Overview

overview

7

Static

static

3

7ee6c89d7b...0b.exe

windows7-x64

7

7ee6c89d7b...0b.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    148s
  • max time network
    142s
  • platform
    windows7_x64
  • resource
    win7-20231129-en
  • resource tags

    arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
  • submitted
    29/01/2024, 04:35

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    7ee6c89d7b7f59cacfa7a75cca87730b.exe

  • Size

    68KB

  • MD5

    7ee6c89d7b7f59cacfa7a75cca87730b

  • SHA1

    b0b23e8e3ab99beba099c4bcbadbedcc1485d79b

  • SHA256

    efb043386da18742723e97ccdaefe94bcb4d345fcc0fe95929d35197746bc790

  • SHA512

    c8ca7f0fcf91861f25a56e162732644ca91d6f131655fc455583f2e6a64e6df792155c8c9e1bfcd775d7f2a19aeda8b6f8b06a699c052a9600f10ff5b06ba389

  • SSDEEP

    1536:WgHFtI/kpwbv+eWKDZ3+ZFnJrvtCSyzNDAKUT9X:p+DCZKRWFnxvtCQTx

Score
7/10
persistenceupx

Malware Config

Signatures

  • UPX packed file 4 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Drops file in System32 directory 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious use of WriteProcessMemory 38 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\7ee6c89d7b7f59cacfa7a75cca87730b.exe
    "C:\Users\Admin\AppData\Local\Temp\7ee6c89d7b7f59cacfa7a75cca87730b.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:1868
    • C:\Users\Admin\AppData\Local\Temp\7ee6c89d7b7f59cacfa7a75cca87730b.exe
      C:\Users\Admin\AppData\Local\Temp\7ee6c89d7b7f59cacfa7a75cca87730b.exe
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2988
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c copy /Y "C:\Users\Admin\AppData\Local\Temp\7ee6c89d7b7f59cacfa7a75cca87730b.exe" C:\Windows\system32\
        3⤵
        • Drops file in System32 directory
        PID:2192
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del /Q /F C:\Windows\temp\7ee6c89d7b7f59cacfa7a75cca87730b.exe
        3⤵
          PID:1760
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c C:\Windows\system32\reg.exe delete HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v mssysif /f
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:944
          • C:\Windows\SysWOW64\reg.exe
            C:\Windows\system32\reg.exe delete HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v mssysif /f
            4⤵
              PID:1028
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c C:\Windows\system32\reg.exe add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /t REG_SZ /v mssysif /d "C:\Windows\system32\7ee6c89d7b7f59cacfa7a75cca87730b.exe"
            3⤵
            • Suspicious use of WriteProcessMemory
            PID:1540
            • C:\Windows\SysWOW64\reg.exe
              C:\Windows\system32\reg.exe add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /t REG_SZ /v mssysif /d "C:\Windows\system32\7ee6c89d7b7f59cacfa7a75cca87730b.exe"
              4⤵
              • Adds Run key to start application
              PID:1264
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c type "C:\Windows\Tasks\1372180767-0020"
            3⤵
              PID:2528
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c type "C:\Windows\Tasks\1372180767-0020"
              3⤵
                PID:2804

          Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • memory/1868-6-0x0000000013140000-0x0000000013158000-memory.dmp

            Filesize

            96KB

            Download

          • memory/2988-0-0x0000000000400000-0x000000000044A000-memory.dmp

            Filesize

            296KB

            Download

          • memory/2988-2-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

            Filesize

            4KB

            Download

          • memory/2988-4-0x0000000000400000-0x000000000044A000-memory.dmp

            Filesize

            296KB

            Download

          • memory/2988-7-0x0000000000400000-0x000000000044A000-memory.dmp

            Filesize

            296KB

            Download

          • memory/2988-8-0x0000000000400000-0x000000000044A000-memory.dmp

            Filesize

            296KB

            Download

          • memory/2988-9-0x0000000000400000-0x000000000044A000-memory.dmp

            Filesize

            296KB

            Download