Overview

overview

10

Static

static

3

74803c97b5...41.exe

windows7-x64

10

74803c97b5...41.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    149s
  • platform
    windows7_x64
  • resource
    win7-20231129-en
  • resource tags

    arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
  • submitted
    26-12-2023 14:09

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    74803c97b5e6054b511e635cbfd39141.exe

  • Size

    460KB

  • MD5

    74803c97b5e6054b511e635cbfd39141

  • SHA1

    416bf634b6783737e54c11d82fcd48533a3307de

  • SHA256

    5be35a8bdb8e5f368f3a4637b23cfc7434fc422af605b87d36c01ff6c9bf76b6

  • SHA512

    36ba2d1e751ead945c2c49a5f921f8e407f556c190cbe38ff6f4841536587cc47336f252adfb410eb678349305586fd6047e7c2fb3698c503452d15fd3832968

  • SSDEEP

    12288:OlSt6oIHNOhU5O5TYo4XqTig5GSR9CClDDL:OlSt69HNx6T/5xT

Score
10/10
evasionpersistenceupx

Malware Config

Signatures

  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
    evasion
  • Deletes itself 1 IoCs
  • Executes dropped EXE 7 IoCs
  • Loads dropped DLL 14 IoCs
  • UPX packed file 6 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Adds Run key to start application 2 TTPs 52 IoCs
    persistence
  • Drops desktop.ini file(s) 2 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • Enumerates processes with tasklist 1 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 44 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SendNotifyMessage 2 IoCs
  • Suspicious use of SetWindowsHookEx 5 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 60 IoCs

Processes

  • C:\Windows\system32\csrss.exe
    %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
    1⤵
    • Executes dropped EXE
    • Drops desktop.ini file(s)
    • Suspicious use of UnmapMainImage
    • Suspicious use of WriteProcessMemory
    PID:336
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k netsvcs
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:852
    • C:\Windows\system32\wbem\WMIADAP.EXE
      wmiadap.exe /F /T /R
      2⤵
        PID:492
    • C:\Users\Admin\AppData\Local\Temp\74803c97b5e6054b511e635cbfd39141.exe
      "C:\Users\Admin\AppData\Local\Temp\74803c97b5e6054b511e635cbfd39141.exe"
      1⤵
      • Loads dropped DLL
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2372
      • C:\Users\Admin\iBdqphzke5.exe
        C:\Users\Admin\iBdqphzke5.exe
        2⤵
        • Modifies visiblity of hidden/system files in Explorer
        • Executes dropped EXE
        • Loads dropped DLL
        • Adds Run key to start application
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:3052
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /c tasklist&&del iBdqphzke5.exe
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:2728
        • C:\Users\Admin\xvgib.exe
          "C:\Users\Admin\xvgib.exe"
          3⤵
          • Modifies visiblity of hidden/system files in Explorer
          • Executes dropped EXE
          • Adds Run key to start application
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of SetWindowsHookEx
          PID:2708
      • C:\Users\Admin\dstat.exe
        C:\Users\Admin\dstat.exe
        2⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:2324
      • C:\Users\Admin\astat.exe
        C:\Users\Admin\astat.exe
        2⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2620
      • C:\Users\Admin\fstat.exe
        C:\Users\Admin\fstat.exe
        2⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1076
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\system32\cmd.exe"
          3⤵
            PID:2532
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /c tasklist&&del 74803c97b5e6054b511e635cbfd39141.exe
          2⤵
          • Deletes itself
          • Suspicious use of WriteProcessMemory
          PID:2132
      • C:\Windows\Explorer.EXE
        C:\Windows\Explorer.EXE
        1⤵
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:1368
      • C:\Windows\SysWOW64\tasklist.exe
        tasklist
        1⤵
        • Enumerates processes with tasklist
        • Suspicious use of AdjustPrivilegeToken
        PID:2632
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 2520 -s 88
        1⤵
        • Loads dropped DLL
        • Program crash
        PID:2436
      • C:\Users\Admin\astat.exe
        "C:\Users\Admin\astat.exe"
        1⤵
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:2520
      • C:\Windows\SysWOW64\tasklist.exe
        tasklist
        1⤵
        • Enumerates processes with tasklist
        • Suspicious use of AdjustPrivilegeToken
        PID:2228
      • C:\Windows\system32\wbem\wmiprvse.exe
        C:\Windows\system32\wbem\wmiprvse.exe -Embedding
        1⤵
          PID:636

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\astat.exe
          Filesize

          60KB

          MD5

          87c6498966e3f85fac743c89050aa312

          SHA1

          05c165c34cbfa14e4925c33ace81992b0f50a2b5

          SHA256

          30c8328585e41968aff773da16cedbe590dcefd293c7fa74a69c557ecbf2c3c5

          SHA512

          740f7159ee78f73e57c92e583b8c4f97c5dd49b68b9c321da976d7e318819daa28e8dfc76e95e1e3ccee643dc464324c40b481d1849863e287d826adb577b420

