Overview

overview

7

Static

static

7

045e629fbb...14.exe

windows7-x64

7

045e629fbb...14.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    140s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
  • submitted
    25-12-2023 04:01

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    045e629fbb1a43c1bfdf988d41b5bf14.exe

  • Size

    8KB

  • MD5

    045e629fbb1a43c1bfdf988d41b5bf14

  • SHA1

    ef3508517be2d070d5c3021656185217909b7f64

  • SHA256

    75408e98bf0af7fed03b17a2804f2abffd4387e73ca035df2b9f7525035f8433

  • SHA512

    ca88d692c0948dbdd205d8417506f81c67931cc0b72149447df78521d0820ed4189addbab4f54aca5fe0db28784397fbb3f129b82065b680dfc64f89809de81f

  • SSDEEP

    192:cHF7WRmbIR5ROwg6JQuEFaNJhLkwcud2DH9VwGfctlHO:QvyraaNJawcudoD7UC

Score
7/10
upx

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • UPX packed file 2 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\045e629fbb1a43c1bfdf988d41b5bf14.exe
    "C:\Users\Admin\AppData\Local\Temp\045e629fbb1a43c1bfdf988d41b5bf14.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:736
    • C:\Users\Admin\AppData\Local\Temp\8BD5.tmp\b2e.exe
      "C:\Users\Admin\AppData\Local\Temp\8BD5.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\8BD5.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\045e629fbb1a43c1bfdf988d41b5bf14.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:1248
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\8F7E.tmp\batchfile.bat" "
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1144
        • C:\Windows\SysWOW64\cmd.exe
          cmd
          4⤵
            PID:3624

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\8BD5.tmp\b2e.exe
      Filesize

      8KB

      MD5

      8139d424b0f39e20cadcc94028ec27c4

      SHA1

      24824dfba68875053b1c5623c7b028fbcd9612cb

      SHA256

      191e63937668e2db8d599140c0b66f2d4dca3a52a4c9d8fc2cbb625a66642cf6

      SHA512

      e167ed97c71449a3c75ca6d4e808d78f9998cd259d3ecb290fef9de46c99a04fc02aac652d105c0ad12705cebc24ffd02ae6cb64eb63dbe6e893fec4f2842506

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\8F7E.tmp\batchfile.bat
      Filesize

      59B

      MD5

      7e006b577f1ac3e6fa3bf0f9696de2ca

      SHA1

      fef244c3ca6fcf78341357b7041a4d10b54dcf4b

      SHA256

      9464cd9a92c1879d5c1cafaf6c601406559c491c0346e4db604c00ad9162713a

      SHA512

      2a53010c3d212a4d7473d8d8fabcd6e658acaaa21e823003d656f7333a280d9c983318ee3155382cef53d8106fdc36ccd2f4d500728fc94328f6059806b24313

      Download Submit

    • memory/736-0-0x0000000000400000-0x000000000040A000-memory.dmp

      Filesize

      40KB

      Download

    • memory/736-11-0x0000000000400000-0x000000000040A000-memory.dmp

      Filesize

      40KB

      Download

    • memory/1248-9-0x0000000000400000-0x0000000000405000-memory.dmp

      Filesize

      20KB

      Download

    • memory/1248-15-0x0000000000400000-0x0000000000405000-memory.dmp

      Filesize

      20KB

      Download