Overview

overview

7

Static

static

7

5404e0eecb...ff.exe

windows7-x64

7

5404e0eecb...ff.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    150s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
  • submitted
    11/01/2024, 16:30

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    5404e0eecb833b541bb8c2cb93f677ff.exe

  • Size

    234KB

  • MD5

    5404e0eecb833b541bb8c2cb93f677ff

  • SHA1

    c590c06a8e755346d3986b921b287c292733e2be

  • SHA256

    933d779247ea0959850d1c7109bc90681dd8fa1ed5f58fdba03b9c6e2f32cfff

  • SHA512

    ba82b9691c99a060d827fe48026f64771c880545b5164f0657817935e0fdbac86fb82e8a36b7a77a009d436571a2cb41a6977c15297be77352db672401e6177a

  • SSDEEP

    6144:+vdd1DkofdVGzU0bKJgkycch60n9z3xiBR5lVIeqvoSS:+v1zdYcgktcdBiBRpFqvoSS

Score
7/10
persistenceupx

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • UPX packed file 3 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of SetThreadContext 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 2 IoCs
    adwarespyware
  • NTFS ADS 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 33 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SendNotifyMessage 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 53 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1200
      • C:\Users\Admin\AppData\Local\Temp\5404e0eecb833b541bb8c2cb93f677ff.exe
        "C:\Users\Admin\AppData\Local\Temp\5404e0eecb833b541bb8c2cb93f677ff.exe"
        2⤵
        • Loads dropped DLL
        • Suspicious use of SetThreadContext
        • Modifies Internet Explorer settings
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1676
        • C:\Users\Admin\AppData\Roaming\Apitha\yzci.exe
          "C:\Users\Admin\AppData\Roaming\Apitha\yzci.exe"
          3⤵
          • Executes dropped EXE
          • Adds Run key to start application
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:2712
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmpfc254736.bat"
          3⤵
          • Deletes itself
          PID:2160
    • C:\Windows\system32\DllHost.exe
      C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
      1⤵
        PID:772
      • C:\Windows\system32\Dwm.exe
        "C:\Windows\system32\Dwm.exe"
        1⤵
          PID:1172
        • C:\Windows\system32\taskhost.exe
          "taskhost.exe"
          1⤵
            PID:1088
          • C:\Program Files\Windows Mail\WinMail.exe
            "C:\Program Files\Windows Mail\WinMail.exe" -Embedding
            1⤵
            • NTFS ADS
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SendNotifyMessage
            • Suspicious use of SetWindowsHookEx
            PID:1076
          • C:\Windows\system32\DllHost.exe
            C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
            1⤵
              PID:2960
            • C:\Windows\system32\DllHost.exe
              C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
              1⤵
                PID:2064
              • C:\Windows\system32\DllHost.exe
                C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
                1⤵
                  PID:1164

                Network

                MITRE ATT&CK Enterprise v15

                Replay Monitor

                Loading Replay Monitor...

                Downloads

                • C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\edb.log
                  Filesize

                  2.0MB

                  MD5

                  40594d2b73227e2bf7c0fd4c56b9eb7f

                  SHA1

                  f8a6f4678b16b820bd34d5f3408ae3d044955610

                  SHA256

                  7209da40dcd843ddb906fdf485b6d956f4c16b8d6a03c0255559cd8a7f948ad4

                  SHA512

                  04f21cf99bcee274727cc744a9da7bcccc6cc7e476a4cb60436b34b146cd4fd20b75f234a1d9375cdbb95f6c977933662d830d2351b6cc943b7653a037f62025

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\tmpfc254736.bat
                  Filesize

                  243B

                  MD5

                  6c1e5a5266ee9f5961185ba1c14f4974

                  SHA1

                  b136fe584503f885ef19f4ca68aa6df2aa7625e9

                  SHA256

                  e3c48847701689068d54940c2bc0a032a49c18f5c1d3afd2eee720c3671f33c8

                  SHA512

                  f33017602b02d1f8fb7b32cf04759bd7837b8eebf549a7f92d729774eb51b76fa8d457a11cb733048a6c8992bfc261c4a81c78955b086d1f83819c423bd26b90

