Analysis

  • max time kernel
    121s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20231129-en
  • resource tags

    arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
  • submitted
    30-12-2023 08:19

General

  • Target

    1341f290bac6394454de086e9c7dd58d.exe

  • Size

    20KB

  • MD5

    1341f290bac6394454de086e9c7dd58d

  • SHA1

    b7aca1f2f0044921e40d130a2ab9fdbb1a90f28f

  • SHA256

    d097a847f06b698accc337c2ca7833c8e729a2e2755a261b91efe2e4bb0159b4

  • SHA512

    179fc93cc3efcaeae1af6d24313c799d893ed3a5d3e4942658f93e885d6b51586f9be8dc057ad27e3bec5393818b8d39fed6c20b9f658669ef141a3227f87c06

  • SSDEEP

    384:ZqhhXLRWHpmK2IZh0pqA4To0KtBKMWFIdtWOmQlOiOnBpDWFEa:Zqh7/KJX0pn4To0KXKMWctWxkOP/J

Score
7/10
upx

Malware Config

Signatures

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 4 IoCs
  • UPX packed file 7 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops file in System32 directory 2 IoCs
  • Drops file in Program Files directory 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1341f290bac6394454de086e9c7dd58d.exe
    "C:\Users\Admin\AppData\Local\Temp\1341f290bac6394454de086e9c7dd58d.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2948
    • \??\c:\windows\SysWOW64\gdisvc.exe
      c:\windows\system32\gdisvc.exe c:\users\admin\appdata\local\temp\1341f290bac6394454de086e9c7dd58d.exe
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2984
  • \??\c:\windows\SysWOW64\gdisvc.exe
    c:\windows\system32\gdisvc.exe c:\windows\syswow64\gdisvc.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of SetWindowsHookEx
    PID:2576

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • \Windows\SysWOW64\gdisvc.exe

    Filesize

    20KB

    MD5

    1341f290bac6394454de086e9c7dd58d

    SHA1

    b7aca1f2f0044921e40d130a2ab9fdbb1a90f28f

    SHA256

    d097a847f06b698accc337c2ca7833c8e729a2e2755a261b91efe2e4bb0159b4

    SHA512

    179fc93cc3efcaeae1af6d24313c799d893ed3a5d3e4942658f93e885d6b51586f9be8dc057ad27e3bec5393818b8d39fed6c20b9f658669ef141a3227f87c06

  • memory/2576-30-0x0000000000400000-0x0000000000415000-memory.dmp

    Filesize

    84KB

  • memory/2948-32-0x0000000000400000-0x0000000000415000-memory.dmp

    Filesize

    84KB

  • memory/2948-19-0x00000000002D0000-0x00000000002E5000-memory.dmp

    Filesize

    84KB

  • memory/2948-12-0x00000000002D0000-0x00000000002E5000-memory.dmp

    Filesize

    84KB

  • memory/2948-0-0x0000000000400000-0x0000000000415000-memory.dmp

    Filesize

    84KB

  • memory/2984-31-0x0000000000400000-0x0000000000415000-memory.dmp

    Filesize

    84KB

  • memory/2984-27-0x00000000005B0000-0x00000000005C5000-memory.dmp

    Filesize

    84KB

  • memory/2984-20-0x0000000000400000-0x0000000000415000-memory.dmp

    Filesize

    84KB