Overview

overview

7

Static

static

3

1b6cece5f8...aa.exe

windows7-x64

7

1b6cece5f8...aa.exe

windows10-2004-x64

7

Resubmissions

29-11-2024 09:10

241129-k5gmysslgp 10

30-12-2023 14:28

231230-rs5mkshbek 7

Analysis

  • max time kernel
    149s
  • max time network
    144s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
  • submitted
    30-12-2023 14:28

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    1b6cece5f8a8a9e1d4478116bd7dd5aa.exe

  • Size

    4.0MB

  • MD5

    1b6cece5f8a8a9e1d4478116bd7dd5aa

  • SHA1

    e7e834d4097010f9c67d56fd6b9299a6bf198174

  • SHA256

    dbc19471ecdeb4ba023f2d145858e2bfe18a17af68065a035738637304af681a

  • SHA512

    4377d5b2e15d39158cc9ab555ce826c1943dfe9b35e569d3b566d6dc83f7b87f743ee248d691817dfe020e265ab829b6e85cca1aba798b460d78af90bdf378de

  • SSDEEP

    98304:2nsmtk2aqk02VdBXD0NYTzjv9UzvassGeR6B6q24Ro7:oLNk02Vd6YrOLbTeR6BLm7

Score
7/10
collectionpersistenceupx

Malware Config

Signatures

  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 7 IoCs
  • UPX packed file 14 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Accesses Microsoft Outlook profiles 1 TTPs 1 IoCs
    collection
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Enumerates connected drives 3 TTPs 1 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Maps connected drives based on registry 3 TTPs 2 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 13 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 6 IoCs
  • Modifies Internet Explorer settings 1 TTPs 39 IoCs
    adwarespyware
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: LoadsDriver 1 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1b6cece5f8a8a9e1d4478116bd7dd5aa.exe
    "C:\Users\Admin\AppData\Local\Temp\1b6cece5f8a8a9e1d4478116bd7dd5aa.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:2568
    • C:\Users\Admin\AppData\Local\Temp\._cache_1b6cece5f8a8a9e1d4478116bd7dd5aa.exe
      "C:\Users\Admin\AppData\Local\Temp\._cache_1b6cece5f8a8a9e1d4478116bd7dd5aa.exe"
      2⤵
      • Executes dropped EXE
      • Accesses Microsoft Outlook profiles
      • Enumerates connected drives
      • Maps connected drives based on registry
      • Checks processor information in registry
      • Enumerates system info in registry
      • Modifies Internet Explorer settings
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      • outlook_win_path
      PID:2392
      • C:\Windows\splwow64.exe
        C:\Windows\splwow64.exe 12288
        3⤵
          PID:2324
      • C:\ProgramData\Synaptics\Synaptics.exe
        "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
        2⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:2872
        • C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
          "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
          3⤵
          • Executes dropped EXE
          PID:2640
    • C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
      "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
      1⤵
      • Enumerates system info in registry
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      PID:2132

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\ProgramData\Synaptics\Synaptics.exe
      Filesize

      140KB

      MD5

      171874367b08795404606b855d8d119f

      SHA1

      5aab888b086ae0cc2c627ac044a018e5c1fa808f

      SHA256

      26fda644af6afe4af2ac398895a4c48f387fd53954d29ceb6ce4561e1c01818f

      SHA512

      638dd92116318c6b8bc40f59f4d4e5df6c94aa9dbe1a75bd0586ff286620bcbf2eb275b56be5830c221462356db50ba2aa73dc52cb315168afd9d5c6d78521b1

      Download Submit

    • C:\ProgramData\Synaptics\Synaptics.exe
      Filesize

      82KB

      MD5

      95003ca5cd62fe20de849db7fca450c8

      SHA1

      18b5447dd4b1a4de964609869e628879aa4d169b

      SHA256

      77a4db3d00f581d02a02fb27dcda9748310ab1b9f7bbed8adc9e0fbb35ba2792

      SHA512

      029a81b912e2f95c64983c98b372a04e576a6773b64b3378ef3044819ebb42597563f51dfcc8a3d527d57fbbbf7cda8950e581a21025373bb6cf2a1ff1dfd9c5

