Overview

overview

8

Static

static

3

0dfde1a4c8...ea.exe

windows7-x64

0dfde1a4c8...ea.exe

windows10-2004-x64

Analysis

  • max time kernel
    40s
  • max time network
    44s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
  • submitted
    25-12-2023 07:14

Sharing

Copy URL
Twitter E-mail

Errors

Reason
Machine shutdown
Report Analysis Logs

General

  • Target

    0dfde1a4c8f38abc290a7e4ad757edea.exe

  • Size

    1.6MB

  • MD5

    0dfde1a4c8f38abc290a7e4ad757edea

  • SHA1

    a267435dd6ed2994325bf13f88710e48088b0a31

  • SHA256

    f0062067c120a8f25766476d9155dbfb0a76845a395b24b810bca895b110f735

  • SHA512

    47c479981b786201eaceed43fbb382135c038067eb1495d431ea3ea712f99e2e32dc23cbbfa34b8a47d09b500fc6b817f7d6b4ba01918d2b745a83e353382d07

  • SSDEEP

    49152:YzP7qZDJfRuuDO3AWHGqB8NNOyeDrmQ0w13:YsuIwmvNNE/50w13

Score
8/10
evasionpersistenceupx

Malware Config

Signatures

  • Disables RegEdit via registry modification 1 IoCs
    evasion
  • Disables Task Manager via registry modification
    evasion
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 5 IoCs
  • UPX packed file 26 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Drops file in System32 directory 9 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Kills process with taskkill 28 IoCs
    evasion
  • Modifies Internet Explorer settings 1 TTPs 5 IoCs
    adwarespyware
  • Modifies registry class 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 22 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0dfde1a4c8f38abc290a7e4ad757edea.exe
    "C:\Users\Admin\AppData\Local\Temp\0dfde1a4c8f38abc290a7e4ad757edea.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in System32 directory
    • Modifies Internet Explorer settings
    • Suspicious use of WriteProcessMemory
    PID:2092
    • C:\Users\Admin\AppData\Local\Temp\°×½ð°æ.exe
      C:\Users\Admin\AppData\Local\Temp\°×½ð°æ.exe
      2⤵
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • Drops file in System32 directory
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1736
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /f /im kavsvc.exe
        3⤵
        • Kills process with taskkill
        PID:2996
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /f /im KVXP.kxp
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2800
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /f /im Rav.exe
        3⤵
        • Kills process with taskkill
        PID:2920
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /f /im Ravmon.exe
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:3012
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /f /im Mcshield.exe
        3⤵
        • Kills process with taskkill
        PID:3020
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /f /im VsTskMgr.exe
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:3036
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /f /im 360tray.exe
        3⤵
        • Kills process with taskkill
        PID:3016
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /f /im kavsvc.exe
        3⤵
        • Kills process with taskkill
        PID:2748
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /f /im KVXP.kxp
        3⤵
        • Kills process with taskkill
        PID:3060
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /f /im Rav.exe
        3⤵
        • Kills process with taskkill
        PID:2876
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /f /im VsTskMgr.exe
        3⤵
        • Kills process with taskkill
        PID:2596
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /f /im Mcshield.exe
        3⤵
        • Kills process with taskkill
        PID:1524
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /f /im Ravmon.exe
        3⤵
        • Kills process with taskkill
        PID:2884
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /f /im 360tray.exe
        3⤵
        • Kills process with taskkill
        PID:2532
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /f /im kavsvc.exe
        3⤵
        • Kills process with taskkill
        PID:2756
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /f /im KVXP.kxp
        3⤵
        • Kills process with taskkill
        PID:2804
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /f /im Rav.exe
        3⤵
        • Kills process with taskkill
        PID:2820
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /f /im Ravmon.exe
        3⤵
        • Kills process with taskkill
        PID:2816
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /f /im Mcshield.exe
        3⤵
        • Kills process with taskkill
        PID:2808
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /f /im VsTskMgr.exe
        3⤵
        • Kills process with taskkill
        PID:2888
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /f /im 360tray.exe
        3⤵
        • Kills process with taskkill
        PID:1732
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c C:\Windows\system32\reg.bat
        3⤵
          PID:2184
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /f /im kavsvc.exe
          3⤵
          • Kills process with taskkill
          PID:1908
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /f /im 360tray.exe
          3⤵
          • Kills process with taskkill
          PID:1060
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /f /im VsTskMgr.exe
          3⤵
          • Kills process with taskkill
          PID:1880
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /f /im Mcshield.exe
          3⤵
          • Kills process with taskkill
          PID:2312
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /f /im Ravmon.exe
          3⤵
          • Kills process with taskkill
          PID:536
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /f /im Rav.exe
          3⤵
          • Kills process with taskkill
          PID:2444
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /f /im KVXP.kxp
          3⤵
          • Kills process with taskkill
          PID:1904
    • C:\Windows\system32\LogonUI.exe
      "LogonUI.exe" /flags:0x0
      1⤵
        PID:2280
      • C:\Windows\system32\LogonUI.exe
        "LogonUI.exe" /flags:0x1
        1⤵
          PID:2068

