Analysis

  • max time kernel
    150s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    29-12-2023 21:59

General

  • Target

    05078888c3e6ada4268a19ebb33fc9f3.exe

  • Size

    22KB

  • MD5

    05078888c3e6ada4268a19ebb33fc9f3

  • SHA1

    d263edb030156e7393ce22397ec6d9b941d2381e

  • SHA256

    75e56e521849251048b4e6c6c6d01d2fc738ed34b5f13915c0c157a73fe028ca

  • SHA512

    42a39376ebe1cf2b6e2bbab9ec3b79e646d0fceea6f72813968b054742f5a3911c6cd663ada09d1590a0d3d56b438211433a05a74e7b90d474434d4de6cfa551

  • SSDEEP

    384:vuOioLGVKCRc3IPYZ1tc15lbzqOZ1MZ99kJlfC:mOb4P4O+OZqZki

Score
7/10
upx

Malware Config

Signatures

  • ACProtect 1.3x - 1.4x DLL software 1 IoCs

    Detects file using ACProtect software.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up the country code configured in the registry, likely a geofence check.

  • Loads dropped DLL 1 IoCs
  • UPX packed file 5 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops file in System32 directory 1 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 7 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\05078888c3e6ada4268a19ebb33fc9f3.exe
    "C:\Users\Admin\AppData\Local\Temp\05078888c3e6ada4268a19ebb33fc9f3.exe"
    1⤵
    • Checks computer location settings
    • Loads dropped DLL
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:208
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\050788~1.EXE >> NUL
      2⤵
        PID:3728
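The process tree above shows the classic self-deletion trick: the sample spawns `cmd.exe /c del <own path> >> NUL` so the original executable vanishes once the parent exits, and it passes the path in 8.3 short form (`050788~1.EXE`), which defeats naive string comparison against the parent's image path. The following detection script is an added example, not part of the sandbox report or the sample; the event records are constructed from the PIDs and command lines on this page, and the event shape (pid, parent pid, image, command line, roughly Sysmon Event ID 1) is an assumption.

```python
import ntpath
import re
from dataclasses import dataclass

# Constructed process-creation events modelled on the report's process tree.
# The field layout is an assumption (roughly Sysmon Event ID 1); PIDs, images
# and command lines for 208 and 3728 are taken from the page, the rest is filler.
@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str
    command_line: str

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\05078888c3e6ada4268a19ebb33fc9f3.exe"

EVENTS = [
    ProcEvent(4000, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(208, 4000, SAMPLE, f'"{SAMPLE}"'),
    ProcEvent(3728, 208, r"C:\Windows\SysWOW64\cmd.exe",
              r'"C:\Windows\system32\cmd.exe" /c del '
              r"C:\Users\Admin\AppData\Local\Temp\050788~1.EXE >> NUL"),
    # Benign look-alike: a cleanup of an unrelated temp file, not the parent image.
    ProcEvent(4100, 4000, r"C:\Windows\System32\cmd.exe",
              r'"C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\setup.log'),
]

# "/c del [/f /q ...] <target>" with an optionally quoted target; stops at
# whitespace or a redirection so ">> NUL" is not swallowed into the path.
DEL_RE = re.compile(r'/c\s+del\s+(?:/[a-z]\s+)*"?([^"\s>]+)"?', re.IGNORECASE)


def short_name_matches(candidate: str, long_path: str) -> bool:
    """True if `candidate` is `long_path` itself or a plausible 8.3 alias of it.

    8.3 aliases keep the first six characters of the long stem (spaces dropped),
    append ~N, and truncate the extension to three characters, so
    050788~1.EXE is a valid alias of 05078888c3e6ada4268a19ebb33fc9f3.exe.
    """
    c_dir, _, c_file = candidate.rpartition("\\")
    l_dir, _, l_file = long_path.rpartition("\\")
    if c_dir.lower() != l_dir.lower():
        return False
    if c_file.lower() == l_file.lower():
        return True
    m = re.fullmatch(r"([^~.]{1,6})~\d+(\.[^.]{0,3})?", c_file, re.IGNORECASE)
    if not m:
        return False
    stem, ext = m.group(1), (m.group(2) or "")
    l_stem, l_ext = ntpath.splitext(l_file)
    return (l_stem.replace(" ", "")[:6].lower() == stem.lower()
            and l_ext[:4].lower() == ext.lower())


def find_self_delete(events):
    """Return (parent_pid, cmd_pid, target) for every cmd.exe child that deletes
    its own parent's executable."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        if ntpath.basename(e.image).lower() != "cmd.exe":
            continue
        parent = by_pid.get(e.ppid)
        if parent is None:
            continue
        m = DEL_RE.search(e.command_line)
        if not m:
            continue
        target = m.group(1)
        if short_name_matches(target, parent.image):
            hits.append((parent.pid, e.pid, target))
    return hits


if __name__ == "__main__":
    for ppid, cpid, target in find_self_delete(EVENTS):
        print(f"self-delete: pid {ppid} -> cmd.exe pid {cpid} deleting {target}")
```

On the constructed events only the 208 to 3728 pair fires; the look-alike cleanup of `setup.log` is ignored because its target does not resolve to the parent image. In real telemetry the same logic works on Sysmon Event ID 1 or Windows 4688 records with command-line auditing enabled, and you should also alert on the parent having already exited by the time the delete runs, which is what makes the original file unrecoverable without the dropped DLL listed below.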

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Windows\SysWOW64\qB5BKZy7vR5m.dll

      Filesize

      13KB

      MD5

      acbd3261aea0c647dc47d475f56aa66a

      SHA1

      6e818d0d334d5925fb9cccdb26853d2654800330

      SHA256

      5e45c829d27346b13f0bd4180e25b06bf5c7e40f062239e9d6b07b4d7bd30af1

      SHA512

      b06fec3e785a0287016bbe0c961bcf7c1bc2838f0413cd50e031a2a44b2e941ad3b75120c07a5d1c6f1a9049c77395561b9affeb9b915d595bb0a4b188f86ac7

    • memory/208-0-0x0000000000400000-0x0000000000409000-memory.dmp

      Filesize

      36KB

    • memory/208-7-0x0000000010000000-0x000000001000F000-memory.dmp

      Filesize

      60KB

    • memory/208-9-0x0000000010000000-0x000000001000F000-memory.dmp

      Filesize

      60KB

    • memory/208-8-0x0000000000400000-0x0000000000409000-memory.dmp

      Filesize

      36KB