Overview

overview

8

Static

static

3

7c6228390c...68.exe

windows7-x64

8

7c6228390c...68.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    148s
  • max time network
    121s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
  • submitted
    28/01/2024, 06:27

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    7c6228390ccb263c0c26de0740011c68.exe

  • Size

    1.2MB

  • MD5

    7c6228390ccb263c0c26de0740011c68

  • SHA1

    c1a836b55a94cffecafaaebdae8fab3ac631ffd4

  • SHA256

    6415fc879f0fff1c596c4d57b48e6474ce2f5073994c41a56a3bb32b069d5406

  • SHA512

    ed454ffa7cbf794de83d8b76cbbce9c4f78fb025c5fa93fc1a74656545b3d2f6d96ffede42644ef52b5db730cecfa0a6b15ec7c2fb3662650f6cd63a1bf13dc1

  • SSDEEP

    24576:6FszWS5VAX5eVG4VvtQ3gYUEBWwCD8MSHirZPvpvnty7CM/YXBXP:6RJeVGwVQ9UEBt8qHuPFnty4XB/

Score
8/10
evasionpersistenceupx

Malware Config

Signatures

  • Modifies Windows Firewall 2 TTPs 1 IoCs
    evasion
  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Identifies Wine through registry keys 2 TTPs 1 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    evasion
  • UPX packed file 16 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Kills process with taskkill 1 IoCs
    evasion
  • Runs .reg file with regedit 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\7c6228390ccb263c0c26de0740011c68.exe
    "C:\Users\Admin\AppData\Local\Temp\7c6228390ccb263c0c26de0740011c68.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:4896
    • C:\Users\Admin\AppData\Roaming\mIRC\DriverUpdate.exe
      "C:\Users\Admin\AppData\Roaming\mIRC\DriverUpdate.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:1240
      • C:\Windows\SysWOW64\netsh.exe
        "C:\Windows\System32\netsh.exe" firewall set opmode disable
        3⤵
        • Modifies Windows Firewall
        PID:4332
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\mIRC\RegKeys.bat" "
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:5028
        • C:\Windows\SysWOW64\reg.exe
          REG ADD HKEY_CURRENT_USER\Software\mIRC\License /v "" /t REG_SZ /d "3546-331847" /f
          4⤵
            PID:4004
          • C:\Windows\SysWOW64\reg.exe
            REG ADD HKEY_CURRENT_USER\Software\mIRC\UserName /v "" /t REG_SZ /d "cCTeam" /f
            4⤵
              PID:4528
          • C:\Users\Admin\AppData\Roaming\mIRC\mircdriver.exe
            "C:\Users\Admin\AppData\Roaming\mIRC\mircdriver.exe"
            3⤵
            • Checks computer location settings
            • Executes dropped EXE
            • Identifies Wine through registry keys
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:3948
            • C:\Windows\SysWOW64\regedit.exe
              "C:\Windows\System32\regedit.exe" /s e71.Reg
              4⤵
              • Adds Run key to start application
              • Runs .reg file with regedit
              PID:1760
          • C:\Windows\SysWOW64\taskkill.exe
            "C:\Windows\System32\taskkill.exe" /F /IM VCSPAWN.EXE /T
            3⤵
            • Kills process with taskkill
            • Suspicious use of AdjustPrivilegeToken
            PID:1676

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Roaming\mIRC\DriverUpdate.exe
        Filesize

        141KB

        MD5

        5dd6ccd04f1eaa5c5f0da6e217177bde

        SHA1

        12f633cff05b0d416847d8ffc45bf7ee7dbc9845

        SHA256

        e31626a8355904ad407d26eca3c8f5a4da3ae2ad1325206ca0682997bba42c35

        SHA512

        319db827687aa71a1d124ca541945a37eb894423525801def0bbb2489fec6028458d263334893358261d81acde3b4ece7d945ac6ac3d75c8586f133b2e26cde3

        Download Submit

      • C:\Users\Admin\AppData\Roaming\mIRC\RegKeys.bat
        Filesize

        258B

        MD5

        b64fc7a806682ecaddab683d501334d9

        SHA1

        7bed28defe3805939d155dfce4d181826d3f800a

        SHA256

        4a9c34e042e7271d28d17ee9804c44dc460a1293811ce5b38d427bae7aca826f

        SHA512

        a166d3a735b92447fc678ad5ca40ef18889443591f4ae1f8dc13ad90c83288099d313b7ef70edc69d4742c1701897e858ed0f5b10a4de88907f01835b1b6e2d5

