Overview

overview

10

Static

static

1

7a238546ba...3f.exe

windows7-x64

10

7a238546ba...3f.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    148s
  • max time network
    146s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
  • submitted
    27/01/2024, 11:37

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    7a238546ba438a42789cf5d6bd08a03f.exe

  • Size

    284KB

  • MD5

    7a238546ba438a42789cf5d6bd08a03f

  • SHA1

    1bb68ee98e317203f4df9b2195533350f58cd0be

  • SHA256

    162d39f277d19f7692d6b420640502debe9327573bdc1d8402d127d94bd98e69

  • SHA512

    be80c3fce348b918dfae6788725869204d4b1d4511b1dded700fa0abd09e88997daa1e968569a7edb42cb648841da6bc9149c6d6ffae9e62b0cf5f4050684977

  • SSDEEP

    3072:ztM6vm1mgc3EPAJjCE/o2LA4qcw5bGIT5eNXy:5E1mgc3EPAJ2L0qZbGINely

Score
7/10
upx

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 7 IoCs
  • UPX packed file 9 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Suspicious use of SetThreadContext 7 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 5 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\7a238546ba438a42789cf5d6bd08a03f.exe
    "C:\Users\Admin\AppData\Local\Temp\7a238546ba438a42789cf5d6bd08a03f.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:4032
    • C:\Windows\SysWOW64\svchost.exe
      C:\Windows\system32\\svchost.exe
      2⤵
        PID:4932
      • C:\Users\Admin\AppData\Local\Temp\7a238546ba438a42789cf5d6bd08a03f.exe
        2⤵
        • Checks computer location settings
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2068
        • C:\Users\Admin\E696D64614\winlogon.exe
          "C:\Users\Admin\E696D64614\winlogon.exe"
          3⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • Suspicious use of WriteProcessMemory
          PID:4072
          • C:\Windows\SysWOW64\svchost.exe
            C:\Windows\system32\\svchost.exe
            4⤵
              PID:1808
            • C:\Users\Admin\E696D64614\winlogon.exe
              4⤵
              • Executes dropped EXE
              • Suspicious use of SetThreadContext
              • Suspicious use of SetWindowsHookEx
              • Suspicious use of WriteProcessMemory
              PID:384
              • C:\Users\Admin\E696D64614\winlogon.exe
                "C:\Users\Admin\E696D64614\winlogon.exe"
                5⤵
                • Executes dropped EXE
                PID:1428
                • C:\Windows\SysWOW64\WerFault.exe
                  C:\Windows\SysWOW64\WerFault.exe -u -p 1428 -s 12
                  6⤵
                  • Program crash
                  PID:724
              • C:\Users\Admin\E696D64614\winlogon.exe
                "C:\Users\Admin\E696D64614\winlogon.exe"
                5⤵
                • Executes dropped EXE
                PID:1856
                • C:\Windows\SysWOW64\WerFault.exe
                  C:\Windows\SysWOW64\WerFault.exe -u -p 1856 -s 12
                  6⤵
                  • Program crash
                  PID:4436
              • C:\Users\Admin\E696D64614\winlogon.exe
                "C:\Users\Admin\E696D64614\winlogon.exe"
                5⤵
                • Executes dropped EXE
                PID:2076
                • C:\Windows\SysWOW64\WerFault.exe
                  C:\Windows\SysWOW64\WerFault.exe -u -p 2076 -s 12
                  6⤵
                  • Program crash
                  PID:4172
              • C:\Users\Admin\E696D64614\winlogon.exe
                "C:\Users\Admin\E696D64614\winlogon.exe"
                5⤵
                • Executes dropped EXE
                PID:4428
                • C:\Windows\SysWOW64\WerFault.exe
                  C:\Windows\SysWOW64\WerFault.exe -u -p 4428 -s 12
                  6⤵
                  • Program crash
                  PID:4716
              • C:\Users\Admin\E696D64614\winlogon.exe
                "C:\Users\Admin\E696D64614\winlogon.exe"
                5⤵
                • Executes dropped EXE
                PID:3464
                • C:\Windows\SysWOW64\WerFault.exe
                  C:\Windows\SysWOW64\WerFault.exe -u -p 3464 -s 12
                  6⤵
                  • Program crash
                  PID:4028
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 1428 -ip 1428
        1⤵
          PID:3084
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 1856 -ip 1856
          1⤵
            PID:3240
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 2076 -ip 2076
            1⤵
              PID:4292
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4428 -ip 4428
              1⤵
                PID:2404
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 3464 -ip 3464
                1⤵
                  PID:560

                Network

                      MITRE ATT&CK Enterprise v15

                      Replay Monitor

                      Loading Replay Monitor...

                      Downloads

                      • C:\Users\Admin\E696D64614\winlogon.exe
                        Filesize

                        284KB

                        MD5

                        7a238546ba438a42789cf5d6bd08a03f

                        SHA1

                        1bb68ee98e317203f4df9b2195533350f58cd0be

                        SHA256

                        162d39f277d19f7692d6b420640502debe9327573bdc1d8402d127d94bd98e69

                        SHA512

                        be80c3fce348b918dfae6788725869204d4b1d4511b1dded700fa0abd09e88997daa1e968569a7edb42cb648841da6bc9149c6d6ffae9e62b0cf5f4050684977

                        Download Submit

                      • memory/384-52-0x0000000000400000-0x0000000000419000-memory.dmp

                        Filesize

                        100KB

                        Download

                      • memory/384-46-0x0000000000400000-0x0000000000419000-memory.dmp

                        Filesize

                        100KB

                        Download

                      • memory/384-40-0x0000000000400000-0x0000000000419000-memory.dmp

                        Filesize

                        100KB

                        Download

                      • memory/384-34-0x0000000000400000-0x0000000000419000-memory.dmp

                        Filesize

                        100KB

                        Download

                      • memory/384-28-0x0000000000400000-0x0000000000419000-memory.dmp

                        Filesize

                        100KB

                        Download

                      • memory/2068-4-0x0000000000400000-0x0000000000419000-memory.dmp

                        Filesize

                        100KB

                        Download

                      • memory/2068-15-0x0000000000400000-0x0000000000419000-memory.dmp

                        Filesize

                        100KB

                        Download

                      • memory/2068-0-0x0000000000400000-0x0000000000419000-memory.dmp

                        Filesize

                        100KB

                        Download

                      • memory/2068-3-0x0000000000400000-0x0000000000419000-memory.dmp

                        Filesize

                        100KB

                        Download

                      • memory/4032-2-0x0000000000400000-0x0000000000421000-memory.dmp

                        Filesize

                        132KB

                        Download

                      • memory/4072-20-0x0000000000400000-0x0000000000421000-memory.dmp

                        Filesize

                        132KB

                        Download