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Kood\ifyl.quk
                  Filesize

                  388B

                  MD5

                  820a0f476cd07ea2a2fa86f239d460eb

                  SHA1

                  b244ec7a8a2619a6cd9e753bc04ee79d7809ee6d

                  SHA256

                  77e6221e94cb921c312647ed59dfc28bb3e477c41225e5a63c52fd7eee946d9d

                  SHA512

                  98669557f941a91330552e747c53b7817d3433da3487f2d51a94bab26d8e2fab1cc09ef29930650db873feeb5e4ec378dcb0cde76bc3980c2f62ca77793eac33

                  Download Submit

                • \Users\Admin\AppData\Roaming\Apitha\yzci.exe
                  Filesize

                  234KB

                  MD5

                  cefbceecb5f1a8fc944c10be6631a7ad

                  SHA1

                  eab4b29a752e556f4b0fbb7d50449eccf1467a9a

                  SHA256

                  7b29f3de84802c6dc7336f19294b09a605280d70e35ffa8051760e2020ed7fd6

                  SHA512

                  51e0325391bb3284f3a0e6bd3c4f1916001f4b3ede37135e3d9b47bacd110db131a8a0b5b95efee28bf61f0bf419137ce7c022979231f7606d938c9334f38d21

                  Download Submit

                • memory/772-49-0x0000000001C80000-0x0000000001CAF000-memory.dmp

                  Filesize

                  188KB

                  Download

                • memory/772-55-0x0000000001C80000-0x0000000001CAF000-memory.dmp

                  Filesize

                  188KB

                  Download

                • memory/772-53-0x0000000001C80000-0x0000000001CAF000-memory.dmp

                  Filesize

                  188KB

                  Download

                • memory/772-51-0x0000000001C80000-0x0000000001CAF000-memory.dmp

                  Filesize

                  188KB

                  Download

                • memory/1088-30-0x00000000004F0000-0x000000000051F000-memory.dmp

                  Filesize

                  188KB

                  Download

                • memory/1088-28-0x00000000004F0000-0x000000000051F000-memory.dmp

                  Filesize

                  188KB

                  Download

                • memory/1088-29-0x00000000004F0000-0x000000000051F000-memory.dmp

                  Filesize

                  188KB

                  Download

                • memory/1088-31-0x00000000004F0000-0x000000000051F000-memory.dmp

                  Filesize

                  188KB

                  Download

                • memory/1088-32-0x00000000004F0000-0x000000000051F000-memory.dmp

                  Filesize

                  188KB

                  Download

                • memory/1172-34-0x0000000000140000-0x000000000016F000-memory.dmp

                  Filesize

                  188KB

                  Download

                • memory/1172-35-0x0000000000140000-0x000000000016F000-memory.dmp

                  Filesize

                  188KB

                  Download

                • memory/1172-36-0x0000000000140000-0x000000000016F000-memory.dmp

                  Filesize

                  188KB

                  Download

                • memory/1172-37-0x0000000000140000-0x000000000016F000-memory.dmp

                  Filesize

                  188KB

                  Download

                • memory/1200-42-0x00000000024D0000-0x00000000024FF000-memory.dmp

                  Filesize

                  188KB

                  Download

                • memory/1200-46-0x00000000024D0000-0x00000000024FF000-memory.dmp

                  Filesize

                  188KB

                  Download

                • memory/1200-44-0x00000000024D0000-0x00000000024FF000-memory.dmp

                  Filesize

                  188KB

                  Download

                • memory/1200-40-0x00000000024D0000-0x00000000024FF000-memory.dmp

                  Filesize

                  188KB

                  Download

                • memory/1676-81-0x0000000077E90000-0x0000000077E91000-memory.dmp

                  Filesize

                  4KB

                  Download

                • memory/1676-60-0x0000000000360000-0x000000000038F000-memory.dmp

                  Filesize

                  188KB

                  Download

                • memory/1676-1-0x0000000000220000-0x0000000000234000-memory.dmp

                  Filesize

                  80KB

                  Download

                • memory/1676-13-0x0000000000360000-0x00000000003C6000-memory.dmp

                  Filesize

                  408KB

