Overview

overview

10

Static

static

7

11ea1cac1b...cb.exe

windows7-x64

10

11ea1cac1b...cb.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    2s
  • max time network
    47s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
  • submitted
    01-01-2024 10:21

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    11ea1cac1b6a156f34248849aa7907cb.exe

  • Size

    522KB

  • MD5

    11ea1cac1b6a156f34248849aa7907cb

  • SHA1

    8c11db6b05f2878e263279296e8105136baebb92

  • SHA256

    14edc7e17f0f54eb4c750ef54e79b7241b77094ffe6d39f2a7e6d5583dead4b0

  • SHA512

    624f2f6ceebab94d66475403d4f0ccb116ac317f586b017a8c64b80caa6fa2fcfe8a324b6b5a5a6797dc9958ae41d4ed4fefe8915058b88d1131e53a19a365e0

  • SSDEEP

    12288:wMgDksy9lYyxFSMZQ+peBI+lkHQ4jC9FfmiqZZ4C8+db:vH3YyxFhZ8rKHXcFf5qECJb

Score
7/10
upx

Malware Config

Signatures

  • UPX packed file 19 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry key 1 TTPs 4 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\11ea1cac1b6a156f34248849aa7907cb.exe
    "C:\Users\Admin\AppData\Local\Temp\11ea1cac1b6a156f34248849aa7907cb.exe"
    1⤵
    • Suspicious use of SetWindowsHookEx
    PID:3600
    • C:\Users\Admin\AppData\Roaming\SerbianPersia\SerbianPersia.exe
      "C:\Users\Admin\AppData\Roaming\SerbianPersia\SerbianPersia.exe"
      2⤵
        PID:4320
        • C:\Users\Admin\AppData\Roaming\SerbianPersia\SerbianPersia.exe
          "C:\Users\Admin\AppData\Roaming\SerbianPersia\SerbianPersia.exe"
          3⤵
            PID:3520
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\240603281.bat" "
          2⤵
            PID:3488
        • C:\Windows\SysWOW64\reg.exe
          REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "SerbianPersian" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\SerbianPersia\SerbianPersia.exe" /f
          1⤵
            PID:3884
          • C:\Windows\SysWOW64\reg.exe
            REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\SerbianPersia\SerbianPersia.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\SerbianPersia\SerbianPersia.exe:*:Enabled:Windows Messanger" /f
            1⤵
            • Modifies registry key
            PID:4608
          • C:\Windows\SysWOW64\reg.exe
            REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
            1⤵
            • Modifies registry key
            PID:4424
          • C:\Windows\SysWOW64\reg.exe
            REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\i4i.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\i4i.exe:*:Enabled:Windows Messanger" /f
            1⤵
            • Modifies registry key
            PID:3716
          • C:\Windows\SysWOW64\reg.exe
            REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
            1⤵
            • Modifies registry key
            PID:392
          • C:\Windows\SysWOW64\cmd.exe
            cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\i4i.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\i4i.exe:*:Enabled:Windows Messanger" /f
            1⤵
              PID:5100
            • C:\Windows\SysWOW64\cmd.exe
              cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
              1⤵
                PID:4252
              • C:\Windows\SysWOW64\cmd.exe
                cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\SerbianPersia\SerbianPersia.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\SerbianPersia\SerbianPersia.exe:*:Enabled:Windows Messanger" /f
                1⤵
                  PID:2100
                • C:\Windows\SysWOW64\cmd.exe
                  cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
                  1⤵
                    PID:3528

                  Network

                  MITRE ATT&CK Matrix ATT&CK v13

                  Initial Access

                  Execution

                  Persistence

                  Privilege Escalation

                  Defense Evasion

                  Modify Registry

                  1
                  T1112

                  Credential Access

                  Discovery

                  System Information Discovery

                  1
                  T1082

                  Lateral Movement

                  Collection

                  Exfiltration

                  Command and Control

                  Impact

                  Resource Development

                  Reconnaissance

                  Replay Monitor

                  Loading Replay Monitor...

                  Downloads

                  • C:\Users\Admin\AppData\Roaming\SerbianPersia\SerbianPersia.exe
                    MD5

                    d41d8cd98f00b204e9800998ecf8427e

                    SHA1

                    da39a3ee5e6b4b0d3255bfef95601890afd80709

                    SHA256

                    e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

                    SHA512

                    cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

                    Download Submit
                  • C:\Users\Admin\AppData\Roaming\SerbianPersia\SerbianPersia.exe
                    Filesize

                    4KB

                    MD5

                    976537af0f1971ee00a3b5a044a1fe06

                    SHA1

                    967956146b8409fc4e9dfe9a3a9f99e6a8f009e8

                    SHA256

                    99af9e6a858690fe7e7af8d8b7d314e5cc8067dd4c530a3662e3e6e5d47213fc

                    SHA512

                    92b20c37964b7184c50b28e424a81611b34a4953d86c6cc48aeb5edd00ee0fd6b019838861523c06774ce41a34aa119c67c62dd1db0066c70195a8303e4b61ca

                    Download Submit
                  • memory/3520-23-0x0000000000400000-0x000000000045D000-memory.dmp
                    Filesize

                    372KB

                    Download
                  • memory/3520-42-0x0000000000400000-0x000000000045D000-memory.dmp
                    Filesize

                    372KB

                    Download
                  • memory/3520-26-0x0000000000400000-0x000000000045D000-memory.dmp
                    Filesize

                    372KB

                    Download
                  • memory/3520-28-0x0000000000400000-0x000000000045D000-memory.dmp
                    Filesize

                    372KB

                    Download
                  • memory/3520-46-0x0000000000400000-0x000000000045D000-memory.dmp
                    Filesize

                    372KB

                    Download
                  • memory/3520-44-0x0000000000400000-0x000000000045D000-memory.dmp
                    Filesize

                    372KB

                    Download
                  • memory/3520-43-0x0000000000400000-0x000000000045D000-memory.dmp
                    Filesize

                    372KB

                    Download
                  • memory/3520-34-0x0000000000400000-0x000000000045D000-memory.dmp
                    Filesize

                    372KB

                    Download
                  • memory/3520-35-0x0000000000400000-0x000000000045D000-memory.dmp
                    Filesize

                    372KB

                    Download
                  • memory/3520-36-0x0000000000400000-0x000000000045D000-memory.dmp
                    Filesize

                    372KB

                    Download
                  • memory/3520-38-0x0000000000400000-0x000000000045D000-memory.dmp
                    Filesize

                    372KB

                    Download
                  • memory/3520-39-0x0000000000400000-0x000000000045D000-memory.dmp
                    Filesize

                    372KB

                    Download
                  • memory/3520-40-0x0000000000400000-0x000000000045D000-memory.dmp
                    Filesize

                    372KB

                    Download
                  • memory/3600-0-0x0000000000400000-0x00000000005AF000-memory.dmp
                    Filesize

                    1.7MB

                    Download
                  • memory/3600-21-0x0000000000400000-0x00000000005AF000-memory.dmp
                    Filesize

                    1.7MB

                    Download
                  • memory/4320-19-0x0000000000400000-0x00000000005AF000-memory.dmp
                    Filesize

                    1.7MB

                    Download
                  • memory/4320-27-0x0000000000400000-0x00000000005AF000-memory.dmp
                    Filesize

                    1.7MB

                    Download