Analysis

  • max time kernel
    163s
  • max time network
    174s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    13/01/2024, 10:32

General

  • Target

    58b2858fdbda4ec08d3929c12a74b0da.exe

  • Size

    64KB

  • MD5

    58b2858fdbda4ec08d3929c12a74b0da

  • SHA1

    a36b66bc6f3cdbf0b024e340115f4b74527a458f

  • SHA256

    576aeeabf41fca19877fae09bae568357041c9e7a0a42fa9889243be3fb3edcc

  • SHA512

    414182fe9cddb874a402535b1d2a670843466da3d9c28c22e9b155228468d3d4af8d2a29c21c4565388484560131d04d82a4e3e33eab9ac6124106a88a3bf208

  • SSDEEP

    768:ae2mxDMm+STZ5UW0Z080t0M0+4ZfucVI4la7kYw4JUM3i/EhWoyiSq:txft5aucVI4la4YJUM3XhWoyG

Score
8/10
upx

Signatures

  • Drops file in Drivers directory 3 IoCs
  • Manipulates Digital Signatures 1 IoCs

    Attackers can apply techniques such as modifying certain DLL exports to make their binary seem valid.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • UPX packed file 10 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops file in System32 directory 64 IoCs
  • Drops file in Windows directory 22 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs
  • Suspicious use of FindShellTrayWindow 25 IoCs
  • Suspicious use of SendNotifyMessage 24 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\58b2858fdbda4ec08d3929c12a74b0da.exe
    "C:\Users\Admin\AppData\Local\Temp\58b2858fdbda4ec08d3929c12a74b0da.exe"
    1⤵
    • Drops file in Drivers directory
    • Manipulates Digital Signatures
    • Checks computer location settings
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Suspicious use of WriteProcessMemory
    PID:260
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.freeav.com/
      2⤵
      • Enumerates system info in registry
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:2436
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8563f46f8,0x7ff8563f4708,0x7ff8563f4718
        3⤵
          PID:4656
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2092,14590318672725562527,12054355884612502934,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2100 /prefetch:2
          3⤵
            PID:2312
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2092,14590318672725562527,12054355884612502934,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2508 /prefetch:3
            3⤵
            • Suspicious behavior: EnumeratesProcesses
            PID:4748
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2092,14590318672725562527,12054355884612502934,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2828 /prefetch:8
            3⤵
              PID:3828
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,14590318672725562527,12054355884612502934,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3304 /prefetch:1
              3⤵
                PID:1360
              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,14590318672725562527,12054355884612502934,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3300 /prefetch:1
                3⤵
                  PID:4436
                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,14590318672725562527,12054355884612502934,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4104 /prefetch:1
                  3⤵
                    PID:5204
                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,14590318672725562527,12054355884612502934,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5392 /prefetch:1
                    3⤵
                      PID:5360
                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,14590318672725562527,12054355884612502934,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5376 /prefetch:1
                      3⤵
                        PID:5352
                      • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2092,14590318672725562527,12054355884612502934,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3596 /prefetch:8
                        3⤵
                          PID:5484
                        • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                          "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2092,14590318672725562527,12054355884612502934,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3596 /prefetch:8
                          3⤵
                          • Suspicious behavior: EnumeratesProcesses
                          PID:5500
                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,14590318672725562527,12054355884612502934,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4072 /prefetch:1
                          3⤵
                            PID:5688
                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,14590318672725562527,12054355884612502934,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5052 /prefetch:1
                            3⤵
                              PID:5696
                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,14590318672725562527,12054355884612502934,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=212 /prefetch:1
                              3⤵
                                PID:5972
                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,14590318672725562527,12054355884612502934,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5980 /prefetch:1
                                3⤵
                                  PID:4564
                                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,14590318672725562527,12054355884612502934,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5544 /prefetch:1
                                  3⤵
                                    PID:4936
                                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.antispyware.com/
                                  2⤵
                                    PID:5932
                                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8563f46f8,0x7ff8563f4708,0x7ff8563f4718
                                      3⤵
                                        PID:5944
                                  • C:\Windows\System32\CompPkgSrv.exe
                                    C:\Windows\System32\CompPkgSrv.exe -Embedding
                                    1⤵
                                      PID:4428
                                    • C:\Windows\System32\CompPkgSrv.exe
                                      C:\Windows\System32\CompPkgSrv.exe -Embedding
                                      1⤵
                                        PID:2956

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
    Filesize: 152B
    MD5: 84381d71cf667d9a138ea03b3283aea5
    SHA1: 33dfc8a32806beaaafaec25850b217c856ce6c7b
    SHA256: 32dd52cc3142b6e758bd60adead81925515b31581437472d1f61bdeda24d5424
    SHA512: 469bfac06152c8b0a82de28e01f7ed36dc27427205830100b1416b7cd8d481f5c4369e2ba89ef1fdd932aaf17289a8e4ede303393feab25afc1158cb931d23a3

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
    Filesize: 111B
    MD5: 285252a2f6327d41eab203dc2f402c67
    SHA1: acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6
    SHA256: 5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026
    SHA512: 11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
    Filesize: 5KB
    MD5: 683335eef63aad9c397e78975bb0dbc1
    SHA1: 24270a256b349f7f2abd047422d9ad412f64c975
    SHA256: ceb31eb395aa0f33063b9b110b08471818d216fc2e815c66c000483848b4d84e
    SHA512: b8db0a229cce0f62712b595b7b8f4328d051fce102c39a24a3dac45e9a321d8f4d664d826197b5d6cd04485fcf48b17ee617e6befb9bb352ba99f5aa26be9a1a

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
    Filesize: 5KB
    MD5: f6b9eb3834b9495941dec45e2d826158
    SHA1: 00a6cde0c2c028855e1bb1cd20ce9b97cc9f8aea
    SHA256: a2ae5d4c2065398fbccfbd2b475cb911189feedafde24215681c5132f559d9ad
    SHA512: f5b8b726bab1f45f3237ca41e9fdddd25b3d0bc114c72a3ce3eef7261b683746d11ad651157ffa04934a119c65ffc0af4ed9f01b5b3b742b7f66fde69a941669

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
    Filesize: 6KB
    MD5: de8355c94c7c7a402455b97e15b1fec6
    SHA1: dbc55922a624c08d9709ad7b38793186af3431ae
    SHA256: 4ac975265417d415546a11765ad86d0ae6597fadba4b5b25e28210cdf4424046
    SHA512: f6e707ee9e459f69ca1f429db272f61e9b71c1080c8d703fc961b2c7e1a010a6bdcdd8156221402b7d374b31a162da7ee93763439bd48a534b49dd08164400e3

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences
    Filesize: 24KB
    MD5: 35f77ec6332f541cd8469e0d77af0959
    SHA1: abaec73284cee460025c6fcbe3b4d9b6c00f628c
    SHA256: f0be4c5c99b216083bd9ee878f355e1aa508f94feb14aeebcfba4648d85563a7
    SHA512: e0497dbe48503ebbf6a3c9d188b9637f80bccf9611a9e663d9e4493912d398c6b2a9eab3f506e5b524b3dabbca7bb5a88f882a117b03a3b39f43f291b59870c8

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
    Filesize: 16B
    MD5: 6752a1d65b201c13b62ea44016eb221f
    SHA1: 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
    SHA256: 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
    SHA512: 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
    Filesize: 12KB
    MD5: df53c82a86dcc97ea720f25b5ea2c683
    SHA1: e465be8a047d692e384767baa1edcdd0ddf4ea03
    SHA256: eee137d2645aa67833987afb2ff62a0ccdef328483e82d2bb87c26d3f98c1af4
    SHA512: b4f6ff4173fc58eb932da51e60572d6903e21ed419b278929f9f96c8d1b8b7a116a9eb7b4ed2cb528860bd8c874293d20b1a79541000a0fdd7b0871b7394df7d

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\f6ff03eb-4a22-4d5c-8136-08742285b574.tmp
    Filesize: 11KB
    MD5: 669cd088460328a9682e4c6e51ebd642
    SHA1: 601dff3ac335ad0ba8b4c7fa587bba98693dc970
    SHA256: 801285df00c17445f104e5d1d43871212dbe2666470c3a8419ff7f2e48ac0555
    SHA512: 2e83a69cd70fb524715005c7e7ab5d2e5727b0c8b7118c58a699624a4115fd8fdc200f07d639811edade62be90b3d803ab8b623a7c0d35d12fb64d5ac2b767bd

  • C:\Windows\setupact.log
    Filesize: 28KB
    MD5: 65a2711502a468a55fe080af0e98ce34
    SHA1: 08595264a358645553ab3fe6c11b0a2aadf34778
    SHA256: 3381947f755c91ac827bcd3b803926ea47e2c65f6cabac2ea3e2f48a8a5eb94f
    SHA512: 40c82833aee72a983f848cc4cd90f5325d3249e492f07ed0b9db4f4d4a4e47343df5d5971a08efd72ae92299b36599ebacddb6a595655dbf2f89f2f4e2994578

  • C:\exc.exe
    Filesize: 36KB
    MD5: 615141291cf52b71391835fd37d40e75
    SHA1: 5984679b33a5e3edefbf788d96762dd0a45da53f
    SHA256: 2c0e0cd3e5808f92d594058794fa75ce33843bd7d22ec7a2180600ff1ae967d1
    SHA512: e5eecda001683f7b6e47932a1eab25ebc4f0ba821d87ac1d679e19381436de04d82bcced64f28d9c376336e414ca40d1fcf0bc7dd4e8978249cfc38f87262490

Memory dumps (all from PID 260, same 40KB region)

  • memory/260-553-0x0000000000400000-0x000000000040A000-memory.dmp (40KB)
  • memory/260-110-0x0000000000400000-0x000000000040A000-memory.dmp (40KB)
  • memory/260-23-0x0000000000400000-0x000000000040A000-memory.dmp (40KB)
  • memory/260-25-0x0000000000400000-0x000000000040A000-memory.dmp (40KB)
  • memory/260-0-0x0000000000400000-0x000000000040A000-memory.dmp (40KB)
  • memory/260-9-0x0000000000400000-0x000000000040A000-memory.dmp (40KB)
  • memory/260-985-0x0000000000400000-0x000000000040A000-memory.dmp (40KB)
  • memory/260-308-0x0000000000400000-0x000000000040A000-memory.dmp (40KB)
  • memory/260-111-0x0000000000400000-0x000000000040A000-memory.dmp (40KB)