Overview

overview

10

Static

static

3

1458b9f5cf...af.exe

windows7-x64

10

1458b9f5cf...af.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    147s
  • platform
    windows7_x64
  • resource
    win7-20231129-en
  • resource tags

    arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
  • submitted
    25/12/2023, 09:25

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    1458b9f5cfa980d057da25e3ca2e61af.exe

  • Size

    548KB

  • MD5

    1458b9f5cfa980d057da25e3ca2e61af

  • SHA1

    8d70149a00226cbc0787b9c1a00f419400d00672

  • SHA256

    5b3635af5764de1c8f2b690d2814f76bfb4b3229e8d17681c6459bf7806ddfd9

  • SHA512

    0d71f32c63cee7ad714a9b38178628bb041a616a07475b3020c2351f33cacfe697891c153a070a281a0a29e71291d462603106f4364040ac6f6e3d8e235212a2

  • SSDEEP

    12288:AbEtWoMZfaFtuKo5qKMnLYuyqnzN+y1kz1LxCOAwst:sloUf+o5qJnV9+y1IXs

Score
10/10
evasionpersistenceupx

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
    persistence
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
    evasion
  • Deletes itself 1 IoCs
  • Executes dropped EXE 11 IoCs
  • Loads dropped DLL 17 IoCs
  • UPX packed file 29 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Unexpected DNS network traffic destination 5 IoCs

    Network traffic to other servers than the configured DNS servers was detected on the DNS port.

  • Adds Run key to start application 2 TTPs 53 IoCs
    persistence
  • Maps connected drives based on registry 3 TTPs 2 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Suspicious use of SetThreadContext 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • Enumerates processes with tasklist 1 TTPs 2 IoCs
  • Modifies registry class 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SendNotifyMessage 2 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Modifies WinLogon for persistence
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:1340
    • C:\Users\Admin\AppData\Local\Temp\1458b9f5cfa980d057da25e3ca2e61af.exe
      "C:\Users\Admin\AppData\Local\Temp\1458b9f5cfa980d057da25e3ca2e61af.exe"
      2⤵
      • Loads dropped DLL
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2216
      • C:\Users\Admin\jyCd5od0b9.exe
        C:\Users\Admin\jyCd5od0b9.exe
        3⤵
        • Modifies visiblity of hidden/system files in Explorer
        • Executes dropped EXE
        • Loads dropped DLL
        • Adds Run key to start application
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:784
        • C:\Users\Admin\kooanu.exe
          "C:\Users\Admin\kooanu.exe"
          4⤵
          • Modifies visiblity of hidden/system files in Explorer
          • Executes dropped EXE
          • Adds Run key to start application
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of SetWindowsHookEx
          PID:3032
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /c tasklist&&del jyCd5od0b9.exe
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:2724
      • C:\Users\Admin\3aag.exe
        C:\Users\Admin\3aag.exe
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of SetThreadContext
        • Modifies registry class
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1868
        • C:\Users\Admin\AppData\Local\c1d0fc3f\X
          *0*bc*8cf5e053*31.193.3.240:53
          4⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          PID:1428
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\system32\cmd.exe"
          4⤵
            PID:1808
        • C:\Users\Admin\2aag.exe
          C:\Users\Admin\2aag.exe
          3⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:2708
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /c tasklist&&del 1458b9f5cfa980d057da25e3ca2e61af.exe
          3⤵
          • Deletes itself
          PID:304
    • C:\Windows\system32\csrss.exe
      %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
      1⤵
      • Executes dropped EXE
      • Suspicious use of UnmapMainImage
      PID:340
    • C:\Windows\SysWOW64\tasklist.exe
      tasklist
      1⤵
      • Enumerates processes with tasklist
      • Suspicious use of AdjustPrivilegeToken
      PID:2620
    • C:\Users\Admin\2aag.exe
      "C:\Users\Admin\2aag.exe"
      1⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:2496
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 2496 -s 88
        2⤵
        • Loads dropped DLL
        • Program crash
        PID:1788
    • C:\Users\Admin\2aag.exe
      "C:\Users\Admin\2aag.exe"
      1⤵
      • Executes dropped EXE
      • Maps connected drives based on registry
      • Suspicious behavior: EnumeratesProcesses
      PID:2152
    • C:\Users\Admin\2aag.exe
      "C:\Users\Admin\2aag.exe"
      1⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:1240
    • C:\Users\Admin\2aag.exe
      "C:\Users\Admin\2aag.exe"
      1⤵
      • Executes dropped EXE
      PID:1836
    • C:\Users\Admin\2aag.exe
      "C:\Users\Admin\2aag.exe"
      1⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:2736
    • C:\Windows\system32\DllHost.exe
      C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
      1⤵
        PID:656
      • C:\Windows\SysWOW64\tasklist.exe
        tasklist
        1⤵
        • Enumerates processes with tasklist
        • Suspicious use of AdjustPrivilegeToken
        PID:1056
      • C:\Windows\system32\wbem\WMIADAP.EXE
        wmiadap.exe /F /T /R
        1⤵
          PID:2836
        • C:\Windows\system32\wbem\wmiprvse.exe
          C:\Windows\system32\wbem\wmiprvse.exe -Embedding
          1⤵
            PID:2088

          Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\2aag.exe
            Filesize

            128KB

            MD5

            2b4ee5d4acacc3528ba7c3a58bd29c41

            SHA1

            81b91ba52c39da729feecf26c02798b981662448

            SHA256

            78c58e327fb0dbc782ba27eabb7ba2765c20d9ac44df3460e6059d0c97c0ad12

            SHA512

            fde7b774c2853664c2d97baba56df64ce38c56104cd0c6f2702730f69c1db6f8b8e03856e125d92e1bc737dad2f9dd1f0f5cad565e5cd4cd093be93da8d8d965

            Download Submit

          • C:\Users\Admin\3aag.exe
            Filesize

            96KB

            MD5

            61d449b963d0c9dc3b2fd741795c8216

            SHA1

            37ef13830080de172477b83085695261cbc0e7bb

            SHA256

            2ca2871c9c0129bf224cdad694e8a515a143951e2e6c635d6a2a9a2ebfd22d34

            SHA512

            437c7d1dc802606d470269d5b88cf368e11a3cea61d4f60e0aeb43950acf901d4d1af60d845986ae5af1a33b665acbf522db58982199587ffc1abd6f156eb973

            Download Submit

          • C:\Users\Admin\kooanu.exe
            Filesize

            93KB

            MD5

            1b7fdb06f7f4b23abfb7771e655cf31f

            SHA1

            790bad51bbbb067cfafbd30ececd3e869fe3b6de

            SHA256

            edc88586e518b59f701bb61bb788429809a24f8f1d97e01b9100a81434ce3e10

            SHA512

            60257891c6ed82b02ff56a44aa388006638d585a38d350d06d7730db1544dc78636cd4907699616a9b4d660f8fcf0c6577dbc87cd3472391c288711d65efae57

            Download Submit

          • \Users\Admin\jyCd5od0b9.exe
            Filesize

            260KB

            MD5

            b0c9b92f068e2ac7770334e56e0c5017

            SHA1

            4d73d45c04e4e8af4fa81403d812fac1b94a75c0

            SHA256

            6a1fbc078e3b75354607179c7af71cdc80e40d5a787929fe9d174998a7b75888

            SHA512

            0d08f35abc9363db287449953a23d69f49bb11a2755378b82b66acba07f2588acce85a2f0f9c7a1fbdc7e049507ff5293e9ec33fc8cc847c860c80bb39c8c26a

