df4adacafc2e2a13d1fbfcad58333d72516aef4a642c0edaa46c58393609bde2

Analysis

max time kernel
141s
max time network
120s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
31/12/2023, 13:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

37c4b3187a66fb062d2baffa89cc2e33.exe
Size

1.3MB
MD5

37c4b3187a66fb062d2baffa89cc2e33
SHA1

9540728dc59b2738e77a0ac631776cead56a9cc4
SHA256

df4adacafc2e2a13d1fbfcad58333d72516aef4a642c0edaa46c58393609bde2
SHA512

ff579c8964ff6c675c8716ce2acd5e789723b01303987bf6ba316b653d7b88c852f61714298310c6de757b922c10674fa60223ec56e0bd33bab69e070eee7ded
SSDEEP

24576:Cs8p1CLEKeJmwOj09hLzAvCBnVMOaxkobWsCFbnLiCNXJ8wiuyl2Oxr13y+KqtWx:Cs8pMLEKUtdhLnKko3ClnL1N58wiuyB4

Score

7^/10

persistence upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2020	svchost.exe
2700	setup.exe

Loads dropped DLL 6 IoCs

pid	Process
2080	37c4b3187a66fb062d2baffa89cc2e33.exe
2080	37c4b3187a66fb062d2baffa89cc2e33.exe
2020	svchost.exe
2700	setup.exe
2700	setup.exe
2700	setup.exe

UPX packed file 17 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2080-1-0x0000000000400000-0x000000000059F000-memory.dmp	upx
behavioral1/files/0x0034000000014fa0-11.dat	upx
behavioral1/memory/2020-15-0x0000000000400000-0x000000000059F000-memory.dmp	upx
behavioral1/files/0x0034000000014fa0-9.dat	upx
behavioral1/files/0x0034000000014fa0-7.dat	upx
behavioral1/files/0x0034000000014fa0-5.dat	upx
behavioral1/files/0x000700000001565f-17.dat	upx
behavioral1/files/0x000700000001565f-21.dat	upx
behavioral1/memory/2020-19-0x0000000003300000-0x0000000003633000-memory.dmp	upx
behavioral1/files/0x000700000001565f-22.dat	upx
behavioral1/memory/2080-27-0x0000000000400000-0x000000000059F000-memory.dmp	upx
behavioral1/files/0x000700000001565f-25.dat	upx
behavioral1/files/0x000700000001565f-24.dat	upx
behavioral1/files/0x000700000001565f-23.dat	upx
behavioral1/memory/2700-32-0x0000000001000000-0x0000000001333000-memory.dmp	upx
behavioral1/memory/2020-31-0x0000000000400000-0x000000000059F000-memory.dmp	upx
behavioral1/memory/2700-35-0x0000000001000000-0x0000000001333000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Users\\Admin\\Localdir\\svchost.exe"	37c4b3187a66fb062d2baffa89cc2e33.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	setup.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2080	37c4b3187a66fb062d2baffa89cc2e33.exe
2020	svchost.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 2080 wrote to memory of 2020	2080	37c4b3187a66fb062d2baffa89cc2e33.exe	29
PID 2080 wrote to memory of 2020	2080	37c4b3187a66fb062d2baffa89cc2e33.exe	29
PID 2080 wrote to memory of 2020	2080	37c4b3187a66fb062d2baffa89cc2e33.exe	29
PID 2080 wrote to memory of 2020	2080	37c4b3187a66fb062d2baffa89cc2e33.exe	29
PID 2020 wrote to memory of 2700	2020	svchost.exe	28
PID 2020 wrote to memory of 2700	2020	svchost.exe	28
PID 2020 wrote to memory of 2700	2020	svchost.exe	28
PID 2020 wrote to memory of 2700	2020	svchost.exe	28
PID 2020 wrote to memory of 2700	2020	svchost.exe	28
PID 2020 wrote to memory of 2700	2020	svchost.exe	28
PID 2020 wrote to memory of 2700	2020	svchost.exe	28

C:\Users\Admin\AppData\Local\Temp\37c4b3187a66fb062d2baffa89cc2e33.exe
"C:\Users\Admin\AppData\Local\Temp\37c4b3187a66fb062d2baffa89cc2e33.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2080
- C:\Users\Admin\Localdir\svchost.exe
  C:\Users\Admin\Localdir\svchost.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2020

C:\Users\Admin\Localdir\setup.exe
C:\Users\Admin\Localdir\setup.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
PID:2700

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Localdir\setup.exe

Filesize
27KB

MD5
093c630674e0efc529599079b07a4c64

SHA1
e224e9d38f6f92f623465e732257a57d794f2260

SHA256
5e5605b40da7f9ffb2b7b0415e37d039b79144c5713f9926b8fd418911f4c6c5

SHA512
8ec79edf1abb1a53afed20687e010c5f9727f4cd2bf92d5a61efb01061dce0c29df204e1f03ea80a36ef80d272dbe66a49576c451efd9de19fa00cc10c00e6c2

Download Submit
C:\Users\Admin\Localdir\setup.exe

Filesize
186KB

MD5
e775369a2b78076800a12caebe385760

SHA1
b4a1c276c0e3207bdaa9d405e0b250457f467b45

SHA256
750f9a98a5d94be3318fdf9a69f5062a6deea48179bd6460d07d81ca479b7084

SHA512
01173ebe29e3e606a9dfa2b7059d2b3b421080dd66baade1b211106aa88740c790574dedd63a361b513dd9aa594b4348e78813bfc930062929a5e2e300cd270f