          Download Submit

        • C:\Users\Admin\dstat.exe
          Filesize

          36KB

          MD5

          b6da847084e39e0cecf175c32c91b4bb

          SHA1

          fbfd9494fabed5220cdf01866ff088fe7adc535b

          SHA256

          065781e8a55cf59cb926d5950e0039e19b50b1e081023404fbff4d7a32fc9cbe

          SHA512

          59d372ea36904cd48c99f2f34740c22004b35c5e5dada2417813b0463292af19e4aa5ba4552cc443da373e40ba03a1f7906019a567806806f5972c202a31d9d2

          Download Submit

        • C:\Users\Admin\iBdqphzke5.exe
          Filesize

          244KB

          MD5

          a4cdb62cf4866a17e742e7e9cc73d237

          SHA1

          30d94f8e872455ac569949ac4c768d0a0cdfbba7

          SHA256

          c741d649bf5b72fbe97470820ce994ce29b153baae14af10c3a2a9adc3098b32

          SHA512

          c4447f95565d3e5dc0ef7712382325280bedf127ac682f85f4043b586afb4188633f2c73277595eb31fe45d992107492f42c82a71f448286a9cb8fac4bfb3671

          Download Submit

        • C:\Users\Admin\xvgib.exe
          Filesize

          244KB

          MD5

          e596ddaf754fb5b554000fe75ed988b8

          SHA1

          93df161ea5a54585be9ea64718bd0f3a35f70fd6

          SHA256

          495dab784d4f2c76f209f034f165d250fa760bf30aed448ab8ece9526c5e9d8d

          SHA512

          d805ea3b0ab9f83853fec74ff7c9999d735962e31443d670409520c0293f3a29d44a52793329ae59f004fcfcb1b706291c219949096a4ccaf173643dce1066e2

          Download Submit

        • \??\globalroot\systemroot\assembly\temp\@
          Filesize

          2KB

          MD5

          d0ef0547e0d8f7e3691e9d0f28467e78

          SHA1

          3e9d1ea7164c92394bb0427439a2cd8326bc4501

          SHA256

          ef90ba43ba84756f2d92d4dcaa8c8d6763fa6bc9b86034f927ff479251010231

          SHA512

          7abfa6394a932a59b4d085af7d7a35ec48cb9a908d0231b3595aa7f98bce8e78e1687ce7ba7df60d343efcc4e0e7d97a272c5634e27838e53b29e4a96e20d0a6

          Download Submit

        • \Users\Admin\fstat.exe
          Filesize

          271KB

          MD5

          34353cf7e1d1b10bcbbcae0745110535

          SHA1

          2fb471681daac6f6d66477b7772025da4f58c508

          SHA256

          b2d7a66e2d10d8943e48d6f3ad75237ff379e82ab0101a620406c4569be1d959

          SHA512

          7404f82abfabd21d6f2a88b55f6f0ff886bb0a1f16a9d45c6883d74daa26451f862a10a78646c549c3a3264ba4bd9fb44949d470493af895973dd05a0ec311e6

          Download Submit

        • \Users\Admin\xvgib.exe
          Filesize

          92KB

          MD5

          210071b032c3236a7faa96b828f2e3b0

          SHA1

          d15c6e8c86a7d3d1bd5ef597d5a7e2ae6378801b

          SHA256

          4af800319001b5d2d08f429763283b307201f65d35160bb26c9753fb03238c28

          SHA512

          d8bec2fa95dbab30635eb3dffb443f6df659c259cab170347aff444c505c9a67ab28eaa93653efce336863801ebe084ca718b86b96b134d55e05bc820c0a0838

          Download Submit

        • memory/336-121-0x0000000002560000-0x0000000002572000-memory.dmp

          Filesize

          72KB

          Download

        • memory/336-118-0x0000000002560000-0x0000000002572000-memory.dmp

          Filesize

          72KB

          Download

        • memory/336-135-0x0000000002560000-0x0000000002572000-memory.dmp

          Filesize

          72KB

          Download

        • memory/336-130-0x0000000002380000-0x0000000002381000-memory.dmp

          Filesize

          4KB

          Download

        • memory/336-116-0x0000000002380000-0x0000000002381000-memory.dmp

          Filesize

          4KB

          Download

        • memory/852-159-0x0000000000CF0000-0x0000000000CFB000-memory.dmp

          Filesize

          44KB

          Download

        • memory/852-149-0x0000000000CF0000-0x0000000000CFB000-memory.dmp

          Filesize

          44KB

          Download

        • memory/852-148-0x0000000000CC0000-0x0000000000CC1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/852-146-0x0000000000CF0000-0x0000000000CFB000-memory.dmp

