Analysis

  • max time kernel
    126s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
  • submitted
    31/12/2023, 06:12

General

  • Target

    2b5210cdd94d2e35817ca49e9f5c7f91.exe

  • Size

    154KB

  • MD5

    2b5210cdd94d2e35817ca49e9f5c7f91

  • SHA1

    2c9826bed9a93d34d89777e1e823c4083ede7ba4

  • SHA256

    f93464bca9354f9e9a6bdf39641ceeadb19ca79f62d1537acf17840d775ae3b6

  • SHA512

    b75184bfd0760213c4347fdaf629fdb159efdc29c950f475de8f0b128a53ff396f9c1a7d1249d8408cd442884a876c7ae9ff9d96b219a2cd0d62721da0b29cb9

  • SSDEEP

    1536:t1NAUwtT6sFstwrbU3rnouy8prve6Ot7ytw52e1BVRDhY0z6UcnfeskzhAXyS1Po:fgtTPFsw0jout9ve6Ot7ytMr6jzwSF

Score
8/10

Malware Config

Signatures

  • Registers new Print Monitor 2 TTPs 5 IoCs
  • UPX packed file 2 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Modifies data under HKEY_USERS 14 IoCs
  • Runs net.exe
  • Runs ping.exe 1 TTPs 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 7 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop Spooler
    1⤵
    PID:2820
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {995C996E-D918-4a8c-A302-45719A6F4EA7} -Embedding
    1⤵
    PID:2384
  • C:\Windows\SysWOW64\net.exe
    net stop Spooler
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2476
  • C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\E62.tmp\ClearPrinterQueue.bat""
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2368
    • C:\Windows\SysWOW64\PING.EXE
      ping localhost -n 4
      2⤵
      • Runs ping.exe
      PID:2804
    • C:\Windows\SysWOW64\net.exe
      net start Spooler
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2796
    • C:\Windows\SysWOW64\PING.EXE
      ping localhost -n 4
      2⤵
      • Runs ping.exe
      PID:2880
  • C:\Users\Admin\AppData\Local\Temp\2b5210cdd94d2e35817ca49e9f5c7f91.exe
    "C:\Users\Admin\AppData\Local\Temp\2b5210cdd94d2e35817ca49e9f5c7f91.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1300
  • C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 start Spooler
    1⤵
    PID:2756
  • C:\Windows\System32\spoolsv.exe
    C:\Windows\System32\spoolsv.exe
    1⤵
    • Registers new Print Monitor
    • Modifies data under HKEY_USERS
    • Suspicious use of AdjustPrivilegeToken
    PID:2724

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\E62.tmp\ClearPrinterQueue.bat

    Filesize

    240B

    MD5

    13b4eb893beae6a88874f662f10c750e

    SHA1

    d9dad08ae3ae1e5f47d53d4d0fe6b3b9d142dd79

    SHA256

    7821b5298cce7f46cfa93f15d6c68a2a9aa0c767b552c39cc6d60712ac1c9fc5

    SHA512

    462e2b5661b3442492eecf44fac2a9b474774e2709d21c571946447bcbbbee9fb11e86dce9f64b3d9be1e5a210a4e9ecf8ebf8ee5887cf16a1751715d2a4464c

  • memory/1300-0-0x0000000000400000-0x0000000000452000-memory.dmp

    Filesize

    328KB

  • memory/1300-9-0x0000000000400000-0x0000000000452000-memory.dmp

    Filesize

    328KB