      Download Submit

    • C:\ProgramData\Synaptics\Synaptics.exe
      Filesize

      68KB

      MD5

      bb6f9c330c99dafad23f74292f9a78bf

      SHA1

      7f87ce7dc5a215b41ec367f8f11fdb451702530e

      SHA256

      8a63ea7a673d22a8dbba79c61993282eb9c05152843458d61045cf69fdf6bdaa

      SHA512

      50dfd9f54b8d5877599dcc5fd5b3596f3a99a444d53c94e9a96e580239bc1706da9f88e4ebf29e1c94313db54b73f8e7b3982d145e64954955e32399e456d657

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\._cache_1b6cece5f8a8a9e1d4478116bd7dd5aa.exe
      Filesize

      158KB

      MD5

      2f56c520fe6ac239887f59e8b7e9076f

      SHA1

      d74ed786864eb1625358f53b5f7f568e7c6dace6

      SHA256

      7c0c27715b6a869e757d83ba081cda69a5c91a3c8ad4b65d54389ea0404e252d

      SHA512

      5bc4a39aaeea97d54c86f61c74691aa395793dede18e6c88dc496a5a91f60ca24a200d75d85b89dad779fc0c5aeee9c59f8f405e65f59d72bba33051f6f1c2fd

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\._cache_1b6cece5f8a8a9e1d4478116bd7dd5aa.exe
      Filesize

      266KB

      MD5

      3b88b73db435209fab57a1a63844942d

      SHA1

      c305eaf1015ad22fc69655770229b2bdef4824b0

      SHA256

      8fd7789f19285d426ecf4a24740cf36ec344248f3fdd31873443ca40c0ca878e

      SHA512

      225863705141669b6dcf1ddc6d1ab8fa0aea0ae753992399991fdb6e26304dc49b4b485ea75b224c27a93b1b2ec84727f7c89c02e60a40a682912cdd0cb6a94c

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\._cache_1b6cece5f8a8a9e1d4478116bd7dd5aa.exe
      Filesize

      214KB

      MD5

      be797f74e85d134d8d078a2646946bde

      SHA1

      a3ae3100d9999b0171b4db5ffc6f6de28cd8acdd

      SHA256

      5f907941d60ba9030a2ecb93a8337c60443f4faf8a85fca125843cc14016cefa

      SHA512

      463df946e7b0c3fa1a2fcfda2ae4860febf5fa6fa052fa13b30926fc572d8a5736f633fcefb1bf5eed7a1cb41b11efa5d7156a7ccc3c734e3ede29fddb9c989e

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
      Filesize

      82KB

      MD5

      8a613c42752aa785726c45271bd38d28

      SHA1

      119593c6a698115cafffd98431109e49a8cbd7a6

      SHA256

      2581c5ce0b3982fa23e562aeed1a0e0103fe2515278f276c00804987a7c77ebf

      SHA512

      bce12b8fc0a6e902ba8a992c1042e43f68560eddda160ed70c2c6401d4e260576135dcb4b9e5e51f7e584cad98fc97ddb4df56e889378c1d943c1989f8e43403

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\jhNwDmEV.xlsm
      Filesize

      17KB

      MD5

      e566fc53051035e1e6fd0ed1823de0f9

      SHA1

      00bc96c48b98676ecd67e81a6f1d7754e4156044

      SHA256

      8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

      SHA512

      a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\rpt-1.htm
      Filesize

      134KB

      MD5

      05e768edce86c4f2f66b47c20c330200

      SHA1

      179b2f1b194c96bb39a69b6832aec20de84b0f52

      SHA256

      6845bfb9e5c07e7e12950aeb8ac8d4e7e4eb81f7e98781297d130435adba9443

      SHA512

      e56f557123988269bf730db445b3bdce3ef3284e9ec83081686fab82688f485aa1c0abde5964c480b620d88c48a38c2c7c143476c077e9a6925e69c09f61e4c3