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\°×½ð°æ.exe
          Filesize

          279KB

          MD5

          19f0ac3ce0b42d689ead4cb55a94242c

          SHA1

          c5ebdd3f9f8b020a3fe53ffa34ce88caa0b9ba5a

          SHA256

          aa22b1b1c8a288b3d425c91f7a246a8241deb1276407255b26dd620780f2ecc6

          SHA512

          9e44378ef8e4c680c1d543adb1ceae6a44099adc90523eb9ed7213ab17c6231e2024bfc3b4a7c0a12f24fc582a1138d74b17dba9b7a0833e9328750f27341161

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\°×½ð°æ.exe
          Filesize

          390KB

          MD5

          58a0997fe7b5470bbb3874cb164cf838

          SHA1

          1f96222024969d041f018a62f668cfc69d7b6eb4

          SHA256

          3ccfa97ee98d8e8a618f910f844c4408b919809d183da1182f4026131bd0864b

          SHA512

          ff99764ec04812b72a3e92d0e1b19775c3f44968c9c2b5098a8b63404bea5770478bfcdea89f579a4243bf6e9a064a685f7cb2de1ab952fd9429fb50aac412ff

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\°×½ð°æ.exe
          Filesize

          715KB

          MD5

          938d0bae2b14225de22b653dfeef9df2

          SHA1

          5cd3f7126289e2ac006601c92660f794952ec7b0

          SHA256

          a9518b6a301e2fe9105d2d9de04dbb5e219594417ac8a12566022aeeed53dd83

          SHA512

          f2eab90ab68bd5c925315884599632a016d97663cc491e9511848cacfafed589a2629bbb8f8b0b988baf4dfcd7b52a390cb0883eb8c2412264e9014473b0bb5b

          Download Submit

        • C:\Windows\SysWOW64\reg.bat
          Filesize

          139B

          MD5

          90fe0b90fc4efc1404e0150be44b05f6

          SHA1

          96e8e6b4feef165e52483e801cf4c27d48f6c19b

          SHA256

          fafd0784ebe06ac5677becf743a5391f153e03814b79140e6802b444fd49237b

          SHA512

          ad0e6b791123ae967342c864ee01aa7ae73b699b88eb53813b316df3064da6c3727bef31b279cb4eed7a18e9abacf9c3b0f0c0e4fea5077bce06480013fbfe51

          Download Submit

        • \Users\Admin\AppData\Local\Temp\°×½ð°æ.exe
          Filesize

          238KB

          MD5

          3010b14f7fce59ed42f7f62558752272

          SHA1

          88248f316fc56f5002908611fd336755fdc4b4d5

          SHA256

          e999e0759c69fab75fe58d03c9fc6dff2d6367404685da80245728da338ae4d4

          SHA512

          bcd77f05acb207cb98f28e809f7204046c3539dad0854cf86532c6480d8eabced8cac7935af4d8f5b3225e0568cdd11fcfb48201e991805488d6b637892d98e0

          Download Submit

        • \Users\Admin\AppData\Local\Temp\°×½ð°æ.exe
          Filesize

          201KB

          MD5

          1f860b13fac0842a45add47ddcd40c26

          SHA1

          dcf9b2fa74331a67f9c9123f3676779a25d02313

          SHA256

          9e44bf6013cc67fc4759a92e6c105b98a16fad8776a2ef351de216455c2dda4d

          SHA512

          0ea160c04d065bae0d0626a6c07f5ffb5a2913f8381d9c44218b0af852829d167271cb9a2aa4f81795f11aee9ea275981823c22533eb9cb96acb20ed302d4129

          Download Submit

        • \Users\Admin\AppData\Local\Temp\°×½ð°æ.exe
          Filesize

          157KB

          MD5

          093f5140d9d7e3453f8a0838c8bc225a

          SHA1

          2f1fa329d2f13526662be203d425d83057aff0f5

          SHA256

          210d7ada73dfaf339357318df05b0c68423d480ff06a6392f6833eca2cc44251

          SHA512

          579843aa4b61edbd4f551ba5d0be24924a881722f6e922e1dda49c0e59758dd85125e858fdd4be6bc443b06fc2cc97d9910bcf2aa07c776f891ad0622a589dbf

          Download Submit

        • \Users\Admin\AppData\Local\Temp\°×½ð°æ.exe
          Filesize

          997KB

          MD5

          eb3cc071b8b891548e5010e1b85a9612

          SHA1

          32c5fc77802abf3af1b2285f9556bdd67a977fb9

          SHA256

          0903e21b8b17b066a61fbe90ba38c03969b62b83f3dcac16edc037b7b9b620cd

          SHA512

          d49b5f8311e343be542b07d6e476427061022cc1561f2b8686a7b02c1cf95c116399b1f0d14508093d80305b326ac04d46442bb867aad65a50e0c677cb5109df