          Filesize

          44KB

          Download

        • memory/852-137-0x0000000000CE0000-0x0000000000CEB000-memory.dmp

          Filesize

          44KB

          Download

        • memory/852-145-0x0000000000CE0000-0x0000000000CEB000-memory.dmp

          Filesize

          44KB

          Download

        • memory/852-141-0x0000000000CE0000-0x0000000000CEB000-memory.dmp

          Filesize

          44KB

          Download

        • memory/1076-110-0x0000000002A50000-0x0000000002A8D000-memory.dmp

          Filesize

          244KB

          Download

        • memory/1076-79-0x0000000002380000-0x00000000023C6000-memory.dmp

          Filesize

          280KB

          Download

        • memory/1076-95-0x0000000003110000-0x000000000314D000-memory.dmp

          Filesize

          244KB

          Download

        • memory/1076-92-0x0000000002A50000-0x0000000002A8D000-memory.dmp

          Filesize

          244KB

          Download

        • memory/1076-82-0x0000000000400000-0x0000000000446000-memory.dmp

          Filesize

          280KB

          Download

        • memory/1076-77-0x00000000020A0000-0x00000000020A1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1076-93-0x0000000002A50000-0x0000000002A8D000-memory.dmp

          Filesize

          244KB

          Download

        • memory/1076-80-0x0000000000400000-0x0000000000446000-memory.dmp

          Filesize

          280KB

          Download

        • memory/1076-120-0x0000000000400000-0x0000000000446000-memory.dmp

          Filesize

          280KB

          Download

        • memory/1076-91-0x0000000003100000-0x0000000003101000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1076-81-0x0000000002950000-0x0000000002951000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1076-89-0x0000000002A50000-0x0000000002A8D000-memory.dmp

          Filesize

          244KB

          Download

        • memory/1076-86-0x0000000002A50000-0x0000000002A8D000-memory.dmp

          Filesize

          244KB

          Download

        • memory/1076-83-0x0000000002A50000-0x0000000002A8D000-memory.dmp

          Filesize

          244KB

          Download

        • memory/1076-100-0x0000000002A50000-0x0000000002A8D000-memory.dmp

          Filesize

          244KB

          Download

        • memory/1076-99-0x0000000002A50000-0x0000000002A8D000-memory.dmp

          Filesize

          244KB

          Download

        • memory/1076-96-0x00000000036D0000-0x00000000036D1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1076-94-0x0000000002A50000-0x0000000002A8D000-memory.dmp

          Filesize

          244KB

          Download

        • memory/1076-78-0x0000000000400000-0x0000000000446000-memory.dmp

          Filesize

          280KB

          Download

        • memory/1076-127-0x0000000003110000-0x000000000314D000-memory.dmp

          Filesize

          244KB

          Download

        • memory/1076-126-0x0000000002A50000-0x0000000002A8D000-memory.dmp

          Filesize

          244KB

          Download

        • memory/1076-125-0x0000000002380000-0x00000000023C6000-memory.dmp

          Filesize

          280KB

          Download

        • memory/1076-124-0x0000000000400000-0x0000000000446000-memory.dmp

          Filesize

          280KB

          Download

        • memory/1076-90-0x0000000002A50000-0x0000000002A8D000-memory.dmp

          Filesize

          244KB

          Download

        • memory/1368-105-0x0000000002EC0000-0x0000000002EC6000-memory.dmp

          Filesize

          24KB

          Download

        • memory/1368-109-0x0000000002EC0000-0x0000000002EC6000-memory.dmp

          Filesize

          24KB

          Download

        • memory/1368-111-0x0000000002E70000-0x0000000002E72000-memory.dmp

          Filesize

          8KB

          Download

        • memory/1368-101-0x0000000002EC0000-0x0000000002EC6000-memory.dmp

          Filesize

          24KB

          Download

        • memory/2520-51-0x0000000000400000-0x000000000040E000-memory.dmp

          Filesize

          56KB

          Download

        • memory/2520-52-0x0000000000400000-0x000000000040E000-memory.dmp

          Filesize

          56KB

          Download

        • memory/2520-44-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

          Filesize

          4KB

          Download

        • memory/2520-46-0x0000000000400000-0x000000000040E000-memory.dmp

          Filesize

          56KB

          Download

        • memory/2520-50-0x0000000000400000-0x000000000040E000-memory.dmp

          Filesize

          56KB

          Download

        • memory/2520-42-0x0000000000400000-0x000000000040E000-memory.dmp

          Filesize

          56KB

          Download

        • memory/2520-40-0x0000000000400000-0x000000000040E000-memory.dmp

          Filesize

          56KB

          Download

        • memory/2520-38-0x0000000000400000-0x000000000040E000-memory.dmp

          Filesize

          56KB

          Download