Analysis

  • max time kernel
    142s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231222-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20231222-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    29-12-2023 21:03

General

  • Target

    03f37b7e3e52e10b63f67ea217130f34.exe

  • Size

    39KB

  • MD5

    03f37b7e3e52e10b63f67ea217130f34

  • SHA1

    a98967f9160270844c869227b1ba9ac8c23ad893

  • SHA256

    8981c157e64e92085adf91be032b36d9780bb5f2b10c13e75cc6ae4acb4b0035

  • SHA512

    32697c9c535ff5a18b0c22f89ec8611f8bbfbbebfc61f7c19bfecd4cc28bb9261acb51f434ce775e7e7e9f88346ce87e854b7ac18f58db5e3434b1a416699c43

  • SSDEEP

    768:lyLH7TlCuqtXF5rg1QAmdDUJKfz/XZ/ABI0MMNtjqTpifw5o:l8lCuWXbrnfdAUXZ/AiWLqTpifN

Score
8/10

Malware Config

Signatures

  • Adds policy Run key to start application 2 TTPs 2 IoCs
  • Drops file in Drivers directory 1 IoCs
  • Executes dropped EXE 2 IoCs
  • UPX packed file 7 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Drops file in System32 directory 1 IoCs
  • Launches sc.exe 6 IoCs

    sc.exe is the Windows service control utility. Here it sets the start type of wscsvc (Security Center) and SharedAccess (Windows Firewall/Internet Connection Sharing) to DISABLED, so the services stay down after the matching `net stop` calls and across reboots.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Runs net.exe
  • Suspicious use of SetWindowsHookEx 9 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\03f37b7e3e52e10b63f67ea217130f34.exe
    "C:\Users\Admin\AppData\Local\Temp\03f37b7e3e52e10b63f67ea217130f34.exe"
    1⤵
    • Adds policy Run key to start application
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3220
    • C:\Windows\SysWOW64\net.exe
      net.exe stop "Security Center"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4504
      • C:\Windows\SysWOW64\net1.exe
        C:\Windows\system32\net1 stop "Security Center"
        3⤵
        PID:1196
    • C:\Windows\SysWOW64\sc.exe
      sc config wscsvc start= DISABLED
      2⤵
      • Launches sc.exe
      PID:2212
    • C:\Windows\SysWOW64\sc.exe
      sc config SharedAccess start= DISABLED
      2⤵
      • Launches sc.exe
      PID:944
    • C:\Windows\SysWOW64\net.exe
      net.exe stop "Windows Firewall/Internet Connection Sharing (ICS)"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3024
      • C:\Windows\SysWOW64\net1.exe
        C:\Windows\system32\net1 stop "Windows Firewall/Internet Connection Sharing (ICS)"
        3⤵
        PID:4940
    • C:\Users\Admin\AppData\Local\Temp\zly0i.exe
      C:\Users\Admin\AppData\Local\Temp\zly0i.exe
      2⤵
      • Drops file in Drivers directory
      • Executes dropped EXE
      • Drops file in System32 directory
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1324
      • C:\Windows\SysWOW64\sc.exe
        sc config wscsvc start= DISABLED
        3⤵
        • Launches sc.exe
        PID:3064
      • C:\Windows\SysWOW64\net.exe
        net.exe stop "Security Center"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3328
        • C:\Windows\SysWOW64\net1.exe
          C:\Windows\system32\net1 stop "Security Center"
          4⤵
          PID:2848
      • C:\Users\Admin\AppData\Local\Temp\zly0i.exe
        C:\Users\Admin\AppData\Local\Temp\zly0i.exe -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
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1472
        • C:\Windows\SysWOW64\net.exe
          net.exe stop "Security Center"
          4⤵
          PID:3620
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop "Security Center"
            5⤵
            PID:3400
        • C:\Windows\SysWOW64\sc.exe
          sc config wscsvc start= DISABLED
          4⤵
          • Launches sc.exe
          PID:4904
        • C:\Windows\SysWOW64\net.exe
          net.exe stop "Windows Firewall/Internet Connection Sharing (ICS)"
          4⤵
          PID:2228
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop "Windows Firewall/Internet Connection Sharing (ICS)"
            5⤵
            PID:980
        • C:\Windows\SysWOW64\sc.exe
          sc config SharedAccess start= DISABLED
          4⤵
          • Launches sc.exe
          PID:828
      • C:\Windows\SysWOW64\sc.exe
        sc config SharedAccess start= DISABLED
        3⤵
        • Launches sc.exe
        PID:5032
      • C:\Windows\SysWOW64\net.exe
        net.exe stop "Windows Firewall/Internet Connection Sharing (ICS)"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1128
        • C:\Windows\SysWOW64\net1.exe
          C:\Windows\system32\net1 stop "Windows Firewall/Internet Connection Sharing (ICS)"
          4⤵
          PID:2920
    • C:\Windows\SysWOW64\Rundll32.exe
      Rundll32.exe setupapi,InstallHinfSection DefaultInstall 128 C:\Users\Admin\AppData\Local\Temp\mdinstall.inf
      2⤵
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:3956
      • C:\Windows\SysWOW64\runonce.exe
        "C:\Windows\system32\runonce.exe" -r
        3⤵
        • Checks processor information in registry
        • Suspicious use of WriteProcessMemory
        PID:4212
        • C:\Windows\SysWOW64\grpconv.exe
          "C:\Windows\System32\grpconv.exe" -o
          4⤵
          PID:2088
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\rjxqku1pp.bat
      2⤵
      PID:3932
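The process tree above is a compact, repeatable defence-evasion chain: `net stop` plus `sc config ... start= DISABLED` against Security Center and the firewall/ICS service, an INF `DefaultInstall` section pushed through `rundll32 setupapi,InstallHinfSection` from `%TEMP%` (which is where the "Adds Run key" signature fires), and a `.bat` run from the same directory; the dropped `zly0i.exe` is a byte-identical copy of the submitted sample (same hashes in the Downloads section). The detection logic below is an added example, not code from the sandbox or from the sample. It evaluates process-creation records (pid, ppid, image, command line, the fields a Sysmon Event ID 1 or 4688 record gives you) with the command lines taken from this report, then scores each process tree by how many distinct rules its descendants trigger. The parent PID 1000 and the three benign decoy records are constructed for the example.

```python
"""Detection logic for the service-disable / INF-persistence chain above.
Added example: process records are built from the report's own command
lines; PID 1000 and the decoy events 5001-5003 are invented."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


# Services the sample stops and disables. `net stop` takes the display name,
# `sc config` the short name, so both spellings must be recognised.
PROTECTED_SERVICES = {
    "wscsvc": "Security Center",
    "sharedaccess": "Windows Firewall/Internet Connection Sharing (ICS)",
}
PROTECTED_DISPLAY = {v.lower() for v in PROTECTED_SERVICES.values()}

SC_DISABLE = re.compile(r"(?i)\bsc(?:\.exe)?\s+config\s+(\S+)\s+start=\s*disabled\b")
NET_STOP = re.compile(r'(?i)\bnet1?(?:\.exe)?\s+stop\s+"?(.+?)"?\s*$')
INF_INSTALL = re.compile(
    r"(?i)\brundll32(?:\.exe)?\s+setupapi(?:\.dll)?,\s*InstallHinfSection\s+DefaultInstall\s+\d+\s+(\S+\.inf)\b"
)
CMD_BAT = re.compile(r'(?i)\bcmd(?:\.exe)?\s+/c\s+"?(\S+\.bat)"?')
# INF/batch files launched from user-writable paths are the suspicious case;
# the same commands against C:\Windows\INF are routine setup activity.
USER_WRITABLE = re.compile(r"(?i)\\(?:users|temp|programdata)\\")


def evaluate(ev: ProcEvent) -> list[tuple[str, str]]:
    """Return (rule, detail) pairs for one process-creation record."""
    findings = []
    m = SC_DISABLE.search(ev.cmdline)
    if m and m.group(1).lower() in PROTECTED_SERVICES:
        findings.append(("service_disabled_via_sc", m.group(1)))
    m = NET_STOP.search(ev.cmdline)
    if m:
        name = m.group(1).strip()
        if name.lower() in PROTECTED_SERVICES or name.lower() in PROTECTED_DISPLAY:
            findings.append(("service_stopped_via_net", name))
    m = INF_INSTALL.search(ev.cmdline)
    if m and USER_WRITABLE.search(m.group(1)):
        findings.append(("inf_defaultinstall_from_user_path", m.group(1)))
    m = CMD_BAT.search(ev.cmdline)
    if m and USER_WRITABLE.search(m.group(1)):
        findings.append(("batch_from_user_path", m.group(1)))
    return findings


def root_of(pid: int, by_pid: dict[int, ProcEvent]) -> int:
    """Walk parent links up to the top-most process we have a record for."""
    while pid in by_pid and by_pid[pid].ppid in by_pid:
        pid = by_pid[pid].ppid
    return pid


def score_trees(events: list[ProcEvent]) -> dict[int, dict[str, set[str]]]:
    """Group findings by the root of each process tree: root -> rule -> details."""
    by_pid = {e.pid: e for e in events}
    trees: dict[int, dict[str, set[str]]] = {}
    for e in events:
        for rule, detail in evaluate(e):
            trees.setdefault(root_of(e.pid, by_pid), {}).setdefault(rule, set()).add(detail)
    return trees


def verdict(trees: dict[int, dict[str, set[str]]], min_rules: int = 2) -> dict[int, list[str]]:
    """Roots whose subtree triggered at least `min_rules` distinct rules."""
    return {root: sorted(rules) for root, rules in trees.items() if len(rules) >= min_rules}


T = r"C:\Users\Admin\AppData\Local\Temp"
SAMPLE_EVENTS = [  # constructed from the report's process tree
    ProcEvent(3220, 1000, T + r"\03f37b7e3e52e10b63f67ea217130f34.exe",
              '"' + T + r'\03f37b7e3e52e10b63f67ea217130f34.exe"'),
    ProcEvent(4504, 3220, r"C:\Windows\SysWOW64\net.exe", 'net.exe stop "Security Center"'),
    ProcEvent(1196, 4504, r"C:\Windows\SysWOW64\net1.exe", r'C:\Windows\system32\net1 stop "Security Center"'),
    ProcEvent(2212, 3220, r"C:\Windows\SysWOW64\sc.exe", "sc config wscsvc start= DISABLED"),
    ProcEvent(944, 3220, r"C:\Windows\SysWOW64\sc.exe", "sc config SharedAccess start= DISABLED"),
    ProcEvent(3024, 3220, r"C:\Windows\SysWOW64\net.exe",
              'net.exe stop "Windows Firewall/Internet Connection Sharing (ICS)"'),
    ProcEvent(3956, 3220, r"C:\Windows\SysWOW64\Rundll32.exe",
              "Rundll32.exe setupapi,InstallHinfSection DefaultInstall 128 " + T + r"\mdinstall.inf"),
    ProcEvent(3932, 3220, r"C:\Windows\SysWOW64\cmd.exe", r"C:\Windows\system32\cmd.exe /c " + T + r"\rjxqku1pp.bat"),
    # benign decoys (invented): an admin disabling the spooler, a driver INF from C:\Windows\INF
    ProcEvent(5001, 1000, r"C:\Windows\System32\sc.exe", "sc config Spooler start= DISABLED"),
    ProcEvent(5002, 1000, r"C:\Windows\System32\net.exe", "net stop Spooler"),
    ProcEvent(5003, 1000, r"C:\Windows\System32\rundll32.exe",
              r"rundll32.exe setupapi,InstallHinfSection DefaultInstall 132 C:\Windows\INF\usbstor.inf"),
]

if __name__ == "__main__":
    for root, rules in verdict(score_trees(SAMPLE_EVENTS)).items():
        print(f"PID {root}: {', '.join(rules)}")
```

Scoring per tree rather than per event is the point: a lone `sc config ... DISABLED` is something an administrator types, but one root process whose children both stop the Security Center and install an INF from `%TEMP%` is not. `runonce.exe -r` and `grpconv.exe -o` are the normal follow-on children of an `InstallHinfSection` call and are deliberately not scored on their own; the INF path is what carries the signal.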

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\mdinstall.inf
    Filesize: 413B
    MD5: ce1f2d7c8e36f3c085a5d281b9ebeb2f
    SHA1: bbbfae948d625afe50f66f34282bda3974cfdce5
    SHA256: 312239a5c6333e6d1e8ba9f0e81856c37347be0f21d194741ae1d25538cd130c
    SHA512: 89f69b88bdfb391f58abaefbbae7e393571709c0ea6a268794c035200674ad3a8615a65944373559aead87e8d5ab09f334e2b1563c1bde912aa26a485b76357e

  • C:\Users\Admin\AppData\Local\Temp\rjxqku1pp.bat
    Filesize: 190B
    MD5: 06a64df409ba42664fa09605c8398dc6
    SHA1: a69aa15d4be29366d136a9e363b269988e21945b
    SHA256: b6176f45a01338eacaa8fe923ba6c53ccdd7013cf4921b17814e3e43b6d61592
    SHA512: 115927c40b240588bed1859600a64612c32819dd97e84ed8526da2c6b4d6ac78043897679395f15dbb2cf4adffbea730f6d5228e711d50f96459c5343a2ce23a

  • C:\Users\Admin\AppData\Local\Temp\zly0i.exe (same size and hashes as the submitted sample, i.e. a self-copy)
    Filesize: 39KB
    MD5: 03f37b7e3e52e10b63f67ea217130f34
    SHA1: a98967f9160270844c869227b1ba9ac8c23ad893
    SHA256: 8981c157e64e92085adf91be032b36d9780bb5f2b10c13e75cc6ae4acb4b0035
    SHA512: 32697c9c535ff5a18b0c22f89ec8611f8bbfbbebfc61f7c19bfecd4cc28bb9261acb51f434ce775e7e7e9f88346ce87e854b7ac18f58db5e3434b1a416699c43

  • memory/1324-21-0x0000000000400000-0x0000000000425000-memory.dmp (Filesize: 148KB)
  • memory/1324-30-0x0000000000400000-0x0000000000425000-memory.dmp (Filesize: 148KB)
  • memory/1472-22-0x0000000000400000-0x0000000000425000-memory.dmp (Filesize: 148KB)
  • memory/1472-27-0x0000000000400000-0x0000000000425000-memory.dmp (Filesize: 148KB)
  • memory/3220-0-0x0000000000400000-0x0000000000425000-memory.dmp (Filesize: 148KB)
  • memory/3220-15-0x0000000000400000-0x0000000000425000-memory.dmp (Filesize: 148KB)