          Download Submit

        • \Users\Admin\AppData\Local\Temp\°×½ð°æ.exe
          Filesize

          653KB

          MD5

          6bc29e618bacc858318b89c57caadf7e

          SHA1

          99897babe6673217699e2674509523894ecbde49

          SHA256

          172a44ec28a921ddce95591d0a833558b05cfababc9f67a29fc1164808816a50

          SHA512

          f6d658680090cfe8789d923cadf34fcd2af7fbfc1708846fdf9c1b33a3533501c43c7267a8edbbc2db28f10ef0ff18fe717879f566870b85ff115a115ee44f01

          Download Submit

        • memory/1736-46-0x0000000010000000-0x000000001003D000-memory.dmp

          Filesize

          244KB

          Download

        • memory/1736-42-0x0000000010000000-0x000000001003D000-memory.dmp

          Filesize

          244KB

          Download

        • memory/1736-17-0x0000000010000000-0x000000001003D000-memory.dmp

          Filesize

          244KB

          Download

        • memory/1736-20-0x0000000010000000-0x000000001003D000-memory.dmp

          Filesize

          244KB

          Download

        • memory/1736-22-0x0000000010000000-0x000000001003D000-memory.dmp

          Filesize

          244KB

          Download

        • memory/1736-83-0x0000000010000000-0x000000001003D000-memory.dmp

          Filesize

          244KB

          Download

        • memory/1736-25-0x0000000010000000-0x000000001003D000-memory.dmp

          Filesize

          244KB

          Download

        • memory/1736-28-0x0000000000D90000-0x00000000011E8000-memory.dmp

          Filesize

          4.3MB

          Download

        • memory/1736-30-0x0000000010000000-0x000000001003D000-memory.dmp

          Filesize

          244KB

          Download

        • memory/1736-27-0x0000000010000000-0x000000001003D000-memory.dmp

          Filesize

          244KB

          Download

        • memory/1736-34-0x0000000010000000-0x000000001003D000-memory.dmp

          Filesize

          244KB

          Download

        • memory/1736-32-0x0000000010000000-0x000000001003D000-memory.dmp

          Filesize

          244KB

          Download

        • memory/1736-36-0x0000000010000000-0x000000001003D000-memory.dmp

          Filesize

          244KB

          Download

        • memory/1736-15-0x0000000000400000-0x0000000000858000-memory.dmp

          Filesize

          4.3MB

          Download

        • memory/1736-52-0x0000000010000000-0x000000001003D000-memory.dmp

          Filesize

          244KB

          Download

        • memory/1736-54-0x0000000010000000-0x000000001003D000-memory.dmp

          Filesize

          244KB

          Download

        • memory/1736-50-0x0000000010000000-0x000000001003D000-memory.dmp

          Filesize

          244KB

          Download

        • memory/1736-48-0x0000000010000000-0x000000001003D000-memory.dmp

          Filesize

          244KB

          Download

        • memory/1736-44-0x0000000010000000-0x000000001003D000-memory.dmp

          Filesize

          244KB

          Download

        • memory/1736-16-0x0000000000D90000-0x00000000011E8000-memory.dmp

          Filesize

          4.3MB

          Download

        • memory/1736-40-0x0000000010000000-0x000000001003D000-memory.dmp

          Filesize

          244KB

          Download

        • memory/1736-38-0x0000000010000000-0x000000001003D000-memory.dmp

          Filesize

          244KB

          Download

        • memory/1736-62-0x0000000010000000-0x000000001003D000-memory.dmp

          Filesize

          244KB

          Download

        • memory/1736-64-0x0000000010000000-0x000000001003D000-memory.dmp

          Filesize

          244KB

          Download

        • memory/1736-66-0x0000000010000000-0x000000001003D000-memory.dmp

          Filesize

          244KB

          Download

        • memory/1736-60-0x0000000010000000-0x000000001003D000-memory.dmp

          Filesize

          244KB

          Download

        • memory/1736-58-0x0000000010000000-0x000000001003D000-memory.dmp

          Filesize

          244KB

          Download

        • memory/1736-56-0x0000000010000000-0x000000001003D000-memory.dmp

          Filesize

          244KB

          Download

        • memory/1736-23-0x0000000010000000-0x000000001003D000-memory.dmp

          Filesize

          244KB

          Download

        • memory/1736-21-0x00000000001D0000-0x00000000001D2000-memory.dmp

          Filesize

          8KB

          Download

        • memory/1736-19-0x0000000000D90000-0x00000000011E8000-memory.dmp

          Filesize

          4.3MB

          Download

        • memory/1736-67-0x0000000000400000-0x0000000000858000-memory.dmp

          Filesize

          4.3MB

          Download

        • memory/1736-82-0x0000000000400000-0x0000000000858000-memory.dmp

          Filesize

          4.3MB

          Download

        • memory/2068-88-0x0000000002760000-0x0000000002761000-memory.dmp

          Filesize

          4KB

          Download

        • memory/2092-10-0x0000000003490000-0x00000000038E8000-memory.dmp

          Filesize

          4.3MB

          Download

        • memory/2092-24-0x0000000003490000-0x00000000038E8000-memory.dmp

          Filesize

          4.3MB

          Download

        • memory/2280-81-0x00000000029C0000-0x00000000029C1000-memory.dmp

          Filesize

          4KB

          Download