Overview

overview

10

Static

static

3

6801b83557...c6.exe

windows7-x64

10

6801b83557...c6.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
  • submitted
    19-01-2024 15:44

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    6801b835572c1736b2aeb6e55b7c88c6.exe

  • Size

    54KB

  • MD5

    6801b835572c1736b2aeb6e55b7c88c6

  • SHA1

    9ff46580d7d9258f8c10766c288ad355ea4398bc

  • SHA256

    3e24b23721c3655a5148eaf5ff23e398730e9f270307d14d5452f165732a5054

  • SHA512

    152b4bcf5b8f4a72a76dbda2c997e38a58827a8edb9e031e750b8d2d2553a600d3b00091cbf37af1b27b3222fa7a68e971b5d6829c06d5167cc95da1aa47d807

  • SSDEEP

    1536:6vQqZwQUxtwILj8zMs/jtI7iG43yf6KpVi:6xwhxZLwzM1YyfRVi

Score
10/10
persistenceupx

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
    persistence
  • ACProtect 1.3x - 1.4x DLL software 1 IoCs

    Detects file using ACProtect software.

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • UPX packed file 2 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Drops file in Windows directory 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\6801b835572c1736b2aeb6e55b7c88c6.exe
    "C:\Users\Admin\AppData\Local\Temp\6801b835572c1736b2aeb6e55b7c88c6.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:5020
    • C:\Windows\SVCH0ST.exe
      C:\Windows\SVCH0ST.exe
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      PID:1216

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\SVCH0ST.exe
    Filesize

    54KB

    MD5

    6801b835572c1736b2aeb6e55b7c88c6

    SHA1

    9ff46580d7d9258f8c10766c288ad355ea4398bc

    SHA256

    3e24b23721c3655a5148eaf5ff23e398730e9f270307d14d5452f165732a5054

    SHA512

    152b4bcf5b8f4a72a76dbda2c997e38a58827a8edb9e031e750b8d2d2553a600d3b00091cbf37af1b27b3222fa7a68e971b5d6829c06d5167cc95da1aa47d807

    Download Submit

  • C:\Windows\SVCH0ST.exe
    Filesize

    23KB

    MD5

    ae731297b509d6fbdacb1928e486d922

    SHA1

    e5802e534a3545857380843c53ab825f4b1b3fee

    SHA256

    8e4449416908c8534511ab689ace1085491c4771fe81003856a5a50f6a51fab5

    SHA512

    1ce9208adb32e5c08600e3dd82827351d2e26fbdbea9eda97373c11023f462208dcf84439a04c4101ad25cde6fbca8a8a26ec9177a135362e037fcad9dc48dfc

    Download Submit

  • C:\Windows\lsas.bmp
    Filesize

    20KB

    MD5

    d1a192350cff8cf330946dee8d633b2d

    SHA1

    7d6a4f11603b8e7189285900b5ad208ac4243798

    SHA256

    ca090e9354ca8f5e07055d65b0c42912bf938a29fb0e0f922594eb5a55ec48c4

    SHA512

    bfab16512e2ff0e370f42085c2c5837d51f0aba6db1323ebbe562d4b0208c261ba90e26e2cad9de92ae35cf302e86fa14270f38bd72ddbc879385681efb8f05f

    Download Submit

  • memory/1216-18-0x0000000000400000-0x0000000000414000-memory.dmp

    Filesize

    80KB

    Download

  • memory/1216-22-0x0000000000400000-0x0000000000414000-memory.dmp

    Filesize

    80KB

    Download

  • memory/1216-12-0x0000000000400000-0x0000000000414000-memory.dmp

    Filesize

    80KB

    Download

  • memory/1216-14-0x0000000000400000-0x0000000000414000-memory.dmp

    Filesize

    80KB

    Download

  • memory/1216-16-0x0000000000400000-0x0000000000414000-memory.dmp

    Filesize

    80KB

    Download

  • memory/1216-10-0x0000000002370000-0x0000000002387000-memory.dmp

    Filesize

    92KB

    Download

  • memory/1216-20-0x0000000000400000-0x0000000000414000-memory.dmp

    Filesize

    80KB

    Download

  • memory/1216-38-0x0000000000400000-0x0000000000414000-memory.dmp

    Filesize

    80KB

    Download

  • memory/1216-24-0x0000000000400000-0x0000000000414000-memory.dmp

    Filesize

    80KB

    Download

  • memory/1216-26-0x0000000000400000-0x0000000000414000-memory.dmp

    Filesize

    80KB

    Download

  • memory/1216-28-0x0000000000400000-0x0000000000414000-memory.dmp

    Filesize

    80KB

    Download

  • memory/1216-30-0x0000000000400000-0x0000000000414000-memory.dmp

    Filesize

    80KB

    Download

  • memory/1216-32-0x0000000000400000-0x0000000000414000-memory.dmp

    Filesize

    80KB

    Download

  • memory/1216-34-0x0000000000400000-0x0000000000414000-memory.dmp

    Filesize

    80KB

    Download

  • memory/1216-36-0x0000000000400000-0x0000000000414000-memory.dmp

    Filesize

    80KB

    Download

  • memory/5020-11-0x0000000000400000-0x0000000000414000-memory.dmp

    Filesize

    80KB

    Download