            Download Submit

          • \Users\Admin\kooanu.exe
            Filesize

            98KB

            MD5

            ad3ba89f897a0df602ce9f12f0b27673

            SHA1

            72f8b1bdd74dda621a3ef23a6e053bb5ccc227ac

            SHA256

            8c0333c0bfe7f8d447789ce8ca7918661643f931acdd2eb0691162cbc5270e01

            SHA512

            cf86a661a93183721ecf3cc7b87f5e075340cbe0b3978a2592010e7a574c65be87fcea715d492dd1ad82b63b3f055b6f63695d9f9b07b03e29ae9d136345b42e

            Download Submit

          • \Users\Admin\kooanu.exe
            Filesize

            260KB

            MD5

            769bed66af8832b1bf53ee44a582be58

            SHA1

            47a616ec58a3a2edb6e11001830c0fb56b13dc5d

            SHA256

            b9e4ede93a41f2a9304d9d3217f0fab65f22dce110bbc5acf9490fdb48f0b463

            SHA512

            1c2c7573645ccc1b9748cd3b4ffb5f9332a2bbe88b1b2ea49235b869a6f78a57ec5a529bc1c9ab0cbf235e839a8c3057b5e7369be79a494e3dbc294cf61011f1

            Download Submit

          • \systemroot\assembly\tmp\{1B372133-BFFA-4dba-9CCF-5474BED6A9F6}
            Filesize

            2KB

            MD5

            0aea8f4a7e1249d8371b302cfeee61bc

            SHA1

            d6b56649e7cfeb4f5e99d8b02f647d3829eb6bfb

            SHA256

            e16f78b590bc5107fca8d426de5f638974bd11d492d98e28ce5c1f732bc8558c

            SHA512

            5c120746c4596f4a978d81d08dcc729c8dd847d3a0db0a65dbf082139b0e462360367ac796199e75b2777d13034cb87cd4d3d653be211af1180cab763552cb75

