Overview

overview

8

Static

static

3

585e7bb53a...4e.exe

windows7-x64

8

585e7bb53a...4e.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    142s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20231129-en
  • resource tags

    arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
  • submitted
    13/01/2024, 07:44

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    585e7bb53a3b676614de1cfa844e8c4e.exe

  • Size

    116KB

  • MD5

    585e7bb53a3b676614de1cfa844e8c4e

  • SHA1

    b4734f071a645b7fff8bb58826205600ca6445ed

  • SHA256

    e4703b9a702649087efa7a074bf75e003ef2291efea601f4dd2aa78693bf8e3a

  • SHA512

    354067838983a3fb94155d7487ba7c23d43115bcf4ed299291b54a579bd8b7aa13dae03ab3b3cc2c395056b365d53542fe4b42805c52e01b151d0ae47f6e6542

  • SSDEEP

    3072:66Aipz39gBu6f6q789ckd0hcLEOknMQVBsAB2EOuFhFdOP618O:E09go6f18WS0hvOMMQVBsAB2Lu/OPe

Score
8/10
evasionpersistenceupx

Malware Config

Signatures

  • Creates new service(s) 1 TTPs
    persistence
  • Modifies Windows Firewall 1 TTPs 1 IoCs
    evasion
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • UPX packed file 17 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Drops file in System32 directory 8 IoCs
  • Launches sc.exe 2 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\585e7bb53a3b676614de1cfa844e8c4e.exe
    "C:\Users\Admin\AppData\Local\Temp\585e7bb53a3b676614de1cfa844e8c4e.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • Drops file in System32 directory
    • Suspicious use of WriteProcessMemory
    PID:2376
    • C:\Windows\SysWOW64\sc.exe
      "C:\Windows\System32\sc.exe" create qosname32 type= share start= auto DisplayName= "Microsoft Windows GetQosByName Service Provider" group= "Event Log" binPath= "rundll32.exe C:\Windows\system32\qosname32.dll,orul"
      2⤵
      • Launches sc.exe
      PID:2992
    • C:\Windows\SysWOW64\sc.exe
      "C:\Windows\System32\sc.exe" description qosname32 "Microsoft Windows GetQosByName Service Provider"
      2⤵
      • Launches sc.exe
      PID:2548
    • C:\Windows\SysWOW64\netsh.exe
      C:\Windows\system32\netsh.exe firewall add portopening TCP 1513 messenger
      2⤵
      • Modifies Windows Firewall
      PID:2740
    • C:\Users\Admin\AppData\Local\Temp\8968b91d.exe
      "C:\Users\Admin\AppData\Local\Temp\8968b91d.exe"
      2⤵
      • Executes dropped EXE
      PID:2648

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • \Users\Admin\AppData\Local\Temp\8968b91d.exe
    Filesize

    19KB

    MD5

    ee4f00c27ba7f34d7f66d6ee3bf06b1e

    SHA1

    1743581ef8f89bff75508857ce9f9db70212b03d

    SHA256

    cbecf191acb3bac4bbdcbcb1f90f769654c33bf8d95541be4ffc6ee1caaa9379

    SHA512

    24abaaa1ca085ed8d7a043c9bee935e3f7b2f5b8aa2c41de8a6b6b299d00e16f09cceb95741cf3c8c82948020977ccde445f5da8f6d7de431b9be5d39d8c96c8

    Download Submit

  • memory/2376-0-0x0000000000400000-0x0000000000408000-memory.dmp

    Filesize

    32KB

    Download

  • memory/2376-18-0x0000000000400000-0x0000000000408000-memory.dmp

    Filesize

    32KB

    Download

  • memory/2648-27-0x0000000000400000-0x000000000041F000-memory.dmp

    Filesize

    124KB

    Download

  • memory/2648-29-0x0000000000400000-0x000000000041F000-memory.dmp

    Filesize

    124KB

    Download

  • memory/2648-24-0x0000000000400000-0x000000000041F000-memory.dmp

    Filesize

    124KB

    Download

  • memory/2648-25-0x0000000000400000-0x000000000041F000-memory.dmp

    Filesize

    124KB

    Download

  • memory/2648-26-0x0000000000400000-0x000000000041F000-memory.dmp

    Filesize

    124KB

    Download

  • memory/2648-19-0x0000000000400000-0x000000000041F000-memory.dmp

    Filesize

    124KB

    Download

  • memory/2648-28-0x0000000000400000-0x000000000041F000-memory.dmp

    Filesize

    124KB

    Download

  • memory/2648-23-0x0000000000400000-0x000000000041F000-memory.dmp

    Filesize

    124KB

    Download

  • memory/2648-30-0x0000000000400000-0x000000000041F000-memory.dmp

    Filesize

    124KB

    Download

  • memory/2648-31-0x0000000000400000-0x000000000041F000-memory.dmp

    Filesize

    124KB

    Download

  • memory/2648-32-0x0000000000400000-0x000000000041F000-memory.dmp

    Filesize

    124KB

    Download

  • memory/2648-33-0x0000000000400000-0x000000000041F000-memory.dmp

    Filesize

    124KB

    Download

  • memory/2648-34-0x0000000000400000-0x000000000041F000-memory.dmp

    Filesize

    124KB

    Download

  • memory/2648-35-0x0000000000400000-0x000000000041F000-memory.dmp

    Filesize

    124KB

    Download

  • memory/2648-36-0x0000000000400000-0x000000000041F000-memory.dmp

    Filesize

    124KB

    Download

  • memory/2648-37-0x0000000000400000-0x000000000041F000-memory.dmp

    Filesize

    124KB

    Download