Overview

overview

7

Static

static

7

44211f3bf5...2b.exe

windows7-x64

44211f3bf5...2b.exe

windows10-2004-x64

Analysis

  • max time kernel
    42s
  • max time network
    53s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
  • submitted
    25-12-2023 23:45

Sharing

Copy URL
Twitter E-mail

Errors

Reason
Machine shutdown
Report Analysis Logs

General

  • Target

    44211f3bf584a0b119a39450fa24cf2b.exe

  • Size

    23KB

  • MD5

    44211f3bf584a0b119a39450fa24cf2b

  • SHA1

    605cefb8eb5b39f15bd5350de18e0155961690b0

  • SHA256

    e8fe63b43481c39a8ec58d77ee57c6ff4a9211d942c05b62a66475f8d2fddd7c

  • SHA512

    1213e9036ee39b1f6002883a00969cf39e69a15d09b16c3317bbc5b8466673b24376313fbaa73f08bf3cc51b73851bb6a62315b9985d3603e90de06c2b7713c1

  • SSDEEP

    384:GbCEXMMADQIrUeNFwx9E5xtT6fkCMst8AdxIiv4dK8y8KG8szTO4Am7UnwtzwGKH:C1NAUsbxtT6sFst/3IrdlLUwG8Znbcut

Score
7/10
persistenceupx

Malware Config

Signatures

  • UPX packed file 2 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Enumerates system info in registry 2 TTPs 1 IoCs
  • Modifies data under HKEY_USERS 15 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\44211f3bf584a0b119a39450fa24cf2b.exe
    "C:\Users\Admin\AppData\Local\Temp\44211f3bf584a0b119a39450fa24cf2b.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4056
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DC08.tmp\bla - Kopie.bat""
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4664
      • C:\Windows\SysWOW64\xcopy.exe
        xcopy setup.exe C:\Install\ /I /Y
        3⤵
        • Enumerates system info in registry
        PID:4980
      • C:\Windows\SysWOW64\reg.exe
        REG ADD HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v NOPE /t REG_SZ /d C:\Install\setup.exe /f
        3⤵
        • Adds Run key to start application
        PID:2084
      • C:\Windows\SysWOW64\shutdown.exe
        shutdown -s -f -t 8
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:2732
  • C:\Windows\system32\LogonUI.exe
    "LogonUI.exe" /flags:0x4 /state0:0xa3992055 /state1:0x41c64e6d
    1⤵
    • Modifies data under HKEY_USERS
    • Suspicious use of SetWindowsHookEx
    PID:4100

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\DC08.tmp\bla - Kopie.bat
    Filesize

    909B

    MD5

    116527ecda91d1b6dff211146661e38b

    SHA1

    6d789b8a0f8f3ab770ea62953f002f93dc7bde04

    SHA256

    f6f380baf766b1a9ec89dd1bfc133d21e9bb3879b64c552474ba7fbf0dd470e5

    SHA512

    3d10a3d00c2757e4d6321f4a7e9e787c8ae9d179d11b1056514e40ace6dcb5d4f942977070b5b3e9b88f826218251df88d92175402ce0089e5f24de1f83360ee

    Download Submit

  • memory/4056-0-0x0000000000400000-0x0000000000410000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4056-4-0x0000000000400000-0x0000000000410000-memory.dmp

    Filesize

    64KB

    Download