d7cf47173563f66c0d62e423ece84d3063114f28d0a5a6a4b45fff899dee6a16

Analysis

max time kernel
0s
max time network
138s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
31-12-2023 17:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3aa18ef0afbf12ca2d52bd306aca7751.exe
Size

2.7MB
MD5

3aa18ef0afbf12ca2d52bd306aca7751
SHA1

322de207626e601a49a392c7a9060c6342791a93
SHA256

d7cf47173563f66c0d62e423ece84d3063114f28d0a5a6a4b45fff899dee6a16
SHA512

614b79ff54027fbbbd9349bd589152a879307a0919e6f0631f4d457d9b85dbd5d1acd7eb6dd093ad89bb3fcdeae19d524593c04900878bb9ed5a8e4def850ba3
SSDEEP

49152:RH73q/dlUyNJ+TBGxZykI9vA6qX9B9RElKBG18:xjq1N44WEXP9RElKP

Score

7^/10

upx

Malware Config

Signatures

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2896-0-0x0000000000400000-0x0000000000551000-memory.dmp	upx
behavioral1/files/0x000b000000012242-10.dat	upx
behavioral1/memory/2896-15-0x0000000000400000-0x0000000000551000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2896	3aa18ef0afbf12ca2d52bd306aca7751.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2896	3aa18ef0afbf12ca2d52bd306aca7751.exe
2896	3aa18ef0afbf12ca2d52bd306aca7751.exe

C:\Users\Admin\AppData\Local\Temp\3aa18ef0afbf12ca2d52bd306aca7751.exe
"C:\Users\Admin\AppData\Local\Temp\3aa18ef0afbf12ca2d52bd306aca7751.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
PID:2896
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  PID:2792

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini

Filesize
92B

MD5
2004bcee923b0e0222f4cab87c2c2a3d

SHA1
0a3c122b7cfe403403d913ecc1b328480b1bfc2a

SHA256
f92f08df2b65e2f5b5db141c99b098c8b077c0c853a1fd51bfcc6d40dc68ad77

SHA512
cae47a4dfdb942622ebca65d57e9d80c29cb299aa8c217983e34a51655c2e96ed26c7fa2fad978b6279ed4d3c8c0571e417c60152bf66a116f67d0fe38d6a445

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
721B

MD5
7f53e7eecc2d1c8bc9cbd1d198c10b2f

SHA1
0de566bc8fd5140a8ad633fb32f2b6b0e2ac24e3

SHA256
828cc5d42367403c32ff0734cfbbd7f2ad9011cbf8ff9f910c1ea801fcf62da2

SHA512
29e0836f7f18c2788802a3bce0e530cf8ed0342d7d2c72444bcb15ee5b0c632bb0914e7c624e022251ca6b68ee6e70043ccaa02164d8ff4ddeaf9a7b8c4c1ea1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
86KB

MD5
8a2f221768ef0bb12341a50237f4a225

SHA1
0f2d28b2da593ad122763e56cb2069ade14325b0

SHA256
985bfba5c4d2ddfc57883e734ef6828054cc6dcaa9c31bd601d631546a525df8

SHA512
0a602a75eac19102ec0c4b599a9c554037092d6495545a8249dc317893b1da12565d83ba1db293c126a42294e11a241e9f9861f346443696ab4afccd73c86e64

Download Submit
memory/2896-0-0x0000000000400000-0x0000000000551000-memory.dmp

Filesize
1.3MB

Download
memory/2896-15-0x0000000000400000-0x0000000000551000-memory.dmp

Filesize
1.3MB

Download