Overview

overview

10

Static

static

7

5993c15c99...c2.exe

windows7-x64

10

5993c15c99...c2.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    151s
  • max time network
    175s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
  • submitted
    26/12/2023, 06:27

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    5993c15c990cd83a710fd7d3ee002cc2.exe

  • Size

    410KB

  • MD5

    5993c15c990cd83a710fd7d3ee002cc2

  • SHA1

    1640b39c1e34e83f6f3245a7982336633067c3a2

  • SHA256

    c6412c3920a5e5e958e9a73d4da2e0593a7fee9d95a4afc4a0385110c5d0c3c7

  • SHA512

    75ee36f9fc531ce83149cd6ac90f810b4506be75329aea8379d67a267327ab7d39a712f29a44d3f7798fb44efeea4aad65fe0f3ef03b34d6731c682c1c4263c7

  • SSDEEP

    6144:zknN4CVUIm6uk06ZLYgvBA+8xmrxgmA+3cclptVopA/c0/uAIehqEqxBJBBgDjML:gnNhuBoY8SorxgmA+nlvVl/c0j8nBqML

Score
10/10
evasionpersistenceupx

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
    persistence
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
    evasion
  • Adds policy Run key to start application 2 TTPs 2 IoCs
    persistence
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • UPX packed file 5 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • AutoIT Executable 2 IoCs

    AutoIT scripts compiled to PE executables.

  • Drops file in System32 directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 1 IoCs
  • Runs ping.exe 1 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\5993c15c990cd83a710fd7d3ee002cc2.exe
    "C:\Users\Admin\AppData\Local\Temp\5993c15c990cd83a710fd7d3ee002cc2.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Modifies visiblity of hidden/system files in Explorer
    • Adds policy Run key to start application
    • Checks computer location settings
    • Drops file in System32 directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:3208
    • C:\Windows\SysWOW64\csrcs.exe
      "C:\Windows\System32\csrcs.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:4332
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\suicide.bat
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4188
        • C:\Windows\SysWOW64\PING.EXE
          ping -n 5 -w 250 127.0.0.1
          4⤵
          • Runs ping.exe
          PID:4964
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\suicide.bat
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3496
  • C:\Windows\SysWOW64\PING.EXE
    ping -n 5 -w 250 127.0.0.1
    1⤵
    • Runs ping.exe
    PID:628

Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\chksqvb
          Filesize

          94KB

          MD5

          2a3ed75f63103f7ca4343207c95d8b13

          SHA1

          27f73f1ab7f81fbbaa6c31535a5cfaa20687efd8

          SHA256

          0dd8aba17ab8c1b7bed2560fc5ad1045b468ae5b9a52656e88b2c7113c06fa46

          SHA512

          c9b1c7c6cb33ea922fea77baa4539e4e530a31137536b86a31c6dfc751167c8ec1a681103892134a84514c9d8e86133933ab08f309e96acc19bdc8d8070a3287

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\suicide.bat
          Filesize

          141B

          MD5

          9d7ddbc6c331aefed77908f803fca1e5

          SHA1

          d36afa796236730342b216f083c68a39227c13bf

          SHA256

          19f0453504f36aef7d207f11345ed203440a3a8dd1594df1aa072b2f4eeb39bf

          SHA512

          014c7cb15ec0bfc96e1f5b5a66b0bba9b87440256d0e8d9106cef8c4d2f1d244a3063a7abb847957310b2e0c9db466291851d7bb2ff8e6b50e0b9ad907b9b54c

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\suicide.bat
          Filesize

          223B

          MD5

          fc54653aa38bf4638767e1d626b68136

          SHA1

          ec27d540f3575a91cc7b72e790f2a75df101cf18

          SHA256

          4d2732e04831aa21b924b8cfedf09f0b6ac11e07061cf352c3e5616bf6af014b

          SHA512

          ad05594852a0e41006e5646495e5918f826260ac1f84c7ecf9cb1b1bda984596666c8d02edd6f8d6ed967560ac4a1058bea9c360b49b7873b6566dcf2519e3bc

          Download Submit

        • C:\Windows\SysWOW64\csrcs.exe
          Filesize

          68KB

          MD5

          f32ac35186696431d8cb03dcf720031c

          SHA1

          7d80a6bca38edb5b09db17f7103143d81de217ee

          SHA256

          6cc2e5c46f35339381bd60df6eb2549c32943c84415ec40fc4f7745e7494c495

          SHA512

          095f7956c5235512ce0b1f1b2cf6f6e2868aa656b57ea49cc2ca50f9bcde6a97d1df098cc391a73d58cfa877fd7363ff93613c848fdc4468262f5a1bc33a6a8b

          Download Submit

        • C:\Windows\SysWOW64\csrcs.exe
          Filesize

          410KB

          MD5

          5993c15c990cd83a710fd7d3ee002cc2

          SHA1

          1640b39c1e34e83f6f3245a7982336633067c3a2

          SHA256

          c6412c3920a5e5e958e9a73d4da2e0593a7fee9d95a4afc4a0385110c5d0c3c7

          SHA512

          75ee36f9fc531ce83149cd6ac90f810b4506be75329aea8379d67a267327ab7d39a712f29a44d3f7798fb44efeea4aad65fe0f3ef03b34d6731c682c1c4263c7

          Download Submit

        • memory/3208-0-0x0000000000400000-0x0000000000492000-memory.dmp

          Filesize

          584KB

          Download

        • memory/3208-85-0x0000000000400000-0x0000000000492000-memory.dmp

          Filesize

          584KB

          Download

        • memory/4332-81-0x0000000000400000-0x0000000000492000-memory.dmp

          Filesize

          584KB

          Download