Analysis

  • max time kernel
    151s
  • max time network
    159s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    11/01/2024, 11:30

General

  • Target

    53658afc24d69a9a085d418079d31970.exe

  • Size

    456KB

  • MD5

    53658afc24d69a9a085d418079d31970

  • SHA1

    3bce2497011499230e8099babc98aedcb6ae4a4a

  • SHA256

    13c4a245c9dea93e5d4768ea69acf167f9e6302edfc44d30a36a7b7374ba7b41

  • SHA512

    39e182c006d1f46447d6aee1d0bc97b2a288919a95beafc02fd39e40de0a16685975edd411518b4f2e3d5e58935fbe09f9b86d5aa97d5b14afad4051c9c44f94

  • SSDEEP

    12288:w4ik34n1GxipPy4ZNj2mOb/DNlq41TzXe9Yv:w4ik34n15iN/5lq41Tzuq

Score
10/10

Malware Config

Signatures

  • Modifies visibility of hidden/system files in Explorer 2 TTPs 2 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 6 IoCs
  • UPX packed file 4 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Adds Run key to start application 2 TTPs 53 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Enumerates processes with tasklist 1 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of SetWindowsHookEx 5 IoCs
  • Suspicious use of WriteProcessMemory 47 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\53658afc24d69a9a085d418079d31970.exe
    "C:\Users\Admin\AppData\Local\Temp\53658afc24d69a9a085d418079d31970.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1136
    • C:\Users\Admin\u8kSVi.exe
      C:\Users\Admin\u8kSVi.exe
      2⤵
      • Modifies visibility of hidden/system files in Explorer
      • Checks computer location settings
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:3928
      • C:\Users\Admin\vuaeci.exe
        "C:\Users\Admin\vuaeci.exe"
        3⤵
        • Modifies visibility of hidden/system files in Explorer
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2788
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c tasklist&&del u8kSVi.exe
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:452
        • C:\Windows\SysWOW64\tasklist.exe
          tasklist
          4⤵
          • Enumerates processes with tasklist
          • Suspicious use of AdjustPrivilegeToken
          PID:4944
    • C:\Users\Admin\alay.exe
      C:\Users\Admin\alay.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1940
      • C:\Users\Admin\alay.exe
        "C:\Users\Admin\alay.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        PID:468
    • C:\Users\Admin\dlay.exe
      C:\Users\Admin\dlay.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:2008
    • C:\Users\Admin\flay.exe
      C:\Users\Admin\flay.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4696
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe"
        3⤵
          PID:3756
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c tasklist&&del 53658afc24d69a9a085d418079d31970.exe
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:2432
        • C:\Windows\SysWOW64\tasklist.exe
          tasklist
          3⤵
          • Enumerates processes with tasklist
          • Suspicious use of AdjustPrivilegeToken
          PID:4896

    Downloads

    • C:\Users\Admin\alay.exe
      Filesize: 68KB
      MD5: 1bf479c263ff9b58c1cc00c965f4c14a
      SHA1: 494555c284279f4cb8b1ea9f91ce12c98e057fce
      SHA256: 3b5a01e9c4a8fc9e2f6f33da669a8020b76751720d4c32a42e7ba49e955b1093
      SHA512: 48134b823a6bd2877e200095c03521e75de79a2830d9e723138c00529e0c9436e4b368fb3bd37a5a67cfdbaa34405b8e3f9bd79a982adbf726d882e57823f161

    • C:\Users\Admin\dlay.exe
      Filesize: 36KB
      MD5: ca22de79e6c6c38eb6dfef7fe1660b05
      SHA1: 859243fbafb70d5631e96cf88fc3a4c917cecfca
      SHA256: 8eff51c017894840eec5141933794e35a13de7baf085e20e697106bc4b2467b4
      SHA512: b136c8748cb46dabf6229477c3bd9b217562a7748c57c87f69c2874bd81e72cdda23ba7692602b7bc972e96716693af7ba0b33a9faf8ea25f4060a4c2dfff678

    • C:\Users\Admin\flay.exe
      Filesize: 264KB
      MD5: 9b3122a0ed7ec1eb344be414036da288
      SHA1: cf6a4651b24fc71db61e1870a360c3fa7d67c1ca
      SHA256: ca0ae1bd6a5328945c7805621a2efe10840b3023f70e180750ed0f9f87cc7df7
      SHA512: f57046121b54c8abd81bade8c2989530ac604e128c826397df63680fc7d8bc22715408613119bfa11920e736a7185950adf3d6c769df3f9b389d1020b22959e4

    • C:\Users\Admin\u8kSVi.exe
      Filesize: 248KB
      MD5: 76a6dee598367ca2ce4e90457622eb62
      SHA1: 067b85364f34f26292739ea3c04706335c7a9ee4
      SHA256: 2bae3eab43e8f1761f7aa29d259d9966bc8d8f19303a53f57b7d1d4e9b11929d
      SHA512: 8125d4643b0cb63496eae85fae0907bb36c82100fd35af76dadb787b82af7d4014f071e63e2bf07021145786e11a64662693c0502cc2ba6df31a4be917c0474f

    • C:\Users\Admin\vuaeci.exe
      Filesize: 248KB
      MD5: a894d115887478c29f0f179b7ffa0c56
      SHA1: d68840c5e052442acbd93c2f10415f4819934aa2
      SHA256: 275d5e73222ef16a4cda9cebe356e097a6be03ee34f158b2d1da065b2174afb9
      SHA512: f34f5851bc8d76d841413cb4cad4d611d1e2097ec2739858e768dd708e6b037cfb8bf79f975e129d195cdaa0e07d8ab930306dc0eb1e5473dab7d435a06e9ede

    • memory/468-53-0x0000000000400000-0x000000000040E000-memory.dmp (Filesize: 56KB)
    • memory/468-54-0x0000000000400000-0x000000000040E000-memory.dmp (Filesize: 56KB)
    • memory/468-50-0x0000000000400000-0x000000000040E000-memory.dmp (Filesize: 56KB)
    • memory/468-44-0x0000000000400000-0x000000000040E000-memory.dmp (Filesize: 56KB)
    • memory/4696-77-0x0000000002510000-0x0000000002511000-memory.dmp (Filesize: 4KB)
    • memory/4696-78-0x0000000000400000-0x0000000000466000-memory.dmp (Filesize: 408KB)
    • memory/4696-79-0x0000000000400000-0x0000000000466000-memory.dmp (Filesize: 408KB)
    • memory/4696-80-0x0000000002860000-0x00000000028C6000-memory.dmp (Filesize: 408KB)
    • memory/4696-81-0x0000000002D50000-0x0000000002D51000-memory.dmp (Filesize: 4KB)
    • memory/4696-82-0x0000000000400000-0x0000000000466000-memory.dmp (Filesize: 408KB)
    • memory/4696-84-0x0000000000400000-0x0000000000466000-memory.dmp (Filesize: 408KB)
    • memory/4696-85-0x0000000002860000-0x00000000028C6000-memory.dmp (Filesize: 408KB)