Overview

overview

7

Static

static

7

Comdlg32.dll

windows7-x64

1

Comdlg32.dll

windows10-2004-x64

1

Driver Magician.exe

windows7-x64

1

Driver Magician.exe

windows10-2004-x64

1

Help.chm

windows7-x64

1

Help.chm

windows10-2004-x64

1

Homepage.url

windows7-x64

6

Homepage.url

windows10-2004-x64

3

Mscomctl.dll

windows7-x64

1

Mscomctl.dll

windows10-2004-x64

1

Msinet.dll

windows7-x64

1

Msinet.dll

windows10-2004-x64

1

Tabctl32.dll

windows7-x64

1

Tabctl32.dll

windows10-2004-x64

1

XCEEDZIP.dll

windows7-x64

1

XCEEDZIP.dll

windows10-2004-x64

1

XceedCry.dll

windows7-x64

1

XceedCry.dll

windows10-2004-x64

1

run.exe

windows7-x64

7

run.exe

windows10-2004-x64

7

stdole2.dll

windows7-x64

1

stdole2.dll

windows10-2004-x64

1

xcdsfx32.exe

windows7-x64

1

xcdsfx32.exe

windows10-2004-x64

1

Analysis

  • max time kernel
    149s
  • max time network
    146s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
  • submitted
    25/12/2023, 19:46

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    run.exe

  • Size

    15KB

  • MD5

    eb18a2c0796877e4965407f89be51285

  • SHA1

    ee07ba313a81ba8d82b75c880d5d07ba8c229343

  • SHA256

    54c59ff7d8c1b87102fd2c6346eba2d14fa432ad3bb6898395fc01f499453cb5

  • SHA512

    2f9e452e2e81bd2437a8c8b4f95f9e0a8c5f61cc5f6957883955083dbd00c5a009b16edd1e49222bac60584a57ff9a134aab8ea027eeff6c70eda10e163c3404

  • SSDEEP

    384:d9Rm2X4m8xjIuzifUmSaNJawcudoD7Ut41tXWJQBKG:dnom81IuefDznbcuyD7U5K

Score
7/10
upx

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • UPX packed file 2 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks SCSI registry key(s) 3 TTPs 36 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Modifies registry class 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\4268.tmp
    C:\Users\Admin\AppData\Local\Temp\4268.tmp C:\Users\Admin\AppData\Local\Temp
    1⤵
    • Checks computer location settings
    • Executes dropped EXE
    • Suspicious use of WriteProcessMemory
    PID:4908
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpfile0.bat" "
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3448
      • C:\Users\Admin\AppData\Local\Temp\Driver Magician.exe
        "Driver Magician.exe"
        3⤵
        • Checks SCSI registry key(s)
        • Modifies registry class
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        PID:5052
      • C:\Windows\SysWOW64\reg.exe
        reg add "HKCU\Software\Driver Magician" /v "Backup option" /t REG_SZ /d "BckFolder" /f
        3⤵
          PID:1576
        • C:\Windows\SysWOW64\reg.exe
          reg add "HKCU\Software\Driver Magician" /v Version /t REG_SZ /d "3.27" /f
          3⤵
            PID:3484
          • C:\Windows\SysWOW64\reg.exe
            reg add "HKCU\Software\Driver Magician" /v serialnumber /t REG_SZ /d "DBP-L&32ADE7" /f
            3⤵
              PID:2380
            • C:\Windows\SysWOW64\reg.exe
              reg add "HKCU\Software\Driver Magician" /v username /t REG_SZ /d "Your User Name" /f
              3⤵
                PID:4480
          • C:\Users\Admin\AppData\Local\Temp\run.exe
            "C:\Users\Admin\AppData\Local\Temp\run.exe"
            1⤵
            • Suspicious use of WriteProcessMemory
            PID:2868

          Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Local\Temp\4268.tmp
            Filesize

            14KB

            MD5

            08a6fab23d6fc66941c579379edc00f0

            SHA1

            d261b462620724b546a572a3120908c3bec0e787

            SHA256

            1bfac0efe484142486a7de1c720f0d8be2e6f3703c275eb7f7fcb40377c7f55a

            SHA512

            1d2691b0f209b41ffee3a868f654088da90e4ebc966595f54b0dc8f5288495cba34c92272c73733d43040a319f195d7de87bf89d8a276545e29a71eab5949291

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\tmpfile0.bat
            Filesize

            470B

            MD5

            7c89b688eeaab4ecc116970f88067a11

            SHA1

            19953d26883237b85865e80b309ca7bb305ab55e

            SHA256

            90a79cf4dcd02beba86b29cd7e59452917d4eb780a3f5853ff090edfa894f0ce

            SHA512

            2b928dd916ba2b64e65d53fbeaf39459073184ed9b23f325a5ea8e459a9d99b115077ecc5cd72e3dc5e5eb66a58bfa1eea1e2e693106921af715f9f753205b81

            Download Submit

          • memory/2868-0-0x0000000000400000-0x000000000040F000-memory.dmp

            Filesize

            60KB

            Download

          • memory/2868-8-0x0000000000400000-0x000000000040F000-memory.dmp

            Filesize

            60KB

            Download

          • memory/4908-5-0x0000000000400000-0x0000000000407000-memory.dmp

            Filesize

            28KB

            Download

          • memory/4908-14-0x0000000000400000-0x0000000000407000-memory.dmp

            Filesize

            28KB

            Download