Analysis

  • max time kernel
    118s
  • max time network
    130s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
  • submitted
    25-12-2023 06:40

General

  • Target

    0c44ce4c90f3317d564ea936c9b12567.exe

  • Size

    27KB

  • MD5

    0c44ce4c90f3317d564ea936c9b12567

  • SHA1

    b392b9c08d3d371b1551c7c4b0f0ab029d181284

  • SHA256

    75f2ff8c7d002fc1134702ad696a93320a6e36306280d4319d4c6f7100a15f13

  • SHA512

    acafe409a7a57df5a9b3f176a9b33a4778a3f335cbc602a08e35bbb4c09016998d32c87787c26bd53b4bc4b43f08f61db119badecafab22e2f3847fd72ba40aa

  • SSDEEP

    768:KRGuY2P0Vo6r7SiAwyrMRjba27bonbcuyD7UhO:sPcVo6r7S/raba2Xonouy8hO

Score
8/10

Malware Config

Signatures

  • Stops running service(s) 3 TTPs
  • UPX packed file 3 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops file in Windows directory 2 IoCs
  • Launches sc.exe 2 IoCs

    Sc.exe is a Windows utility to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0c44ce4c90f3317d564ea936c9b12567.exe
    "C:\Users\Admin\AppData\Local\Temp\0c44ce4c90f3317d564ea936c9b12567.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2960
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\83C0.tmp\win21.bat" "
      2⤵
      • Drops file in Windows directory
      • Suspicious use of WriteProcessMemory
      PID:2980
      • C:\Windows\SysWOW64\sc.exe
        sc stop sharedaccess
        3⤵
        • Launches sc.exe
        PID:2756
      • C:\Windows\SysWOW64\ftp.exe
        ftp -s:C:\WINDOWS\c5.dat
        3⤵
        PID:2272
      • C:\Windows\SysWOW64\sc.exe
        sc start sharedaccess
        3⤵
        • Launches sc.exe
        PID:2840

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\83C0.tmp\win21.bat

    Filesize

    397B

    MD5

    79b810bb68854c8f0a4d0ebc001fd671

    SHA1

    09281b4bcee09313fad16d00ad8e5c177343e224

    SHA256

    8a5e1e4d2cf8ba28ba79a08d8e712b0f579dae22afb3899212cbfd2247c56c0e

    SHA512

    82bb83a8f59c5bd619f625a3d6a0d807caff0b966a0c9bbdb449fea85ec6399643f3fddf88bae604782a444b4dea4adb538ec7a3e17913f314a92e4fd1b8eedc

  • C:\WINDOWS\c5.dat

    Filesize

    103B

    MD5

    2b5b5d0d618c8d653a93cc27c57872ed

    SHA1

    eb7fb429b61bd0acb3d4e95fda3cb7884340ef29

    SHA256

    1e17e59714e36ff3d786da39bf073b14b048f821a47ae0954dd4609241987345

    SHA512

    d2ce77dc8cca3a4e0e1b643b8aa9bc76b4e1b2e81315f64ddcca9cd985902861a5561d93ba60a87767ec4388b920d8876e4b59261400dd9ee8d70d85ef1b17b6

  • memory/2960-0-0x0000000000400000-0x0000000000415000-memory.dmp

    Filesize

    84KB

  • memory/2960-26-0x0000000000400000-0x0000000000415000-memory.dmp

    Filesize

    84KB

  • memory/2960-41-0x0000000000400000-0x0000000000415000-memory.dmp

    Filesize

    84KB

  • memory/2980-33-0x0000000000630000-0x0000000000631000-memory.dmp

    Filesize

    4KB