Analysis

  • max time kernel
    138s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    29/12/2023, 19:32

General

  • Target: 01cfe2ce2b9e575d8986e8e845a9701f.exe
  • Size: 30KB
  • MD5: 01cfe2ce2b9e575d8986e8e845a9701f
  • SHA1: 7c2e0a61eedb8e5093791c1735d2d18636d1eb00
  • SHA256: 9ec070bb0e4ef57a5bb44d205c70fc5fa2ff212cce9c38cf01d824bd7d98b254
  • SHA512: 85a878641318d95231fef0aed72e1da81856eba49eee7751859d10bb30e86eea559b7c64fc6585b877a87ef3ed56fe70e256a56db1cb7b42734deb251b0b058f
  • SSDEEP: 384:TctfxTTGVTrCleF+qHUvZ/PODQ8BJ7pKNvkyUDqMk93yrrPFc2xYSTxQu/Z2z:0TTGEIF96qQ8MLUDdygr9YKQ

Score
7/10

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL 1 IoCs
  • UPX packed file 3 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Drops file in Program Files directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies Internet Explorer settings 1 TTPs 32 IoCs
  • Modifies data under HKEY_USERS 64 IoCs
  • Modifies registry class 63 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\01cfe2ce2b9e575d8986e8e845a9701f.exe
    "C:\Users\Admin\AppData\Local\Temp\01cfe2ce2b9e575d8986e8e845a9701f.exe"
    PID: 3996
    • Checks computer location settings
    • Loads dropped DLL
    • Drops file in Program Files directory
    • Modifies Internet Explorer settings
    • Modifies data under HKEY_USERS
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    • C:\Windows\SysWOW64\cmd.exe (child of PID 3996)
      "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\01CFE2~1.EXE > nul
      PID: 1640
  • C:\Program Files (x86)\Internet Explorer\ielowutil.exe
    "C:\Program Files (x86)\Internet Explorer\ielowutil.exe" -CLSID:{0002DF01-0000-0000-C000-000000000046} -Embedding
    PID: 1056
  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
    PID: 1992
    • Modifies Internet Explorer settings
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE (child of PID 1992)
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1992 CREDAT:17410 /prefetch:2
      PID: 4548
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Program Files (x86)\Internet Security\iesplugin.dll
    Filesize: 28KB
    MD5: db58a277eebe2f29937f75020452b060
    SHA1: 70fb01e24da499a45e1be0144dced445ed71f97e
    SHA256: fb90e056f812860f9820588ea1e645d28c8c9109a804e711bd2cbe94f354233f
    SHA512: 4f64c1f8cee3fd1e77f17b53c33a857d9f28e52776a434814cf65c1be6bd11402dbc2d2abaffdb82b0636f23dec7f5ae148275faa919f256834cb38702886e0e

  • C:\ProgramData\Microsoft\Windows\Start Menu\Security Troubleshooting.url
    Filesize: 130B
    MD5: 72300cfe8adeeb0a3a68620bb1df2753
    SHA1: 864c8de6ebda1abfe1a93062e840f857f51aae08
    SHA256: 84746ebd21d61968fbc751451bb720f0dee5d06ab2d7a76b3c939dfe79bdf5b7
    SHA512: 50b759bc9b2e2ac8034fd73f850a470d5e40e8971feef74036ceb95ceddb20342e63608b04fc78671c0fba2ef07ca36c43127f7b3d829e48493b00068e9248b9

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\L3T8W3B4\suggestions[1].en-US
    Filesize: 17KB
    MD5: 5a34cb996293fde2cb7a4ac89587393a
    SHA1: 3c96c993500690d1a77873cd62bc639b3a10653f
    SHA256: c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad
    SHA512: e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

  • memory/3996-0-0x0000000000400000-0x000000000041A000-memory.dmp
    Filesize: 104KB

  • memory/3996-6-0x0000000000400000-0x000000000041A000-memory.dmp
    Filesize: 104KB

  • memory/3996-25-0x0000000000400000-0x000000000041A000-memory.dmp
    Filesize: 104KB