Overview

overview

7

Static

static

3

638957e361...47.exe

windows7-x64

7

638957e361...47.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    117s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20231129-en
  • resource tags

    arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
  • submitted
    17/01/2024, 20:31

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    638957e361adc27c5bdceabf226ed647.exe

  • Size

    346KB

  • MD5

    638957e361adc27c5bdceabf226ed647

  • SHA1

    d055289554f9ef1c06face06155183a1b5aa42cc

  • SHA256

    82ba25d1ba7b4159de61d80789de0244241f78e70a8257d6fae20af138bd3925

  • SHA512

    e5d718c4bb675d92f47a59d184507cc710d7aa35ce04911601289dafaed2ca6ad7099a573542fff6b7e3053b052fb49120c65d542e93f91253bf30f7209b633c

  • SSDEEP

    6144:wM4bfTnPPlznuRO2aGvBA7T9s/+R0/KptnfKCIekxSiecTdh/W:wM4bfDlzntYBoTTztnfKtsDcZ9W

Score
7/10
upx

Malware Config

Signatures

  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 3 IoCs
  • UPX packed file 13 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • AutoIT Executable 10 IoCs

    AutoIT scripts compiled to PE executables.

  • Drops file in System32 directory 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Kills process with taskkill 2 IoCs
    evasion
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\638957e361adc27c5bdceabf226ed647.exe
    "C:\Users\Admin\AppData\Local\Temp\638957e361adc27c5bdceabf226ed647.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in System32 directory
    • Suspicious use of WriteProcessMemory
    PID:2384
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c taskkill /im 360safe.exe /f
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2424
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /im 360safe.exe /f
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2256
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c taskkill /im 360tray.exe /f
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2216
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /im 360tray.exe /f
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2544
    • C:\Windows\SysWOW64\abc140.exe
      "C:\Windows\System32\abc140.exe"
      2⤵
      • Executes dropped EXE
      PID:2456
    • C:\Windows\SysWOW64\abc150.exe
      "C:\Windows\System32\abc150.exe"
      2⤵
      • Executes dropped EXE
      PID:1632
    • C:\Windows\SysWOW64\abc160.exe
      "C:\Windows\System32\abc160.exe"
      2⤵
      • Executes dropped EXE
      PID:1236

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\SysWOW64\abc140.exe
    Filesize

    247KB

    MD5

    640fe35061893062ffa6b3e19f39439e

    SHA1

    a58811392b1a4a3d9ce8ddd843ce656fd05e2f43

    SHA256

    e1d477c71df48d2f64124e5fe6f9bc3499f99ed88992156f14f212cc8b3b20cc

    SHA512

    9eb718fcb260ec48ad3e62faa8ace74a7e698d2770430474101c42dffc559fff6ccb99a60768ed85901042d5be3c63fbd46bc2f37563e2e7f54cdf30aaa313f7

    Download Submit

  • \Windows\SysWOW64\abc150.exe
    Filesize

    315KB

    MD5

    92d896344f35b87c6ba84700345c0bbd

    SHA1

    e0252af51704a5cd21cd89596d1965ee1af6a446

    SHA256

    e77a74e60cd55a4b8d364f423b8700dee403a78aefbd196b59893e07d4c9acc4

    SHA512

    b92db998b23505461724713ac1d8b3acbf22eb8c0588f59e5c37665be0a145e9f5f5a61931ab94a9c5a89548312de96422318ede49746c1ee6b7734b002caa98

    Download Submit

  • \Windows\SysWOW64\abc160.exe
    Filesize

    247KB

    MD5

    218d29ae348cca7cff2c383bcff0d889

    SHA1

    82a4727425748041864d17962d13b96d47ba8e92

    SHA256

    f62913310f21c8666f0e51371267769bb6906c784db90aac864777c45ccb0877

    SHA512

    af1c8b5f770647210ef6f6de6fc29c27ae42f4cff1220d3f1612eecc337f8c25d03c88803a9ead0c5cf26bdcfbc892d95f8bd41b2bb38f0d6ba9b71916873b24

    Download Submit

  • memory/1236-39-0x0000000000400000-0x0000000000495000-memory.dmp

    Filesize

    596KB

    Download

  • memory/1236-37-0x0000000000400000-0x0000000000495000-memory.dmp

    Filesize

    596KB

    Download

  • memory/1632-29-0x0000000000400000-0x0000000000495000-memory.dmp

    Filesize

    596KB

    Download

  • memory/1632-28-0x0000000000400000-0x0000000000495000-memory.dmp

    Filesize

    596KB

    Download

  • memory/1632-27-0x0000000000400000-0x0000000000495000-memory.dmp

    Filesize

    596KB

    Download

  • memory/1632-25-0x0000000000400000-0x0000000000495000-memory.dmp

    Filesize

    596KB

    Download

  • memory/2384-9-0x0000000003880000-0x0000000003890000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2384-16-0x0000000003880000-0x0000000003915000-memory.dmp

    Filesize

    596KB

    Download

  • memory/2384-15-0x0000000003880000-0x0000000003890000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2384-0-0x0000000000400000-0x0000000000549000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/2384-11-0x0000000003880000-0x0000000003915000-memory.dmp

    Filesize

    596KB

    Download

  • memory/2384-1-0x0000000000400000-0x0000000000549000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/2384-40-0x0000000000400000-0x0000000000549000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/2456-17-0x0000000000400000-0x0000000000495000-memory.dmp

    Filesize

    596KB

    Download

  • memory/2456-14-0x0000000000400000-0x0000000000495000-memory.dmp

    Filesize

    596KB

    Download

  • memory/2456-13-0x0000000000400000-0x0000000000495000-memory.dmp

    Filesize

    596KB

    Download

  • memory/2456-12-0x0000000000400000-0x0000000000495000-memory.dmp

    Filesize

    596KB

    Download