                  Download

                • memory/1676-7-0x0000000000350000-0x0000000000351000-memory.dmp

                  Filesize

                  4KB

                  Download

                • memory/1676-5-0x0000000000350000-0x0000000000351000-memory.dmp

                  Filesize

                  4KB

                  Download

                • memory/1676-4-0x0000000000400000-0x0000000000466000-memory.dmp

                  Filesize

                  408KB

                  Download

                • memory/1676-72-0x00000000003D0000-0x00000000003D1000-memory.dmp

                  Filesize

                  4KB

                  Download

                • memory/1676-317-0x0000000000360000-0x000000000038F000-memory.dmp

                  Filesize

                  188KB

                  Download

                • memory/1676-79-0x0000000000360000-0x000000000038F000-memory.dmp

                  Filesize

                  188KB

                  Download

                • memory/1676-18-0x0000000000360000-0x00000000003C6000-memory.dmp

                  Filesize

                  408KB

                  Download

                • memory/1676-234-0x00000000003D0000-0x00000000003D1000-memory.dmp

                  Filesize

                  4KB

                  Download

                • memory/1676-78-0x00000000003D0000-0x00000000003D1000-memory.dmp

                  Filesize

                  4KB

                  Download

                • memory/1676-316-0x0000000000400000-0x0000000000466000-memory.dmp

                  Filesize

                  408KB

                  Download

                • memory/1676-74-0x0000000000360000-0x000000000038F000-memory.dmp

                  Filesize

                  188KB

                  Download

                • memory/1676-70-0x0000000000360000-0x000000000038F000-memory.dmp

                  Filesize

                  188KB

                  Download

                • memory/1676-3-0x0000000000400000-0x0000000000466000-memory.dmp

                  Filesize

                  408KB

                  Download

                • memory/1676-68-0x00000000003D0000-0x00000000003D1000-memory.dmp

                  Filesize

                  4KB

                  Download

                • memory/1676-66-0x00000000003D0000-0x00000000003D1000-memory.dmp

                  Filesize

                  4KB

                  Download

                • memory/1676-63-0x0000000000360000-0x000000000038F000-memory.dmp

                  Filesize

                  188KB

                  Download

                • memory/1676-62-0x0000000000360000-0x000000000038F000-memory.dmp

                  Filesize

                  188KB

                  Download

                • memory/1676-61-0x0000000000360000-0x000000000038F000-memory.dmp

                  Filesize

                  188KB

                  Download

                • memory/1676-0-0x0000000000400000-0x0000000000466000-memory.dmp

                  Filesize

                  408KB

                  Download

                • memory/1676-59-0x0000000000360000-0x000000000038F000-memory.dmp

                  Filesize

                  188KB

                  Download

                • memory/1676-2-0x0000000000400000-0x0000000000466000-memory.dmp

                  Filesize

                  408KB

                  Download

                • memory/2160-320-0x0000000000050000-0x000000000007F000-memory.dmp

                  Filesize

                  188KB

                  Download

                • memory/2160-322-0x0000000077E90000-0x0000000077E91000-memory.dmp

                  Filesize

                  4KB

                  Download

                • memory/2160-503-0x0000000000050000-0x000000000007F000-memory.dmp

                  Filesize

                  188KB

                  Download

                • memory/2712-77-0x0000000001F00000-0x0000000001F66000-memory.dmp

                  Filesize

                  408KB

                  Download

                • memory/2712-75-0x0000000001F00000-0x0000000001F66000-memory.dmp

                  Filesize

                  408KB

                  Download

                • memory/2712-25-0x0000000000250000-0x0000000000251000-memory.dmp

                  Filesize

                  4KB

                  Download

                • memory/2712-515-0x0000000000400000-0x0000000000466000-memory.dmp

                  Filesize

                  408KB

                  Download