Overview

overview

10

Static

static

7

48d4b2de96...f7.exe

windows7-x64

10

48d4b2de96...f7.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
  • submitted
    07/01/2024, 11:19

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    48d4b2de96bdee80e4b03ce3b1c2cbf7.exe

  • Size

    563KB

  • MD5

    48d4b2de96bdee80e4b03ce3b1c2cbf7

  • SHA1

    d573c037b7130c2f9fd066290cb33517f872b10a

  • SHA256

    55fee448c01f7f95dac6e0659817bd2cd6d9b10faa1996e80d13fd7eff3b7eba

  • SHA512

    e48af35745638ee4153d4fd2d295f0215c1bf7f46af9a59e4e4b920498828456dec77fee796ced0202ffcd495f1ccf14a6f7500c1f64f6365d3613d1ce505640

  • SSDEEP

    12288:McEV8Z4J+3C3Ojt1cEVncEV8Z4J+3C3Ojtnvt:mxJV+BVPxJV+Bnvt

Score
10/10
evasionpersistenceupx

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
    persistence
  • Disables RegEdit via registry modification 1 IoCs
    evasion
  • Disables Task Manager via registry modification
    evasion
  • UPX packed file 17 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Enumerates connected drives 3 TTPs 23 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory 7 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\48d4b2de96bdee80e4b03ce3b1c2cbf7.exe
    "C:\Users\Admin\AppData\Local\Temp\48d4b2de96bdee80e4b03ce3b1c2cbf7.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Disables RegEdit via registry modification
    • Adds Run key to start application
    • Enumerates connected drives
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2072
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /C AT /delete /yes
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3656
      • C:\Windows\SysWOW64\at.exe
        AT /delete /yes
        3⤵
          PID:2660
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /C AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\blastclnnn.exe
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:548
        • C:\Windows\SysWOW64\at.exe
          AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\blastclnnn.exe
          3⤵
            PID:1880

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Windows\SysWOW64\blastclnnn.exe
        Filesize

        563KB

        MD5

        48d4b2de96bdee80e4b03ce3b1c2cbf7

        SHA1

        d573c037b7130c2f9fd066290cb33517f872b10a

        SHA256

        55fee448c01f7f95dac6e0659817bd2cd6d9b10faa1996e80d13fd7eff3b7eba

        SHA512

        e48af35745638ee4153d4fd2d295f0215c1bf7f46af9a59e4e4b920498828456dec77fee796ced0202ffcd495f1ccf14a6f7500c1f64f6365d3613d1ce505640

        Download Submit

      • C:\Windows\SysWOW64\setting.ini
        Filesize

        277KB

        MD5

        f5eeef61ada2d27fb5fef730e8affabb

        SHA1

        e2990dbcbca8a32cdc1e5745b02b6a1b63785705

        SHA256

        d7b516e1f3aef78adc7ae9f0e41cbc95353b88807a349d88cb2002d555a8533b

        SHA512

        57daf57782e2945e8ca6e0c8a4e161d6a2bf4195f72e15e7df0064b6df7fabaea9e614520d25ec182130f4c90b4e5a2382918105a980d0b59c350a6fddfec41e

        Download Submit

      • memory/2072-48-0x0000000000400000-0x0000000000496000-memory.dmp

        Filesize

        600KB

        Download

      • memory/2072-43-0x0000000000400000-0x0000000000496000-memory.dmp

        Filesize

        600KB

        Download

      • memory/2072-44-0x0000000000400000-0x0000000000496000-memory.dmp

        Filesize

        600KB

        Download

      • memory/2072-45-0x0000000000400000-0x0000000000496000-memory.dmp

        Filesize

        600KB

        Download

      • memory/2072-46-0x0000000000400000-0x0000000000496000-memory.dmp

        Filesize

        600KB

        Download

      • memory/2072-47-0x0000000000400000-0x0000000000496000-memory.dmp

        Filesize

        600KB

        Download

      • memory/2072-0-0x0000000000400000-0x0000000000496000-memory.dmp

        Filesize

        600KB

        Download

      • memory/2072-49-0x0000000000400000-0x0000000000496000-memory.dmp

        Filesize

        600KB

        Download

      • memory/2072-50-0x0000000000400000-0x0000000000496000-memory.dmp

        Filesize

        600KB

        Download

      • memory/2072-51-0x0000000000400000-0x0000000000496000-memory.dmp

        Filesize

        600KB

        Download

      • memory/2072-52-0x0000000000400000-0x0000000000496000-memory.dmp

        Filesize

        600KB

        Download

      • memory/2072-53-0x0000000000400000-0x0000000000496000-memory.dmp

        Filesize

        600KB

        Download

      • memory/2072-54-0x0000000000400000-0x0000000000496000-memory.dmp

        Filesize

        600KB

        Download

      • memory/2072-55-0x0000000000400000-0x0000000000496000-memory.dmp

        Filesize

        600KB

        Download

      • memory/2072-56-0x0000000000400000-0x0000000000496000-memory.dmp

        Filesize

        600KB

        Download

      • memory/2072-57-0x0000000000400000-0x0000000000496000-memory.dmp

        Filesize

        600KB

        Download