Overview

overview

8

Static

static

1

55450968c3...e9.exe

windows7-x64

8

55450968c3...e9.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    117s
  • max time network
    117s
  • platform
    windows7_x64
  • resource
    win7-20231129-en
  • resource tags

    arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
  • submitted
    12/01/2024, 02:45

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    55450968c3ba0e9ec14f7b4204e5f3e9.exe

  • Size

    774KB

  • MD5

    55450968c3ba0e9ec14f7b4204e5f3e9

  • SHA1

    9f5bf51f170e65bc77026d15fde44dbbe6729007

  • SHA256

    cdca50554df0abdd3de32c78f381ec1ea7e02b1687f6e56eb18d4274503b37e2

  • SHA512

    ac1e3659b274311ab6235630efd033d5444d26725de86e463a5a21816f0c3eba68a9549ca62e675c17bb2a7537c84e6986b87270d434146b9e57e8f103602dd7

  • SSDEEP

    24576:A20gPgFK44AGJAyDkziGgEf3TuJSQxAVBbIcXos:xK5bvR93T4xAjIE9

Score
8/10
evasion

Malware Config

Signatures

  • Sets file to hidden 1 TTPs 1 IoCs

    Modifies file attributes to stop it showing in Explorer etc.

    evasion
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Delays execution with timeout.exe 5 IoCs
    evasion
  • Kills process with taskkill 2 IoCs
    evasion
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Views/modifies file attributes 1 TTPs 2 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\55450968c3ba0e9ec14f7b4204e5f3e9.exe
    "C:\Users\Admin\AppData\Local\Temp\55450968c3ba0e9ec14f7b4204e5f3e9.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2548
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\tixup\extender\tls.vbs" /f=CREATE_NO_WINDOW install.cmd
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1712
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\tixup\extender\mac.bat" "
        3⤵
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:2608
        • C:\Windows\SysWOW64\timeout.exe
          timeout 7
          4⤵
          • Delays execution with timeout.exe
          PID:2668
        • C:\tixup\extender\shudlerl.exe
          "shudlerl.exe" e -pscvxhnormal win.rar
          4⤵
          • Executes dropped EXE
          PID:2884
        • C:\Windows\SysWOW64\timeout.exe
          timeout 6
          4⤵
          • Delays execution with timeout.exe
          PID:2776
        • C:\Windows\SysWOW64\WScript.exe
          "C:\Windows\System32\WScript.exe" "C:\tixup\extender\ls2.vbs"
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:1780
          • C:\Windows\SysWOW64\cmd.exe
            cmd /c ""C:\tixup\extender\vnmx.bat" "
            5⤵
            • Loads dropped DLL
            • Suspicious use of WriteProcessMemory
            PID:2708
            • C:\Windows\SysWOW64\attrib.exe
              attrib +s +h "C:\tixup\extender"
              6⤵
              • Sets file to hidden
              • Views/modifies file attributes
              PID:2148
            • C:\Windows\SysWOW64\timeout.exe
              timeout 2
              6⤵
              • Delays execution with timeout.exe
              PID:2196
            • C:\tixup\extender\scvxh.exe
              scvxh.exe /start
              6⤵
              • Executes dropped EXE
              PID:2420
            • C:\Windows\SysWOW64\taskkill.exe
              taskkill /f /im shudlerl.exe
              6⤵
              • Kills process with taskkill
              • Suspicious use of AdjustPrivilegeToken
              PID:1832
            • C:\Windows\SysWOW64\timeout.exe
              timeout 4
              6⤵
              • Delays execution with timeout.exe
              PID:1084
            • C:\Windows\SysWOW64\attrib.exe
              attrib -s -h "C:\tixup\extender"
              6⤵
              • Views/modifies file attributes
              PID:2008
            • C:\Windows\SysWOW64\taskkill.exe
              taskkill /f /im shudlerl.exe
              6⤵
              • Kills process with taskkill
              • Suspicious use of AdjustPrivilegeToken
              PID:1644
        • C:\Windows\SysWOW64\timeout.exe
          timeout 8
          4⤵
          • Delays execution with timeout.exe
          PID:2480

Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\tixup\extender\ls2.vbs
          Filesize

          103B

          MD5

          b9f01a083196f56e63981d4918b53602

          SHA1

          6516beed046058a8b5e9c14691dfa6a56d90f586

          SHA256

          05819ae49c80e8b4f83ce74d0318b2d6db07cf817e8e3e11724d4af2e2872f54

          SHA512

          df0fd5fe0d42d39ede571a0df630cf5f862bc9761f2ba1f3a42bfd77ef6d6e52148db4f3c0dbf20abc0e89518a30c8ec4533668b9392a3f2a1a668d0dead31ee