      Download Submit

    • \ProgramData\Synaptics\Synaptics.exe
      Filesize

      131KB

      MD5

      2197b88440bbb80413417c8842e60511

      SHA1

      fa713b829043a08d83d83fa407ae7d1c6064375c

      SHA256

      7c4d6d4d05ed3816f527a61b36d80744c496744d5f18323e66daaf3768716ca9

      SHA512

      2b437dd23fb8872b34f5e12d5cd5e0586c4052127657b8ee1366d4d0c4d7a6ccc5b15b8d9e17903d7693fd8b8b42a32ce8c88d137255b599d43a02578f511cee

      Download Submit

    • \ProgramData\Synaptics\Synaptics.exe
      Filesize

      140KB

      MD5

      801121cd49a5592c7e6cee1914c9be7a

      SHA1

      987ecc702a21a6e7a6b1c003e16713b0dffa9f0a

      SHA256

      cbd52a9bdec04332e5a6b8eff61b2b7a5e2638db9bcb98d836b74df8289cd2f7

      SHA512

      fdf7ad38cfa6ce6e9d57b354cb9f2b644682d68f18c203bd65920e4f0b742cf798a4516894aaadef9b5b13e14a8e5b864988e514cdc77d16c1bb2957cae8d4d9

      Download Submit

    • \ProgramData\Synaptics\Synaptics.exe
      Filesize

      50KB

      MD5

      3dc43a84e6f00be0844e9e261b426e2e

      SHA1

      50a4dcfb9033ebe7f28462a258799a563a0e8f40

      SHA256

      1378394535f71acd46d96e960bf048b9c888a99b3a7ee574eb65404ffd0a961c

      SHA512

      801de4f681f37f8034a602a8378f59ec2a01b84bad826fedd454b64eea91ce3ae9186def4388eaef580ff5e14d5ad6d42f58a54909dfbe3d260965248b1c1a7a

      Download Submit

    • \Users\Admin\AppData\Local\Temp\._cache_1b6cece5f8a8a9e1d4478116bd7dd5aa.exe
      Filesize

      262KB

      MD5

      4cd766dc00c6682610b1df722dccda89

      SHA1

      4cb7c833d67213500b2507b5de7b24ebdc225f4b

      SHA256

      eabefa0344d8a71e4b3336f651394f9d8f9619cdae654b77910cc6e2d20153ee

      SHA512

      8939976119bef050647dfc884544559eb0eb520a86ab9c7da3b9ce50abae17767bdf3bbf781b824cf5fbc6c01190275bde01bdefd7eec7f9a85fd846035df9b7

      Download Submit

    • \Users\Admin\AppData\Local\Temp\._cache_1b6cece5f8a8a9e1d4478116bd7dd5aa.exe
      Filesize

      184KB

      MD5

      7b239b87bc3e943262dbca6eab831adb

      SHA1

      a54fef4325c326cb73c2a4cd733bc403a7d142f5

      SHA256

      c1341dec6e12b1ffd731e3f2d65a85c76869617e99cbb95191fb73c7b62a98a8

      SHA512

      a89a1630d72759474344df4676c41a9ebc8c654c8a7f035116c3a3658108777e87f0bda493316cdf25331c7d4eae82a219dab8816555123ea6d2b8c3c75292fb

      Download Submit

    • \Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
      Filesize

      91KB

      MD5

      46b918deee13296aec2de184d1f9a067

      SHA1

      82973d256be58dd9048217b63600d5ab32b572c1

      SHA256

      15c9f4225a168311dc0ae4ff8bc2e26db07d179956801fd0f0186158545681f0

      SHA512

      7c0465634ec0cb21a9525e60222651f5700a76d56e6df390bc0c51887a46a214263af9e69d8b3f8d48ec44283ae26e5bb09e2e61d189573b057f09916949f498

