Overview

overview

10

Static

static

3

01f201649c...02.exe

windows7-x64

10

01f201649c...02.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    152s
  • max time network
    167s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
  • submitted
    29/12/2023, 19:36

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    01f201649c2ab1170d1274ed7d409102.exe

  • Size

    40KB

  • MD5

    01f201649c2ab1170d1274ed7d409102

  • SHA1

    b8459c8a1e286a7206c52638349765a27ab96b22

  • SHA256

    8996a92475ee1bfb7e919781988ee166ef955ab475083ce9640b760d2c4597f9

  • SHA512

    70d8414b7586a0332622313fa9e1dd5652c36c9ba577aafc9e1d58fbb15677dd624a11babea742f07b142e0f0e6f5ad76d0b61fc5629629d6125929766f8971f

  • SSDEEP

    768:qV3IdxEAtypwZ+XT7DOOGHIBklSr9EZTYkYWM:qVYdxOpcmDZGHIWor9QTYkY9

Score
10/10
persistenceupx

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
    persistence
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • UPX packed file 3 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Drops file in System32 directory 5 IoCs
  • Drops file in Windows directory 1 IoCs
  • Program crash 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\01f201649c2ab1170d1274ed7d409102.exe
    "C:\Users\Admin\AppData\Local\Temp\01f201649c2ab1170d1274ed7d409102.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3264
    • C:\Windows\SysWOW64\ahue.exe
      "C:\Windows\system32\ahue.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      PID:4312
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 4312 -s 572
        3⤵
        • Program crash
        PID:4504
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\01F201~1.EXE > nul
      2⤵
        PID:448
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 208 -p 4312 -ip 4312
      1⤵
        PID:3296

      Network

            MITRE ATT&CK Enterprise v15

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\Windows\SysWOW64\ahue.exe
              Filesize

              7KB

              MD5

              55a8613c178341227f407592314efe1c

              SHA1

              a39f8d9e12057d65683d12baff8d0ecc20e710c4

              SHA256

              dc4f8b4a613d4610e3481ef62d8eae83e0bb14059f5bfa66190795c91beaed7b

              SHA512

              4a7c63292036bc17e1c975231b61aa8c2091f98db79c13757b7c39de56035ea3b2f8d9845668878d10a37afd8ba3038251b6963ced5d8aa1f8cb100fadb06af4

              Download Submit

            • C:\Windows\SysWOW64\apphelp.nud
              Filesize

              13KB

              MD5

              a341eec94a442ac60ecb78bd1f51d0e3

              SHA1

              d00be332c5cb2e6dd480983ab9b974bbdebb261d

              SHA256

              5cc85d51cd4124a68e5e08951c873eeb7aeccc209c49deddebe3d7bc643e2389

              SHA512

              b53471f7d974708243b0cdb4c9415b4e0fa11d9bdee1648ba3a7975a7bff573a8e650eaf8960810458d35a9cf2eed9f647f054f45f992412f1a47756b0366df5

              Download Submit

            • memory/4312-8-0x0000000000400000-0x0000000000409000-memory.dmp

              Filesize

              36KB

              Download

            • memory/4312-12-0x0000000010000000-0x000000001000C000-memory.dmp

              Filesize

              48KB

              Download

            • memory/4312-13-0x00000000006D0000-0x00000000006D1000-memory.dmp

              Filesize

              4KB

              Download

            • memory/4312-14-0x0000000000400000-0x0000000000409000-memory.dmp

              Filesize

              36KB

              Download

            • memory/4312-15-0x0000000010000000-0x000000001000C000-memory.dmp

              Filesize

              48KB

              Download

            • memory/4312-17-0x0000000010000000-0x000000001000C000-memory.dmp

              Filesize

              48KB

              Download