Overview

overview

8

Static

static

7

7af61037f9...f9.exe

windows7-x64

8

7af61037f9...f9.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    150s
  • max time network
    136s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
  • submitted
    27/01/2024, 18:30

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    7af61037f9e4ab6f14e38892d883aef9.exe

  • Size

    10KB

  • MD5

    7af61037f9e4ab6f14e38892d883aef9

  • SHA1

    31b1c4930f1bdd75e928af2e30b1bc8cfcc3c684

  • SHA256

    2f4148751d2ea405d1fc7506ee8e3fb82e1c3ab3e7d3ce38eabaee14e285b28a

  • SHA512

    aac3670b661f1f7e147759e65c34239c55d5bb81e7a5ca1fcd8fc1b83d6e2a0a6fdb2a72bab72d1db3a720e75c9201837a1edf25bed2a90eab33748c7930348e

  • SSDEEP

    192:CZuqGusNGjZQYi1k94uRtIxhNIlSYawooHPTitNpJB7+:CZFG0jL4qt/SYawooUNpL+

Score
8/10
persistenceupx

Malware Config

Signatures

  • Modifies AppInit DLL entries 2 TTPs
    persistence
  • Executes dropped EXE 1 IoCs
  • UPX packed file 4 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Drops file in System32 directory 3 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\7af61037f9e4ab6f14e38892d883aef9.exe
    "C:\Users\Admin\AppData\Local\Temp\7af61037f9e4ab6f14e38892d883aef9.exe"
    1⤵
    • Drops file in System32 directory
    • Suspicious use of WriteProcessMemory
    PID:2384
    • C:\Windows\SysWOW64\qoemslk.exe
      C:\Windows\system32\qoemslk.exe ˜‰
      2⤵
      • Executes dropped EXE
      PID:2596
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\7af61037f9e4ab6f14e38892d883aef9.exe.bat
      2⤵
        PID:228

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\7af61037f9e4ab6f14e38892d883aef9.exe.bat
      Filesize

      182B

      MD5

      79179f4c692ee6381704f9d7919989b6

      SHA1

      b596e6e4c3de5ac54c18737a8ccfa4ea7cd295cc

      SHA256

      0b75317c707372855676cd9c95091e5046a7d50692413cc1a5e81e9845afb71a

      SHA512

      3c2c7397e39ad4adcb1929e28bf6cd3115a930426fb43019c2d9f031bb24d7eec582276862a45cb268cab3257754a7f0a4bcbd8b22f78f660e26057635578429

      Download Submit

    • C:\Windows\SysWOW64\qoemslk.exe
      Filesize

      10KB

      MD5

      7af61037f9e4ab6f14e38892d883aef9

      SHA1

      31b1c4930f1bdd75e928af2e30b1bc8cfcc3c684

      SHA256

      2f4148751d2ea405d1fc7506ee8e3fb82e1c3ab3e7d3ce38eabaee14e285b28a

      SHA512

      aac3670b661f1f7e147759e65c34239c55d5bb81e7a5ca1fcd8fc1b83d6e2a0a6fdb2a72bab72d1db3a720e75c9201837a1edf25bed2a90eab33748c7930348e

      Download Submit

    • memory/2384-0-0x0000000000400000-0x000000000040F000-memory.dmp

      Filesize

      60KB

      Download

    • memory/2384-9-0x0000000000400000-0x000000000040F000-memory.dmp

      Filesize

      60KB

      Download

    • memory/2596-6-0x0000000000400000-0x000000000040F000-memory.dmp

      Filesize

      60KB

      Download