065a53d11eabd07c93972f5db80e8a8aa92e7e12b1bd0bb9bd98a4672207

            SHA512

            b16449b338b1811b979d31050fab5bf982cba27e4052732651a136cc8ba8f91dae00b071522d0a17dadbaeb99b39e97cb7be382ec56294444bfdbe24f2bbfb07

            Download Submit

          • memory/1984-50-0x0000000000400000-0x000000000040E000-memory.dmp

            Filesize

            56KB

            Download

          • memory/1984-54-0x0000000000400000-0x000000000040E000-memory.dmp

            Filesize

            56KB

            Download

          • memory/1984-51-0x0000000000400000-0x000000000040E000-memory.dmp

            Filesize

            56KB

            Download

          • memory/1984-47-0x0000000000400000-0x000000000040E000-memory.dmp

            Filesize

            56KB

            Download

          • memory/4476-76-0x0000000002630000-0x0000000002631000-memory.dmp

            Filesize

            4KB

            Download

          • memory/4476-77-0x0000000000400000-0x0000000000446000-memory.dmp

            Filesize

            280KB

            Download

          • memory/4476-78-0x0000000000400000-0x0000000000446000-memory.dmp

            Filesize

            280KB

            Download

          • memory/4476-79-0x0000000002980000-0x00000000029C6000-memory.dmp

            Filesize

            280KB

            Download

          • memory/4476-80-0x0000000002E50000-0x0000000002E51000-memory.dmp

            Filesize

            4KB

            Download

          • memory/4476-81-0x0000000000400000-0x0000000000446000-memory.dmp

            Filesize

            280KB

            Download

          • memory/4476-83-0x0000000000400000-0x0000000000446000-memory.dmp

            Filesize

            280KB

            Download

          • memory/4476-84-0x0000000002980000-0x00000000029C6000-memory.dmp

            Filesize

            280KB

            Download