Overview

overview

8

Static

static

7

7ab8a9ca2e...8c.exe

windows7-x64

8

7ab8a9ca2e...8c.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    86s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
  • submitted
    27-01-2024 16:28

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    7ab8a9ca2e3b444553a9d68efae8408c.exe

  • Size

    34KB

  • MD5

    7ab8a9ca2e3b444553a9d68efae8408c

  • SHA1

    16d7c7cd93c62fbf1db63debabf301e3f6396a3d

  • SHA256

    6a9ec3ae49dfab6ea45e73634dafd30ed07c8e637722821a1aa699b0d3f4ce0b

  • SHA512

    c9ea4659d1d05c7155f84e35accbd32fde35788d20035d6ccb3426e451439f2167c9640689c31491a3483b4662890c3e085f015c921c0979a41a2cbbfcae0d92

  • SSDEEP

    768:ZVd51InrypdFX6fxp8QVCd1YiiuzAD+/CGqcq45aJIZEinmQwJ7:VaoWNY1YixzgQ6IDF67

Score
8/10
evasionupx

Malware Config

Signatures

  • Stops running service(s) 3 TTPs
    evasion
  • Deletes itself 1 IoCs
  • Loads dropped DLL 1 IoCs
  • UPX packed file 2 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Drops file in System32 directory 8 IoCs
  • Launches sc.exe 2 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\7ab8a9ca2e3b444553a9d68efae8408c.exe
    "C:\Users\Admin\AppData\Local\Temp\7ab8a9ca2e3b444553a9d68efae8408c.exe"
    1⤵
    • Drops file in System32 directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1332
    • C:\Windows\SysWOW64\net.exe
      net stop cryptsvc
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4240
      • C:\Windows\SysWOW64\net1.exe
        C:\Windows\system32\net1 stop cryptsvc
        3⤵
          PID:3572
      • C:\Windows\SysWOW64\sc.exe
        sc config cryptsvc start= disabled
        2⤵
        • Launches sc.exe
        PID:2036
      • C:\Windows\SysWOW64\sc.exe
        sc delete cryptsvc
        2⤵
        • Launches sc.exe
        PID:3360
      • C:\Windows\SysWOW64\rundll32.exe
        C:\Users\Admin\AppData\Local\Temp\1706372935.dat, ServerMain c:\users\admin\appdata\local\temp\7ab8a9ca2e3b444553a9d68efae8408c.exe
        2⤵
        • Deletes itself
        • Loads dropped DLL
        PID:1996

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Windows\SysWOW64\sysapp1.dll
      Filesize

      34KB

      MD5

      86053734fb9de74fd76415518e35623b

      SHA1

      910f83249debeda7b456d891c9ab85393f917163

      SHA256

      7f25278e38164beb60ae88017c211b9f04c03bc9ae894da03d44d404bb1209d9

      SHA512

      224f23ce6e4507ba84b3997be7e4ddd1f593975d18736822c6852a8f3c78f1f1ace1c0f1644f4f88fcd6d44fe327d23b72a3cc39292494f5f0c5c40ad1ebffc5

      Download Submit

    • memory/1332-0-0x0000000000400000-0x0000000000416000-memory.dmp

      Filesize

      88KB

      Download

    • memory/1332-10-0x0000000000400000-0x0000000000416000-memory.dmp

      Filesize

      88KB

      Download