      Download Submit

    • \Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
      Filesize

      63KB

      MD5

      204c6ac3586af2c9a883272ef62a661b

      SHA1

      fc46be28200b14f3d0afda0a3f3ac31e37d60e52

      SHA256

      a1ab9b36303ab085bd3c15c52659a304813884f88217a8148b254dac757aee7c

      SHA512

      6d447c06221e1c7353baff466b82da8b582113e2b6f16c06b874d5d6c66ff662bc34c36aff699b3196eeac8841d0eae4922372b72349d5e360165d72985f3f27

      Download Submit

    • memory/2132-88-0x0000000071D1D000-0x0000000071D28000-memory.dmp

      Filesize

      44KB

      Download

    • memory/2132-51-0x0000000071D1D000-0x0000000071D28000-memory.dmp

      Filesize

      44KB

      Download

    • memory/2132-50-0x000000005FFF0000-0x0000000060000000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2392-81-0x00000000001A0000-0x00000000001A1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2392-75-0x0000000006B70000-0x0000000006B79000-memory.dmp

      Filesize

      36KB

      Download

    • memory/2392-85-0x00000000003E0000-0x00000000003EA000-memory.dmp

      Filesize

      40KB

      Download

    • memory/2392-86-0x0000000000400000-0x0000000001E0C000-memory.dmp

      Filesize

      26.0MB

      Download

    • memory/2392-108-0x0000000000400000-0x0000000001E0C000-memory.dmp

      Filesize

      26.0MB

      Download

    • memory/2392-106-0x0000000000400000-0x0000000001E0C000-memory.dmp

      Filesize

      26.0MB

      Download

    • memory/2392-31-0x00000000001A0000-0x00000000001A1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2392-29-0x0000000000400000-0x0000000001E0C000-memory.dmp

      Filesize

      26.0MB

      Download

    • memory/2392-47-0x00000000067E0000-0x00000000067E1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2392-71-0x0000000000400000-0x0000000001E0C000-memory.dmp

      Filesize

      26.0MB

      Download

    • memory/2392-84-0x00000000067E0000-0x00000000067E1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2392-76-0x0000000006DA0000-0x0000000006DC9000-memory.dmp

      Filesize

      164KB

      Download

    • memory/2392-79-0x0000000006DA0000-0x0000000006DE8000-memory.dmp

      Filesize

      288KB

      Download

    • memory/2392-78-0x0000000006B70000-0x0000000006B7D000-memory.dmp

      Filesize

      52KB

      Download

    • memory/2392-77-0x0000000006B70000-0x0000000006B7A000-memory.dmp

      Filesize

      40KB

      Download

    • memory/2568-74-0x0000000005530000-0x0000000006F3C000-memory.dmp

      Filesize

      26.0MB

      Download

    • memory/2568-28-0x0000000000400000-0x000000000080F000-memory.dmp

      Filesize

      4.1MB

      Download

    • memory/2568-0-0x0000000000230000-0x0000000000231000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2568-20-0x0000000005530000-0x0000000006F3C000-memory.dmp

      Filesize

      26.0MB

      Download

    • memory/2640-45-0x0000000000400000-0x0000000001E0C000-memory.dmp

      Filesize

      26.0MB

      Download

    • memory/2640-48-0x0000000000120000-0x0000000000121000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2872-72-0x0000000000400000-0x000000000080F000-memory.dmp

      Filesize

      4.1MB

      Download

    • memory/2872-87-0x0000000000400000-0x000000000080F000-memory.dmp

      Filesize

      4.1MB

      Download

    • memory/2872-83-0x00000000053C0000-0x0000000006DCC000-memory.dmp

      Filesize

      26.0MB

      Download

    • memory/2872-82-0x0000000000220000-0x0000000000221000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2872-32-0x0000000000220000-0x0000000000221000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2872-46-0x00000000053C0000-0x0000000006DCC000-memory.dmp

      Filesize

      26.0MB

      Download

    • memory/2872-49-0x00000000053C0000-0x0000000006DCC000-memory.dmp

      Filesize

      26.0MB

      Download

    • memory/2872-141-0x0000000000400000-0x000000000080F000-memory.dmp

      Filesize

      4.1MB

      Download