Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    25-12-2023 05:07

General

  • Target

    06d2ff9a91b1eff161615886259a513d.exe

  • Size

    994KB

  • MD5

    06d2ff9a91b1eff161615886259a513d

  • SHA1

    99725449e7540632e8ccaa9b319c7248bb38b2a1

  • SHA256

    67d21e6f78c0c86ff08395258f5b9f078b00aa04ee394eb26d5bce67f7ba0809

  • SHA512

    5f6c9107e499c15d44c4b9218c8cffdee55ec0e11b0932f08ceb68bcc94f67f073155646f6ad5135ed2c6917f07ada03b772a9aacef75a8fe1b9e9596eb76c54

  • SSDEEP

    12288:raWzgMg7v3qnCiMErQohh0F4CCJ8lnyC8nTfGDMHRH0IkEEJBPo7IAyUEXQZQ:eaHMv6CorjqnyC8T+DMxKEEJ+7IAlEB

Score
10/10

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
  • Drops file in Drivers directory 1 IoCs
  • Drops startup file 2 IoCs
  • UPX packed file 1 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Enumerates connected drives 3 TTPs 23 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • AutoIT Executable 2 IoCs

    AutoIT scripts compiled to PE executables.

  • Drops autorun.inf file 1 TTPs 5 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in Windows directory 7 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\06d2ff9a91b1eff161615886259a513d.exe
    "C:\Users\Admin\AppData\Local\Temp\06d2ff9a91b1eff161615886259a513d.exe"
    1
    • Modifies WinLogon for persistence
    • Drops file in Drivers directory
    • Drops startup file
    • Adds Run key to start application
    • Enumerates connected drives
    • Drops autorun.inf file
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:3856

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\aut4680.tmp

    Filesize

    272KB

    MD5

    6c363adb2d5827b24ac062ff82edf450

    SHA1

    166db4227c62e1650d1bbdb9257bc149458f594a

    SHA256

    fecb25d604983f0d78066328a59c0ef81e99f7f20a16b1c43378a10d4c625f50

    SHA512

    25da9c793447418e200aef2eee8b1b042f372f807850b2f8165224033762716e514beaad888c0c68ca7ab69b09b2e9dc0f0dd32dd78fe6008f586e4b895cfda2

  • C:\Windows\YahooMessenger.exe

    Filesize

    994KB

    MD5

    06d2ff9a91b1eff161615886259a513d

    SHA1

    99725449e7540632e8ccaa9b319c7248bb38b2a1

    SHA256

    67d21e6f78c0c86ff08395258f5b9f078b00aa04ee394eb26d5bce67f7ba0809

    SHA512

    5f6c9107e499c15d44c4b9218c8cffdee55ec0e11b0932f08ceb68bcc94f67f073155646f6ad5135ed2c6917f07ada03b772a9aacef75a8fe1b9e9596eb76c54

  • C:\Windows\autorun.inf

    Filesize

    164B

    MD5

    d2c1073a6dc43f12a42cf9fdf8414066

    SHA1

    23021985503261efb35ab99669ff0236c3183f30

    SHA256

    9355f534eb683599a58416d1a4dd7de423dc871b8629600be22cd0ef42bf8903

    SHA512

    ab27ff76c0588626458eee580485bd64ae6f528964a9dcf9bf322b6a80672d21d6671cd17e634c56a3edc60dbc5265e48975e5a8092d450a5a74886a78c878aa

  • memory/3856-0-0x0000000000400000-0x00000000004C7000-memory.dmp

    Filesize

    796KB