          Download Submit

        • C:\tixup\extender\mac.bat
          Filesize

          392B

          MD5

          fcf0f7da76c156db2db74a764301264b

          SHA1

          927430c6059ea5d26727e3b103c3c2e4ee644b4d

          SHA256

          d27fac55c965e8e2b45a87b1728f4461687fe74688716d80f333d2da18f0456c

          SHA512

          ddff08b4201f31946f350ad6797342592db1a9284cb845adbf5d90264510298ef12d74597fbf9c3f0271d56988dac88fb62121c73e399bb0c896f4e778d8ff2f

          Download Submit

        • C:\tixup\extender\scvxh.exe
          Filesize

          512KB

          MD5

          276841a0e6f4e9c5c92719c5daa9155d

          SHA1

          3a81aa158ae825ca5c1b54ef9b8f675311a41d80

          SHA256

          c943b2be601f0ac42a65baaddaec2ff23f443e4cb3ca5b4f9fdb2033f4d78880

          SHA512

          abe0615cc988c91d7dff6defa4f3cc07385c44c5bbfb47fa696dede3ca1f9601b271685e2ecefb3d1aa19d95d9c024b18dee55deb4dc5921f01d8933a3af06c8

          Download Submit

        • C:\tixup\extender\scvxh.exe
          Filesize

          2KB

          MD5

          db8a2eeae19564e4e05ac8a668398199

          SHA1

          8613388a4626e7f3ccb2db019f0cddcecda6b408

          SHA256

          24ae0a9a4f71e98f4e43bea49d03ec42e8955af001cb30813da10d16890a39fe

          SHA512

          78875650a92387175d7bf85eee80983faddc8d5e6f3ec4e0412352045011ef9ba4741ffeb76e73ba2045e6847d38e0d369f6dcca40a1d5601fe2000068dda8b2

          Download Submit

        • C:\tixup\extender\shudlerl.exe
          Filesize

          551KB

          MD5

          061f64173293969577916832be29b90d

          SHA1

          b05b80385de20463a80b6c9c39bd1d53123aab9b

          SHA256

          34dfe4869b0a524c63cc4696fafe30c83a22dc5fe4b994b9fe777f2c986733ce

          SHA512

          66e284f7c7e40af988ab09ff48cc786d287ac906368042d98d313be764058f01ecb5c3a7ab8d4336ee6494ea4a1347e73f0f2b4f3baec25ca6bcec1d888bd3da

          Download Submit

        • C:\tixup\extender\tls.vbs
          Filesize

          89B

          MD5

          38d6351f0ec7a2cbeffbc1fc48a7bb77

          SHA1

          aa78835ebba153b03a7ab4a49da432b0be2cf2c5

          SHA256

          88ae3f8a76d32aa09c3d904e1bbd3e974fea2233e87cee6c32292bf4faea24b3

          SHA512

          e5401bab79d4d08db1a224ea358cca9d87e990b1475fb6574853eff41ed0840cbda9d90b4d08bdc0afd610d3ac389ab06868ae06b0033b732df4e5342b1fca32

          Download Submit

        • C:\tixup\extender\vnmx.bat
          Filesize

          710B

          MD5

          49c1e1fe9091b2fa5776c830fe7d6ce6

          SHA1

          90ad8ac24850353fb201028f32429c5a54ac8298

          SHA256

          ed0363a7bc37050f0ced5d4f74fe73c3fc2c119a5c750a8a35df893935e5a000

          SHA512

          aaadba5838167a673a44092feb4e151afffe19d16b9a77fa6384ab7db7e5c435b05c19197ed1b10c6c403572da17689dad79c91288eee95208243e34de9c66d2

          Download Submit

        • \tixup\extender\scvxh.exe
          Filesize

          442KB

          MD5

          f9d233f84a40e94b7f28fa6bedcb6250

          SHA1

          04cb2732bc4fa073e8573e2563580603aa1944b0

          SHA256

          e8032b22ad26e474982b9cf7a8cd2cca683a91dbaf7a129b15cc5634cbb39850

          SHA512

          bf8c1e0a489ced29a476415aaa099bd7bca0cfae2a09bc35e205b0f5bb185e60ed44b15342228ef7e503037ea776841986c55d594eeb81984ba28cd5395b6f30

          Download Submit

        • \tixup\extender\scvxh.exe
          Filesize

          8KB

          MD5

          4fecb7bd9e7777c6bfaa0f3c82c07b5a

          SHA1

          0ef2af77bcd3ddfd961112bb0f3ce63dd476d585

          SHA256

          bea0abacebb993b479e322409829f4b49e118869a698209f690c05abf57393d0

          SHA512

          c60127678af7fcf4a060b0e5b63b764c30a2f4880a4bc3d646ee7da147a5ea67658ccaf4d3547b095a4d474d244ff7a17c9015b21b365ab5cb0244b32263bd24

          Download Submit

        • memory/2420-44-0x0000000000400000-0x0000000000458000-memory.dmp

          Filesize

          352KB

          Download

        • memory/2708-41-0x0000000000190000-0x00000000001E8000-memory.dmp

          Filesize

          352KB

          Download

        • memory/2708-45-0x0000000000190000-0x00000000001E8000-memory.dmp

          Filesize

          352KB

          Download