Analysis

  • max time kernel: 127s
  • max time network: 126s
  • platform: windows7_x64
  • resource: win7-20231215-en
  • resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
  • submitted: 26/12/2023, 14:42

General

  • Target: 766ee6dc582d9b2d41a71682c0c1110b.exe
  • Size: 260KB
  • MD5: 766ee6dc582d9b2d41a71682c0c1110b
  • SHA1: e0bbf07fffe3c335379b2e2c4b8c775bd9862216
  • SHA256: 774cce6d84e36ac0686ecddd48aea659b701d44d24ed0b1d9e5eb1d900832d2d
  • SHA512: 117ee59dada19fb95d097103d315658b71246f2399f0c5ec5e3708363e8976af9f26349fd2400710f85f7e1bf418e452e78ae4d479f1e2c68491122e4e61e334
  • SSDEEP: 6144:D7JyLfvkJAuZ9xqtc6sgjpCr1qT612UEqYcj9ZsaBSEV:D7wfvcAu5qJKETqnY+bs47V

Score
8/10

Signatures

  • Sets DLL path for service in the registry 2 TTPs 1 IoCs
  • Deletes itself 1 IoCs
  • Loads dropped DLL 6 IoCs
  • UPX packed file 2 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops file in System32 directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\766ee6dc582d9b2d41a71682c0c1110b.exe
    "C:\Users\Admin\AppData\Local\Temp\766ee6dc582d9b2d41a71682c0c1110b.exe"
    PID:2000
    • Sets DLL path for service in the registry
    • Loads dropped DLL
    • Drops file in System32 directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c del "C:\Users\Admin\AppData\Local\Temp\766EE6~1.EXE" > nul
      PID:2392
      • Deletes itself
  • C:\Windows\SysWOW64\svchost.exe
    C:\Windows\SysWOW64\svchost.exe -k "porting"
    PID:2256
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe c:\windows\system32\f761832.dll, Launch
      PID:2716
      • Loads dropped DLL

MITRE ATT&CK Enterprise v15

Downloads

  • \??\c:\windows\SysWOW64\f761832.dll
    Filesize: 610KB
    MD5: 442b5ee0c448c3075c67a840e40f0d6f
    SHA1: 2b3d1d6ccbd33648624fb59de44af6b1f1b110c4
    SHA256: 0d8af34aaa04decb21b384a57e6bad784d1428a745c9be5db90f49d12f132922
    SHA512: 379912fa9a079cd98ccc8bbdea5d097be2cd28d99817b47653ab3c4eaf9c7496dfe2a61c0288afce576b646b2593ec1d6cbde0934262100eff314d6e7d1fb9c1

  • \Windows\SysWOW64\f761832.dll
    Filesize: 384KB
    MD5: 451af688624f13e24e710b3cb20d8f4f
    SHA1: c6f4e35b2620321fe2771c9d75c43d1b76989896
    SHA256: 73d37344e9cd3587f51e9dcbbdfb2c79588d9cb0134af2cf2f1d9030e4b0a3d4
    SHA512: 105af6a3304f7e87eff78e9d9b316022c86688d40e3a52c083224421b8decd1a0ef8059e2c5c471a149ba609f7b7f487ee20573282e9ac7359f8b5da5fc5e39a

  • \Windows\SysWOW64\f761832.dll
    Filesize: 92KB
    MD5: 5ce9268e2ab8e17fea467de28aa754c1
    SHA1: 8179333fb17a0532e05cab63ff8e1bcf62812f49
    SHA256: edd7d7f2610aa1f0842bde97234d53ecfae162c4959009eec89592840b30344a
    SHA512: 69ba3787ea3b3e9b8e995fb2173590d83c34d663f2e662c0710884510a009e0a47ff544f772f39bad32daf54db40df376c17ae28f5ae8014c2498407b34d2c0e

  • memory/2000-0-0x00000000009C0000-0x0000000000A6B000-memory.dmp
    Filesize: 684KB

  • memory/2000-7-0x00000000009C0000-0x0000000000A6B000-memory.dmp
    Filesize: 684KB