        Download Submit

      • C:\Users\Admin\AppData\Roaming\mIRC\e71.Reg
        Filesize

        154B

        MD5

        c9519207d73851a93f9e966fc006c678

        SHA1

        743cc974294350be2ae36ec6b2a75e94a1bca9c3

        SHA256

        78eb201fc88feb9eaf6528e4b34933e1ca323b7bfc7c6cfe51cc37f6c0bbe645

        SHA512

        03c33e042bdf359d8e0d88c7205dab2b102205ae820ab86bf240d70f66d6ec85fed80e038124e73fd3ecf324a41d37ea918fd8a4ca2db1e381e3108c29392703

        Download Submit

      • C:\Users\Admin\AppData\Roaming\mIRC\mirc.ini
        Filesize

        4KB

        MD5

        16cfdc4936e85c680427ec70f2158532

        SHA1

        07b3e6bb11f1ddd8f5406f3dd7298f904be161e1

        SHA256

        49e2a4a5687f64143f452e0cc04c34925a1d3c37b6663a172392dd9aa0cded5b

        SHA512

        7d1f48123c4832a59000280fa8d74bdd162a8b4495c0b4abe199693a3e8404c440f091118222a6ec2fd17f68df5617e8d013ea408644860ab4294413ae8c7f8e

        Download Submit

      • C:\Users\Admin\AppData\Roaming\mIRC\mircdriver.exe
        Filesize

        1.2MB

        MD5

        22d180b0d0d10891a072d6a88d284a80

        SHA1

        f9064ceea86130bad969b2be7ecf7f850cc2a3dc

        SHA256

        f819611014ef669bc206aa9d0113be30547f14642e0dcf5c549019e9fad5068a

        SHA512

        220a682772b45fd746aebbb2c48a105576ef44a8ed198d1bd2d04fed556f9b88d7a787a505065f16fe250f2eb115ec3a62188466182961ba0ecd24ee695a3ea4

        Download Submit

      • C:\Users\Admin\AppData\Roaming\mIRC\system.mrc
        Filesize

        16KB

        MD5

        cd348982b158831ea8a26f2293a5ed8e

        SHA1

        17d2eb7f8ae97b21dc97abd3a03c669a19730b20

        SHA256

        6e0024954716eb9a5f77924664137168f38628603b681d08a8eed7dded929978

        SHA512

        a5dcdec0236e75063edc0d051c646b80f7f912268bf1f345788adae5ae4ad10b991a2c9a44bda910152fdf3ba4ac5d58ce838c4429a9593e5e51061f09bad307

        Download Submit

      • memory/3948-71-0x0000000000130000-0x0000000000627000-memory.dmp

        Filesize

        5.0MB

        Download

      • memory/3948-93-0x0000000000130000-0x0000000000627000-memory.dmp

        Filesize

        5.0MB

        Download

      • memory/3948-53-0x0000000000130000-0x0000000000627000-memory.dmp

        Filesize

        5.0MB

        Download

      • memory/3948-61-0x0000000000130000-0x0000000000627000-memory.dmp

        Filesize

        5.0MB

        Download

      • memory/3948-22-0x0000000000130000-0x0000000000627000-memory.dmp

        Filesize

        5.0MB

        Download

      • memory/3948-77-0x0000000000130000-0x0000000000627000-memory.dmp

        Filesize

        5.0MB

        Download

      • memory/3948-85-0x0000000000130000-0x0000000000627000-memory.dmp

        Filesize

        5.0MB

        Download

      • memory/3948-47-0x0000000000130000-0x0000000000627000-memory.dmp

        Filesize

        5.0MB

        Download

      • memory/3948-103-0x0000000000130000-0x0000000000627000-memory.dmp

        Filesize

        5.0MB

        Download

      • memory/3948-109-0x0000000000130000-0x0000000000627000-memory.dmp

        Filesize

        5.0MB

        Download

      • memory/3948-117-0x0000000000130000-0x0000000000627000-memory.dmp

        Filesize

        5.0MB

        Download

      • memory/3948-125-0x0000000000130000-0x0000000000627000-memory.dmp

        Filesize

        5.0MB

        Download

      • memory/3948-133-0x0000000000130000-0x0000000000627000-memory.dmp

        Filesize

        5.0MB

        Download

      • memory/3948-141-0x0000000000130000-0x0000000000627000-memory.dmp

        Filesize

        5.0MB

        Download

      • memory/3948-149-0x0000000000130000-0x0000000000627000-memory.dmp

        Filesize

        5.0MB

        Download