Overview

overview

7

Static

static

3

391666d406...89.exe

windows7-x64

7

391666d406...89.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    121s
  • max time network
    142s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
  • submitted
    31/12/2023, 14:04

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    391666d406f725aed5f387bac1d70789.exe

  • Size

    1.3MB

  • MD5

    391666d406f725aed5f387bac1d70789

  • SHA1

    e258a5d50ce762617235af9cfa1a081ac091f32a

  • SHA256

    46178572ae7ce7ea98c093e5ea7a09af9e8d367e7bf830d131ff1413f4488815

  • SHA512

    2abb3d5d1c74c5c3079bfa2830c896de4f8a7c9280996fb8613ddc3f7cc15e812673b3aa7aa8742a93c64662638672016b5e3cbf4a4d9c162e5ef30b154ef352

  • SSDEEP

    24576:Yrl4YBHXOjXaJg50owib4FHF7+wPz/wH8wz/pywAMMNOB284bA52qm:Yqi+l3wibU/nwz/p94Nyusm

Score
7/10
persistenceupx

Malware Config

Signatures

  • Executes dropped EXE 2 IoCs
  • UPX packed file 4 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Windows directory 8 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs

Processes

  • C:\Windows\zerub3_391666d406f725aed5f387bac1d70789.exe
    C:\Windows\zerub3_391666d406f725aed5f387bac1d70789.exe
    1⤵
    • Executes dropped EXE
    • Adds Run key to start application
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    PID:2848
  • C:\Windows\SysWOW64\DllHost.exe
    C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
    1⤵
    • Drops file in Windows directory
    • Suspicious use of FindShellTrayWindow
    PID:2808
  • C:\Windows\zerub3_391666d406f725aed5f387bac1d70789.exe
    "C:\Windows\zerub3_391666d406f725aed5f387bac1d70789.exe"
    1⤵
    • Executes dropped EXE
    • Suspicious use of SetThreadContext
    • Drops file in Windows directory
    • Suspicious use of WriteProcessMemory
    PID:1628
  • C:\Users\Admin\AppData\Local\Temp\391666d406f725aed5f387bac1d70789.exe
    "C:\Users\Admin\AppData\Local\Temp\391666d406f725aed5f387bac1d70789.exe"
    1⤵
    • Drops file in Windows directory
    • Suspicious use of WriteProcessMemory
    PID:2220

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\7-zip.jpg
    Filesize

    10KB

    MD5

    ba62da181a50d32ccae62bec03d75d19

    SHA1

    646f50b30556935bee4e312b25e613c4c15a6b26

    SHA256

    cc7ad4c4b696a3d035bacc006f8906c39d893fefbaaf1fabd98175f465a0d5fb

    SHA512

    5b1853d4cecf8caa524be46d3b3af136a6c8622719977020928895140edd5cceaa0a5dcbcba5daf3b44b6cec8bc127b9c604218d670fcbcf89b3048ab1ec9c52

    Download Submit

  • C:\Windows\zerub3_391666d406f725aed5f387bac1d70789.exe
    Filesize

    1.3MB

    MD5

    391666d406f725aed5f387bac1d70789

    SHA1

    e258a5d50ce762617235af9cfa1a081ac091f32a

    SHA256

    46178572ae7ce7ea98c093e5ea7a09af9e8d367e7bf830d131ff1413f4488815

    SHA512

    2abb3d5d1c74c5c3079bfa2830c896de4f8a7c9280996fb8613ddc3f7cc15e812673b3aa7aa8742a93c64662638672016b5e3cbf4a4d9c162e5ef30b154ef352

    Download Submit

  • memory/1628-12-0x0000000002F40000-0x0000000002F42000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1628-22-0x0000000010000000-0x0000000010068000-memory.dmp

    Filesize

    416KB

    Download

  • memory/1628-11-0x00000000002A0000-0x00000000002A1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2220-0-0x0000000000220000-0x0000000000221000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2220-8-0x0000000010000000-0x0000000010068000-memory.dmp

    Filesize

    416KB

    Download

  • memory/2808-19-0x0000000000270000-0x0000000000271000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2808-13-0x00000000001E0000-0x00000000001E2000-memory.dmp

    Filesize

    8KB

    Download

  • memory/2808-26-0x0000000000270000-0x0000000000271000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2848-14-0x0000000000400000-0x0000000000412000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2848-15-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2848-17-0x0000000000400000-0x0000000000412000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2848-21-0x0000000000400000-0x0000000000412000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2848-23-0x0000000000400000-0x0000000000412000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2848-27-0x0000000000400000-0x0000000000412000-memory.dmp

    Filesize

    72KB

    Download