Analysis

  • max time kernel
    130s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20231129-en
  • resource tags

    arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
  • submitted
    30/12/2023, 06:15

General

  • Target

    10d75fc23bd105a98b8d952be81593f0.exe

  • Size

    36KB

  • MD5

    10d75fc23bd105a98b8d952be81593f0

  • SHA1

    f3ce99466acbc8ad10a0cf61d0a74d8cfd0a9eae

  • SHA256

    6b1f25d7df4d7d1b61a558ab8d28612581f67b411f14bd9620449bc04a73445b

  • SHA512

    17835ad523c48c00841978cc804f488b19f2234771c58f35c71b45a45083f0016186287a04d63364baa4464829507b5b496f3a4c5dd20c08ac5083ab89aa7d10

  • SSDEEP

    768:IkXioTU27ZB/nbcuyD7U5lSFIFhbFPiBHFUgoUn6C+bW:FDU2L/nouy85cYrPiBHFUgJn5+bW

Score
10/10

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • UPX packed file 1 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Windows\SysWOW64\reg.exe
    reg ADD "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Userinit /d C:\Windows\system32\userinit.exe,C:\Windows\system32\taskfile.exe /f
    1⤵
    • Modifies WinLogon for persistence
    PID:2668
  • C:\Windows\SysWOW64\find.exe
    find /I "0000040d" "C:\svi\003988274\svss.lpd"
    1⤵
      PID:2672
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpfile0.bat" "
      1⤵
      • Suspicious use of WriteProcessMemory
      PID:2296
    • C:\Users\Admin\AppData\Local\Temp\19A8.tmp
      C:\Users\Admin\AppData\Local\Temp\19A8.tmp C:\Users\Admin\AppData\Local\Temp
      1⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:2912
    • C:\Users\Admin\AppData\Local\Temp\10d75fc23bd105a98b8d952be81593f0.exe
      "C:\Users\Admin\AppData\Local\Temp\10d75fc23bd105a98b8d952be81593f0.exe"
      1⤵
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:2548

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\19A8.tmp

      Filesize

      14KB

      MD5

      f28c8b565f8f1501bce77a003c4bf050

      SHA1

      9c02a484f8d377bee16e929486b7f462e288ece2

      SHA256

      e56172e61dcf1a701897ce249971916779853b9cf2bdaa85d6e51120df9f4e24

      SHA512

      9785fcde44898a93dab141d8406eda223f864a2474bda0276c0cf5ba580e4f2fa77ae1b423a9df59e09c7b1abfa5f21f788c2b03ca451c26827ce8620ff0eda4

    • memory/2548-10-0x00000000000F0000-0x00000000000F7000-memory.dmp

      Filesize

      28KB

    • memory/2548-9-0x00000000000F0000-0x00000000000F7000-memory.dmp

      Filesize

      28KB

    • memory/2548-8-0x0000000000400000-0x0000000000419000-memory.dmp

      Filesize

      100KB

    • memory/2548-26-0x00000000000F0000-0x00000000000F7000-memory.dmp

      Filesize

      28KB

    • memory/2548-25-0x00000000000F0000-0x00000000000F7000-memory.dmp

      Filesize

      28KB

    • memory/2912-11-0x0000000000400000-0x0000000000407000-memory.dmp

      Filesize

      28KB

    • memory/2912-27-0x0000000000400000-0x0000000000407000-memory.dmp

      Filesize

      28KB