Analysis

  • max time kernel
    160s
  • max time network
    159s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    29-12-2023 20:52

General

  • Target

    03ae54567cafd86bfb6723f4c99d8f04.exe

  • Size

    336KB

  • MD5

    03ae54567cafd86bfb6723f4c99d8f04

  • SHA1

    c83d06039d590039b812145c5ed827bc091ca754

  • SHA256

    203081ded68b05d0eb5fcd0383345730fa7601985e8dda1ec65d14461d22d12c

  • SHA512

    cd048a88df9b837fecbdc11dc484a3470ef3a3332844b4a7de36e7cba6a5d9e277199b3dd0cdd374f90ae22b77675e1731c315a1ed8749c88c76fb70c85c73ec

  • SSDEEP

    6144:9a3f8Yb0u86b+3TqKJc1ATIRWYhjtlS1qGEwZCTxpTJnZti8gvbm7Xop0f6Gnxxk:9av8hDSCTYDLlS5EwKHTIc4p0f6mJH2

Score
7/10
upx

Signatures

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • UPX packed file 3 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • AutoIT Executable 1 IoCs

    AutoIT scripts compiled to PE executables.

  • Drops file in System32 directory 11 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\03ae54567cafd86bfb6723f4c99d8f04.exe
    "C:\Users\Admin\AppData\Local\Temp\03ae54567cafd86bfb6723f4c99d8f04.exe"
    1⤵
    • Checks computer location settings
    • Drops file in System32 directory
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:4360
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Windows\system32\hp.vbs"
      2⤵
      • Checks computer location settings
      • Suspicious use of WriteProcessMemory
      PID:1840
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\WINDOWS\system32\hp.bat" "
        3⤵
          PID:876
      • C:\Windows\SysWOW64\homep.exe
        "C:\Windows\system32\homep.exe"
        2⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:1464

    Downloads

    • C:\WINDOWS\SysWOW64\hp.bat

      Filesize

      534B

      MD5

      70592bd5aca02479fb68986e47202abf

      SHA1

      d1a75c9cd414fd9a468f756a8b2320e7f4a99cfc

      SHA256

      30139063d96c725aee5b43825259e5a64e231d3dcaa8c638855407b5df3ccf60

      SHA512

      fabbc87597a0e2827dcf9ec73372aa9658aef964e8493b402610615d56ab7cb784e3aad7664e9e0c74ca21b8973e5d8fb00c20e96daa3491d283c5e7e9a6b3e1

    • C:\Windows\SysWOW64\Internet Explorer.lnk

      Filesize

      736B

      MD5

      2f607765acc4cd7656d44fe9777e8359

      SHA1

      50f2a8d0609b61eaa3f47de60b90005350dd89e6

      SHA256

      931c5e2da205f552685694ad905acab370cb291179d8078b6c9d5edbcab3c870

      SHA512

      9d5b163d219b1bb52c08b533df3a38c083254ff7c05896e5b4aa1f3000feb39d3b673d34bf1c28b193d5ccaf3c77a5c1d447f43e4f35099ec9708a8f7fc565d8

    • C:\Windows\SysWOW64\homep.exe

      Filesize

      249KB

      MD5

      b1def34bb8a900cac4599b1df541f33b

      SHA1

      1109634dfb3a8b4c5612051cc79f71a0dc61e7d8

      SHA256

      bcad29db1ed34e6db431c984b0490297f5c4d5dc8c2d8be788ed8589357bace6

      SHA512

      96e59928367577c152fb134aa86bed40197b893cbc229fd2449e412968848eb155730c41e689f538b4371839042e9b898accbf33dd3c17bb777de29ec812f3f7

    • C:\Windows\SysWOW64\hp.vbs

      Filesize

      64B

      MD5

      4225cacbfe61d09703a320a7dc993884

      SHA1

      083805ad43702664e7e474bb28ff0ca7f0fbc2bf

      SHA256

      37af97f09437031d8ae966a4fdcc1be55d1d92558d40aed0048b97ca4b917d46

      SHA512

      66d0e6d436285884fc0d3be4714fe318229aa00dbeafd0a62f8d4489805359357069482f5daf9307ed569ad92175f55d700195c889ea2e4e4fb22c3768a218f8

    • memory/1464-29-0x0000000000400000-0x00000000004A2000-memory.dmp

      Filesize

      648KB

    • memory/1464-37-0x0000000000400000-0x00000000004A2000-memory.dmp

      Filesize

      648KB

    • memory/4360-0-0x0000000000400000-0x0000000000420000-memory.dmp

      Filesize

      128KB

    • memory/4360-24-0x0000000000400000-0x0000000000420000-memory.dmp

      Filesize

      128KB

    • memory/4360-30-0x0000000000400000-0x0000000000420000-memory.dmp

      Filesize

      128KB