Download Submit
C:\Users\Admin\Localdir\svchost.exe

Filesize
102KB

MD5
b0a71689547ddfcbcc2e2d60c330ba2a

SHA1
f4888795520ce33dd19168d729400cbdac6c27cf

SHA256
2583d175ea68ceedc2648c898f11a0dc95a8d4421baea0aad9709b3e553a1fee

SHA512
8c73cf3476589d6b3794da4a88d589a345c71d6c995c7928e576be5ac3749cec9ad49a48cdd755124dd89d29aeb53447debce40a953b7887a41a01fc083d5fee

Download Submit
C:\Users\Admin\Localdir\svchost.exe

Filesize
84KB

MD5
f41610f74b0271e768813a213ae6768d

SHA1
f6124c0bd21b35e9134c102f0ac426f579e363c9

SHA256
a6543ff8f1e057fccac53f2e13801cf8054e05fa000ab140da60fd719b374d60

SHA512
d5656e6ce158c883ff9dff44b763c757a8bcfa970f36e3f41fba606e38b96bee43fb599490d0410dbee31aa21b2064f0a804ff14c90ef0f22051f065b380899f

Download Submit
\Users\Admin\Localdir\setup.exe

Filesize
39KB

MD5
6915b6b953216d3e4fc2618a2e203239

SHA1
a679b91af74945e370d430ef388547735859a203

SHA256
12200b71c85d190e9176f0b4624ca8b8dd8fb6cf716c22df49387f3320d04f08

SHA512
addd5b0603d34b8cfc8a7496042770e51deebff3f1d3058b904ef9bde1c4de3f23dc8a53b399ae9058db8a5eebacb8a671e4a8b3299cad59991cdba74aa153a8

Download Submit
\Users\Admin\Localdir\setup.exe

Filesize
166KB

MD5
68bd1e04ea0d894ed36858a88c16f9c7

SHA1
9361ce062fc340322f03fa830435b4eb06e67131

SHA256
a42e71a9c73e1a5d5277d8420e5602e5daa0f52ee47d450718259f51cbe88c4e

SHA512
f784753a006284703c697eaa0e137d9992be75aaa4cb16a658c3276619d9f206d0af9f89b87f264a1c10b67decf923a7093330992d60fb309774cdb801c4e45d

Download Submit
\Users\Admin\Localdir\setup.exe

Filesize
185KB

MD5
87b1103dc2f754945144f9eacd8cbf4e

SHA1
cd44b7b6a88dfecd2bff51744f3b4c473b6c9de9

SHA256
2ec6dc5a15fc7731c29551613487a14f89f5099086062b0c98cbba6ce860538b

SHA512
7efc944c783cb7954158be9c07c370a213554bd4c404264ac8b17d56aebc054305af119c05455d354500ee9d4da1507a817495d95d81c481785cdb93dad5dcbc

Download Submit
\Users\Admin\Localdir\setup.exe

Filesize
203KB

MD5
e00c7b26254f7afc91df9b3b7a578626

SHA1
a3881346bd868770a0db4b42c3ec833a358be836

SHA256
defecdff2c35d0f1461c332d08d64787f3e7fca7578d6db76c3742a9c58909ab

SHA512
ba06f1b8e28503f8c81cb70fb8e2e5a2cd55a73d2d2c13092bcfcd7e3e3ee72db4ee75227cd8ffe3ad2d04849fdf57dfc3bdead81dd1f83b9b409dd79fb8b42e

Download Submit
\Users\Admin\Localdir\svchost.exe

Filesize
103KB

MD5
258374b06ad75c020e5b92ba39100cfe

SHA1
65d88d6aea87e231515f51bc08749f09f7585ded

SHA256
3a8a90cfd017d14c2dd6f70a257c625b2250ae36afe51f2d54e729fae2b8e4dc

SHA512
cd096ea32f47fc8bde28ee899ee37c096aa6ccc7a2602a92185637332e20521e82d52ba28b97293e13614618889b36ce72935e6f067bc0e7ded97a3643388d0d

Download Submit
\Users\Admin\Localdir\svchost.exe

Filesize
86KB

MD5
267a3536e30b7931030803f579683b3a

SHA1
28875048703ad1990661bc9e2070e309374b717c

SHA256
81580edea79af9717a3136dd32e20cf0afddb7167b307a547db502ba8d3d0479

SHA512
e307569851ca4f7bdf6d0402021abd02eb96a6d86d319bff7f4aa8b7b8c47b5840be2c2b83cb9c941ae6e7db51ea356f207a27a50980dec2b2c09fb1d84215ee

Download Submit
memory/2020-19-0x0000000003300000-0x0000000003633000-memory.dmp

Filesize
3.2MB

Download
memory/2020-15-0x0000000000400000-0x000000000059F000-memory.dmp

Filesize
1.6MB

Download
memory/2020-31-0x0000000000400000-0x000000000059F000-memory.dmp

Filesize
1.6MB

Download
memory/2080-27-0x0000000000400000-0x000000000059F000-memory.dmp

Filesize
1.6MB

Download
memory/2080-1-0x0000000000400000-0x000000000059F000-memory.dmp

Filesize
1.6MB

Download
memory/2080-12-0x0000000003B00000-0x0000000003C9F000-memory.dmp

Filesize
1.6MB

Download
memory/2700-28-0x00000000008C0000-0x0000000000BF3000-memory.dmp

Filesize
3.2MB

Download
memory/2700-32-0x0000000001000000-0x0000000001333000-memory.dmp

Filesize
3.2MB

Download
memory/2700-26-0x00000000008C0000-0x0000000000BF3000-memory.dmp

Filesize
3.2MB

Download
memory/2700-35-0x0000000001000000-0x0000000001333000-memory.dmp

Filesize
3.2MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads