Overview

overview

10

Static

static

3

2024-01-18...ia.exe

windows7-x64

10

2024-01-18...ia.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    155s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231222-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
  • submitted
    18-01-2024 22:30

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2024-01-18_1ef0c1c293aad89a4d3a2ffb5fec9609_mafia.exe

  • Size

    119KB

  • MD5

    1ef0c1c293aad89a4d3a2ffb5fec9609

  • SHA1

    787a3344358255291873835d2102f7f8955030bf

  • SHA256

    6d4eaa00386f7e31da0e5e38a6da9ab963f425b39b8d207cc429e95b0c0514cc

  • SHA512

    5b70e340c9743aac6f45d034f0d2dc06c891a68dd5879b45cef5f8e3ca1f139e67df725a88f8981e0a65853f923a0db3022417dbbd692b585375f72d13267ae3

  • SSDEEP

    1536:eUZcxmcd+mmyR9IrpDsp9eoWF9d+xztu+qHPb4pqqnAFQONXsrJgFy0qW+zVau1:eUrcDmOIrysoWFnauHD4trJgFyzau1

Score
10/10
evasiontrojanupx

Malware Config

Signatures

  • UAC bypass 3 TTPs 1 IoCs
    evasiontrojan
  • Detects executables calling ClearMyTracksByProcess 1 IoCs
  • UPX dump on OEP (original entry point) 3 IoCs
  • Downloads MZ/PE file
  • Modifies RDP port number used by Windows 1 TTPs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • UPX packed file 3 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs
  • System policy modification 1 TTPs 1 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-01-18_1ef0c1c293aad89a4d3a2ffb5fec9609_mafia.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-01-18_1ef0c1c293aad89a4d3a2ffb5fec9609_mafia.exe"
    1⤵
    • Checks computer location settings
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:3156
    • C:\Users\Public\Documents\PbiBqPr\molU7.exe
      "C:\Users\Public\Documents\PbiBqPr\molU7.exe"
      2⤵
      • UAC bypass
      • Executes dropped EXE
      • Checks processor information in registry
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:1112
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c echo.>c:\xxxx.ini
        3⤵
          PID:3768
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 3156 -s 1608
        2⤵
        • Program crash
        PID:3408
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 3156 -ip 3156
      1⤵
        PID:380

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\Xshell 6 Update Log.txt
        Filesize

        346B

        MD5

        7384c7127b5371601b7ba713bdc991f0

        SHA1

        09caf4d5ab727e4ccb4378d9b04356160987fc7f

        SHA256

        f8e7b53413852cd17a00036897b1e3851a759d163e4e8d3820d70e130ffb3170

        SHA512

        43fa07eb863fba7e731bf89e36318f4ad47d408e0f9856132fefe8f11508967f3db9a5c34e57fb8d80ad39e91f64c03bc8b6463cdf128c4128fb6d587d91b8be

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\_ir_tu2_temp_0\IRIMG4.JPG
        Filesize

        36KB

        MD5

        05a6b5e6f8f3c239a9669dcc693e9b83

        SHA1

        194ff18e37d56b8d988cd60bb9f0e94bbb23e767

        SHA256

        1bfa036a09bad94fc4b9ce956c13628987f4e390a5f88d64a47f44941aa31692

        SHA512

        0464644346aecc20a35c0ede49bd8e4484314941894553ed728f12c1005b5a01a222b18af396da9675c8183bf8935765ea59a03cacbeb71138270998f9f4c7cb

        Download Submit

      • C:\Users\Public\Documents\PbiBqPr\edge.jpg
        Filesize

        356KB

        MD5

        70cc433484f32b8995c5c8b5d6cf416c

        SHA1

        6317d420c33b194ab6273e3cfd3a59b0e6b1761a

        SHA256

        db0604908604e6cba37a484cefa587284a5d307f9d3774bda1a27ca3aebac0f4

        SHA512

        e4ee6f08c041ea0b932696407c7d59e1ba6303ff72efdd47046be4bec628ba446fd8e9f3f74356b6351e8b14981017f02c79b731ec6821657fd862f31f535d58

        Download Submit

      • C:\Users\Public\Documents\PbiBqPr\edge.xml
        Filesize

        78KB

        MD5

        50119b0feebfe95d24a8c88b0534f77a

        SHA1

        f6cc63e8b1bea744c1bdbc7f1244a30905c0248f

        SHA256

        fad82d37a447c1d8894eb55153cf25ea37b95d7832f9c925e158ddc1f818c5bd

        SHA512

        24de58488991c029d4ad78118d0e54ff4ceb40503abe01b459968672a49a17d267a091b5db497ac814e5060ba2941f553376f1707ed2995ec1eb37362bc52811

        Download Submit

      • C:\Users\Public\Documents\PbiBqPr\molU7.dat
        Filesize

        129KB

        MD5

        662f1e804666857918eb624dd7836fb7

        SHA1

        2742fa5301ca121f608a9dc5c2aab2f74c27c378

        SHA256

        29e51b0d493bc855caf29dcf98a71e8b88ca9636809f06a08fe96496ae633c0e

        SHA512

        d5a7ba70c86217c17aab0eb81e88bb4a07f703c29cb149f8d04ccfc798af76ea2ab0f8b78c7bbbc49fca46390bfbfcc2ec678eda5df791155da4c519ab0977c9

        Download Submit

      • C:\Users\Public\Documents\PbiBqPr\molU7.exe
        Filesize

        476KB

        MD5

        353bc0b9572805670b081276fb7c72a0

        SHA1

        4f069bf1912957b69c3da23b60b0154d18890cc9

        SHA256

        0db8d3af24f42abf43882207b85811d7fe4a4dde66dd3aacd186c035e0527b4e

        SHA512

        11ec5afa75c7fe68d62f8df460fef1743f9f2b18a76ee8c2f1d5b23fc173b03888ca85d0f8f485d735d5c2d5ea9e01dd4e2104bc99f071c0158fdceac0bbe0ab

        Download Submit

      • memory/1112-24-0x0000000000400000-0x000000000053F000-memory.dmp

        Filesize

        1.2MB

        Download

      • memory/1112-48-0x00000000037A0000-0x00000000037B7000-memory.dmp

        Filesize

        92KB

        Download

      • memory/1112-50-0x0000000010000000-0x0000000010061000-memory.dmp

        Filesize

        388KB

        Download

      • memory/1112-46-0x0000000003450000-0x0000000003451000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1112-65-0x0000000000400000-0x000000000053F000-memory.dmp

        Filesize

        1.2MB

        Download

      • memory/1112-67-0x00000000037A0000-0x00000000037B7000-memory.dmp

        Filesize

        92KB

        Download

      • memory/3156-2-0x0000000010000000-0x0000000010018000-memory.dmp

        Filesize

        96KB

        Download