            Download Submit

          • memory/340-174-0x00000000029F0000-0x00000000029F2000-memory.dmp

            Filesize

            8KB

            Download

          • memory/340-137-0x0000000000E90000-0x0000000000E9B000-memory.dmp

            Filesize

            44KB

            Download

          • memory/340-144-0x0000000000E90000-0x0000000000E9B000-memory.dmp

            Filesize

            44KB

            Download

          • memory/784-26-0x0000000003580000-0x000000000403A000-memory.dmp

            Filesize

            10.7MB

            Download

          • memory/1240-102-0x0000000000400000-0x0000000000407000-memory.dmp

            Filesize

            28KB

            Download

          • memory/1240-168-0x0000000000400000-0x0000000000407000-memory.dmp

            Filesize

            28KB

            Download

          • memory/1240-99-0x0000000000400000-0x0000000000407000-memory.dmp

            Filesize

            28KB

            Download

          • memory/1240-86-0x0000000000400000-0x0000000000407000-memory.dmp

            Filesize

            28KB

            Download

          • memory/1240-101-0x0000000000400000-0x0000000000407000-memory.dmp

            Filesize

            28KB

            Download

          • memory/1240-93-0x0000000000400000-0x0000000000407000-memory.dmp

            Filesize

            28KB

            Download

          • memory/1240-89-0x0000000000400000-0x0000000000407000-memory.dmp

            Filesize

            28KB

            Download

          • memory/1340-127-0x0000000003250000-0x0000000003256000-memory.dmp

            Filesize

            24KB

            Download

          • memory/1340-178-0x0000000000E90000-0x0000000000E9B000-memory.dmp

            Filesize

            44KB

            Download

          • memory/1340-123-0x0000000003250000-0x0000000003256000-memory.dmp

            Filesize

            24KB

            Download

          • memory/1340-131-0x0000000003250000-0x0000000003256000-memory.dmp

            Filesize

            24KB

            Download

          • memory/1340-158-0x0000000000E90000-0x0000000000E9B000-memory.dmp

            Filesize

            44KB

            Download

          • memory/1340-159-0x0000000003280000-0x000000000328B000-memory.dmp

            Filesize

            44KB

            Download

          • memory/1340-132-0x00000000029F0000-0x00000000029F2000-memory.dmp

            Filesize

            8KB

            Download

          • memory/1868-121-0x0000000030670000-0x00000000306C2000-memory.dmp

            Filesize

            328KB

            Download

          • memory/1868-122-0x0000000000410000-0x0000000000510000-memory.dmp

            Filesize

            1024KB

            Download

          • memory/1868-176-0x0000000030670000-0x00000000306C2000-memory.dmp

            Filesize

            328KB

            Download

          • memory/1868-170-0x0000000000410000-0x0000000000510000-memory.dmp

            Filesize

            1024KB

            Download

          • memory/1868-169-0x0000000030670000-0x00000000306C2000-memory.dmp

            Filesize

            328KB

            Download

          • memory/2152-163-0x0000000000400000-0x0000000000426000-memory.dmp

            Filesize

            152KB

            Download

          • memory/2152-85-0x0000000000400000-0x0000000000426000-memory.dmp

            Filesize

            152KB

            Download

          • memory/2152-81-0x0000000000400000-0x0000000000426000-memory.dmp

            Filesize

            152KB

            Download

          • memory/2152-87-0x0000000000400000-0x0000000000426000-memory.dmp

            Filesize

            152KB

            Download

          • memory/2152-70-0x0000000000400000-0x0000000000426000-memory.dmp

            Filesize

            152KB

            Download

          • memory/2152-82-0x0000000000400000-0x0000000000426000-memory.dmp

            Filesize

            152KB

            Download

          • memory/2152-77-0x0000000000400000-0x0000000000426000-memory.dmp

            Filesize

            152KB

            Download

          • memory/2152-72-0x0000000000400000-0x0000000000426000-memory.dmp

            Filesize

            152KB

            Download

          • memory/2152-74-0x0000000000400000-0x0000000000426000-memory.dmp

            Filesize

            152KB

            Download

          • memory/2496-67-0x0000000000400000-0x000000000040E000-memory.dmp

            Filesize

            56KB

            Download

          • memory/2496-64-0x0000000000400000-0x000000000040E000-memory.dmp

            Filesize

            56KB

            Download

          • memory/2496-58-0x0000000000400000-0x000000000040E000-memory.dmp

            Filesize

            56KB

            Download

          • memory/2496-52-0x0000000000400000-0x000000000040E000-memory.dmp

            Filesize

            56KB

            Download

          • memory/2496-69-0x0000000000400000-0x000000000040E000-memory.dmp

            Filesize

            56KB

            Download

          • memory/2496-50-0x0000000000400000-0x000000000040E000-memory.dmp

            Filesize

            56KB

            Download

          • memory/2496-68-0x0000000000400000-0x000000000040E000-memory.dmp

            Filesize

            56KB

            Download

          • memory/2736-39-0x0000000000400000-0x0000000000407000-memory.dmp

            Filesize

            28KB

            Download

          • memory/2736-43-0x0000000000400000-0x0000000000407000-memory.dmp

            Filesize

            28KB

            Download

          • memory/2736-45-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

            Filesize

            4KB

            Download

          • memory/2736-162-0x0000000000400000-0x0000000000407000-memory.dmp

            Filesize

            28KB

            Download

          • memory/2736-41-0x0000000000400000-0x0000000000407000-memory.dmp

            Filesize

            28KB

            Download

          • memory/2736-53-0x0000000000400000-0x0000000000407000-memory.dmp

            Filesize

            28KB

            Download

          • memory/2736-57-0x0000000000400000-0x0000000000407000-memory.dmp

            Filesize

            28KB

            Download

          • memory/2736-55-0x0000000000400000-0x0000000000407000-memory.dmp

            Filesize

            28KB

            Download

          • memory/2736-140-0x0000000000400000-0x0000000000407000-memory.dmp

            Filesize

            28KB

            Download

          • memory/2736-47-0x0000000000400000-0x0000000000407000-memory.dmp

            Filesize

            28KB

            Download