Overview

overview

10

Static

static

3

00c3fda4ff...87.exe

windows7-x64

10

00c3fda4ff...87.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20231129-en
  • resource tags

    arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
  • submitted
    29-12-2023 18:40

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    00c3fda4ff09940ca177d13c0bb3f187.exe

  • Size

    422KB

  • MD5

    00c3fda4ff09940ca177d13c0bb3f187

  • SHA1

    eb366e746c352d9b55661f46a57d44990162b808

  • SHA256

    38b9b8ce46960c89911829a3d09c9fa2f61fd8a9a634f4293cc625dcf65803b3

  • SHA512

    7eb0f82ed64e1c5071b276cf478754f9163ab70d45eb7f1888175de2db701e8a6378fb661440d0212137302fa8059d2a40db019b28ac196a2bace19898984faf

  • SSDEEP

    6144:3/2aLWp4E0ETZY1T23Eu0i67n4+f74PEAh2g/JS8A77iiYce47jstv6DJg:3/2MWZZJUpi64i4PT5Ipnre4soDO

Score
10/10
persistenceupx

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
    persistence
  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • UPX packed file 5 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\00c3fda4ff09940ca177d13c0bb3f187.exe
    "C:\Users\Admin\AppData\Local\Temp\00c3fda4ff09940ca177d13c0bb3f187.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Loads dropped DLL
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2372
    • C:\ProgramData\pA21800GcPlJ21800\pA21800GcPlJ21800.exe
      "C:\ProgramData\pA21800GcPlJ21800\pA21800GcPlJ21800.exe" "C:\Users\Admin\AppData\Local\Temp\00c3fda4ff09940ca177d13c0bb3f187.exe"
      2⤵
      • Deletes itself
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of AdjustPrivilegeToken
      PID:268

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\pA21800GcPlJ21800\pA21800GcPlJ21800
    Filesize

    208B

    MD5

    ae6ecefaca9a2fb0bfd0cd2e8e5019cd

    SHA1

    2402793d5a50900cdaef9dbe22c09c4dfdf03fdb

    SHA256

    081af07fddfb42c7feab323edd9be88ee64c90975f490691b149e7e742fb8972

    SHA512

    7c11edb01d36bd5f1f051e32ee43339837e9fcd9eba00bb5a318d8e894a0d12106bfc0141ae34c5365baa5fe6e17eaf80dee553f6aa7805a9999d853c2610fe9

    Download Submit

  • C:\ProgramData\pA21800GcPlJ21800\pA21800GcPlJ21800.exe
    Filesize

    422KB

    MD5

    f41d16e1fc735ce63cd4d37e5088d5ab

    SHA1

    fcee49f9ea148f3f4befbecec5b1f121b8beaf3c

    SHA256

    bbbd4b9c81893443e42b43cb26dbae537ad7158a8b3e11bc693d4fb5fca53b51

    SHA512

    cb73d4440df250f61d2b3e0e4471e556e6c4a5d49e79c6259cc266271613b1ebcae488bb4ce3d8eb5822b61826e042057de72273ffd213da6614933809894321

    Download Submit

  • memory/268-31-0x0000000000400000-0x00000000004D2000-memory.dmp

    Filesize

    840KB

    Download

  • memory/268-38-0x0000000000400000-0x00000000004D2000-memory.dmp

    Filesize

    840KB

    Download

  • memory/2372-0-0x0000000000300000-0x0000000000303000-memory.dmp

    Filesize

    12KB

    Download

  • memory/2372-1-0x0000000000400000-0x00000000004D2000-memory.dmp

    Filesize

    840KB

    Download

  • memory/2372-10-0x0000000000400000-0x00000000004D2000-memory.dmp

    Filesize

    840KB

    Download

  • memory/2372-30-0x0000000000400000-0x00000000004D2000-memory.dmp

    Filesize

    840KB

    Download