Overview

overview

7

Static

static

7

12ca441214...28.exe

windows7-x64

7

12ca441214...28.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    149s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
  • submitted
    24/12/2023, 21:21

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    12ca441214f271cf409e0582b2809b28.exe

  • Size

    348KB

  • MD5

    12ca441214f271cf409e0582b2809b28

  • SHA1

    2df857169e72b58e84e89642fd596b564cb07d27

  • SHA256

    c26a9d19846f75bf43a6880c605f8b68b08bf25339ef0bb1d00c8bcce88d1546

  • SHA512

    996b668463bffc7ee7858e99780ba70ddb027831afaf5d65f20512bde707f3a14b8420f9b2dedb2674f27de6a1ac078f4ccbb151c30f79eff734df61f55fc80f

  • SSDEEP

    6144:ElZ/zUMu4pDSxsCMRzf7x3SfS1JAzXBtL76lLI2Wl7IdhMCwyF59:EHLUMuiv9RgfSjAzRty4lsdzdF59

Score
7/10
upx

Malware Config

Signatures

  • Executes dropped EXE 2 IoCs
  • UPX packed file 2 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • AutoIT Executable 1 IoCs

    AutoIT scripts compiled to PE executables.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\12ca441214f271cf409e0582b2809b28.exe
    "C:\Users\Admin\AppData\Local\Temp\12ca441214f271cf409e0582b2809b28.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4996
    • C:\Users\Admin\AppData\Local\Temp\server.exe
      C:\Users\Admin\AppData\Local\Temp/server.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:3448
      • C:\Users\Admin\AppData\Local\Temp\server.exe
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:1632
  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:3520

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\server.exe
      Filesize

      78KB

      MD5

      b9ed7bf5e568ffbf2fa11fb92970bb97

      SHA1

      5c60880db01c7ea10b9b2b0566b8b754ec9c9378

      SHA256

      bc4cb4a63d774a141bede552579db236bd06234092016d86a5e421c713b58d58

      SHA512

      0785d0a24c11c4d7252f9ea55d3ec57221dd91aadaeff89a6d478c01f7f14e918aa0f14feae38c93bb60096e0353995ed9d0dcc7427eb328f3b09f9f1cc78012

      Download Submit

    • memory/1632-16-0x0000000000400000-0x0000000000409000-memory.dmp

      Filesize

      36KB

      Download

    • memory/1632-15-0x0000000000400000-0x0000000000409000-memory.dmp

      Filesize

      36KB

      Download

    • memory/1632-12-0x0000000000400000-0x0000000000409000-memory.dmp

      Filesize

      36KB

      Download

    • memory/1632-18-0x0000000010000000-0x0000000010012000-memory.dmp

      Filesize

      72KB

      Download

    • memory/1632-22-0x0000000000400000-0x0000000000409000-memory.dmp

      Filesize

      36KB

      Download

    • memory/3520-19-0x000000007FFD0000-0x000000007FFD1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3520-17-0x000000007FFF0000-0x000000007FFF7000-memory.dmp

      Filesize

      28KB

      Download

    • memory/4996-0-0x0000000000400000-0x00000000004B8000-memory.dmp

      Filesize

      736KB

      Download

    • memory/4996-9-0x0000000000400000-0x00000000004B8000-memory.dmp

      Filesize

      736KB

      Download