Analysis

  • max time kernel
    161s
  • max time network
    170s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    30/12/2023, 02:25

General

  • Target

    0b92b052457511c214db0b8f2faf0c30.exe

  • Size

    955KB

  • MD5

    0b92b052457511c214db0b8f2faf0c30

  • SHA1

    95d8b72b8a700a88ad5cebc591abe626c7507735

  • SHA256

    0c4cd60a8770e657c3dc4d160d99bf29f8481226890f362580d3c3a729ccc3a6

  • SHA512

    4f8cce68b9c6971455ac07a9c0fdd13b60edd9c257546bfde975dae66ea60fba1010f4f6d658bb048901211a3a8f2cd52c4026192a4291796d3f6448fa8ac9e1

  • SSDEEP

    12288:JYlRFHBdIwCDrA6hWVz0v/Cya+sNzaOvoJpaz/g/J/vVWyM:ulzhOwCDE6hCOo+sNH8az/g/J/NWy

Score
8/10

Malware Config

Signatures

  • Drops file in Drivers directory 2 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • UPX packed file 3 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Drops file in System32 directory 1 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: LoadsDriver 2 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0b92b052457511c214db0b8f2faf0c30.exe
    "C:\Users\Admin\AppData\Local\Temp\0b92b052457511c214db0b8f2faf0c30.exe"
    1⤵
    • Drops file in Drivers directory
    • Checks computer location settings
    • Drops file in System32 directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: RenamesItself
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1852
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\240676687.dll testall
      2⤵
      • Loads dropped DLL
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      PID:3280
    • C:\Windows\SysWOW64\240702203.exe
      "C:\Windows\system32\240702203.exe"
      2⤵
      • Drops file in Drivers directory
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • Suspicious use of AdjustPrivilegeToken
      PID:5060
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kl78a.bat" "
      2⤵
      PID:3976

Network

MITRE ATT&CK Enterprise v15

Downloads

    • C:\Users\Admin\AppData\Local\Temp\240676687.dll

      Filesize

      14KB

      MD5

      962cab8783e4346bf2fd5ac1530a820e

      SHA1

      e5fa0795fafc737f13746ef09b63549bf965a627

      SHA256

      d443d789343c7509885062da36ca881c436bb4a0ff2e1facde138727b5c5699a

      SHA512

      5047c747925f6fc792b6929d19706fed5517a002a8bbf5a7c69d3142e5614b80b53c02b585846002a17e8433cf7c415852bda4abeaa77745c4048c376c6301af

    • C:\Users\Admin\AppData\Local\Temp\kl78a.bat

      Filesize

      2KB

      MD5

      02d9d918fa8b60987185a61ce70cc334

      SHA1

      5425ad813a105fd0ddf3ee0308007fcfb3d65373

      SHA256

      5d4f091e6c30078388efe7609645cbd36c115b14fcca7d400b1ed0c3c1b3cd2d

      SHA512

      00f7f6f979998884256a28b18774a83e4be675dda96f86dcf77b84f4a78a96ed2c998c86a9a2af182c31c8f07e6c00a4e854b0257b89a6d873b1747bd3b12cbd

    • C:\Users\Admin\AppData\Local\Temp\ope1F56.tmp

      Filesize

      4.3MB

      MD5

      6c7cdd25c2cb0073306eb22aebfc663f

      SHA1

      a1eba8ab49272b9852fe6a543677e8af36271248

      SHA256

      58280e3572333f97a7cf9f33e8d31dc26a98b6535965ebd0bde82249fc9bf705

      SHA512

      17344e07b9e9b2cd6ae4237d7f310732462f9cbb8656883607d7a1a4090e869265f92a6da1718dee50b1375b91583de60c6bd9e7e8db6b6e45e33f4b894365d6

    • C:\Windows\SysWOW64\240702203.exe

      Filesize

      12KB

      MD5

      a8528adb7b7c714cd966df5dcbf3e0af

      SHA1

      443ecbe1be975c3249f8817f6041556bbc52a82a

      SHA256

      140b915394135458d28f68d58bcd304d23bbbfe94fb06e817e951f96c59be823

      SHA512

      22a673ea4f75d4864de5846bc7901b88399fbad7fe8ef4fd325b6e46a81c13919df2238cde100ae83dff4ffafcca8805ca1734d516f36ebd4ccaa91278562b4e

    • memory/1852-0-0x0000000000400000-0x0000000000410000-memory.dmp

      Filesize

      64KB

    • memory/1852-1-0x0000000000400000-0x0000000000410000-memory.dmp

      Filesize

      64KB

    • memory/1852-30-0x0000000000400000-0x0000000000410000-memory.dmp

      Filesize

      64KB

    • memory/3280-7-0x0000000010000000-0x0000000010006000-memory.dmp

      Filesize

      24KB