Analysis

  • max time kernel
    141s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
  • submitted
    29/01/2024, 06:21

General

  • Target

    7f1c642acab076d5037e1ed13894a76e.exe

  • Size

    174KB

  • MD5

    7f1c642acab076d5037e1ed13894a76e

  • SHA1

    f8f0ec494d03109c1c02ca348a3d4e084d97ba8f

  • SHA256

    83c15060c5dc1eee040a8e40ac0a81fb07614129e8466c78ecf25bc2de056ef3

  • SHA512

    8016484fb5663c16f3a39b13bfe7516573f41bcac8328ca9dc5a634cd6b21ec371e18e2633cac31703a9db7de2ca97aa3cf88e0a137667ea6cbf5f4dd9ca9d00

  • SSDEEP

    3072:/YbrVGnnewJdmcvrQ8z/fT+8MI40j1kRbqV8DBLlS9plzdktpLitNZ+:/Yb5Gne2dmcvrhi8Mt0qqSS9pZwpGn8

Score
8/10

Malware Config

Signatures

  • Modifies AppInit DLL entries 2 TTPs
  • ACProtect 1.3x - 1.4x DLL software 1 IoCs

    Detects file using ACProtect software.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 5 IoCs
  • UPX packed file 2 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Modifies WinLogon 2 TTPs 7 IoCs
  • Drops file in System32 directory 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\7f1c642acab076d5037e1ed13894a76e.exe
    "C:\Users\Admin\AppData\Local\Temp\7f1c642acab076d5037e1ed13894a76e.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in System32 directory
    • Suspicious use of WriteProcessMemory
    PID:1320
    • C:\Windows\SysWOW64\catsddem.exe
      C:\Windows\system32\catsddem.exe C:\Windows\system32\mspmtwnl.dll
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Modifies WinLogon
      • Drops file in System32 directory
      • Suspicious behavior: EnumeratesProcesses
      PID:1244
    • C:\Users\Admin\AppData\Local\Temp\~38EB.tmp
      C:\Users\Admin\AppData\Local\Temp\~38EB.tmp C:\Users\Admin\AppData\Local\Temp\7F1C64~1.EXE
      2⤵
      • Deletes itself
      • Executes dropped EXE
      PID:2292

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\SysWOW64\mspmtwnl.dll

    Filesize

    152KB

    MD5

    b993f241ec4b01319ee5020d9e747533

    SHA1

    19fd0dfd6de50c1435e4b8d30a0029e875cbfdfa

    SHA256

    8bcf68eb3061d328353d70c636665338ea22efa37a4a64bab356d470fd0a1c44

    SHA512

    4578d1d7fffe0d581ffa5547f006083030beec27e5c69bbab97fbc08f7300b9047550079e1133a21d8db57e1a8198091625c47b35ad90cbc7750b9a2aae8cda2

  • \Users\Admin\AppData\Local\Temp\~38EB.tmp

    Filesize

    2KB

    MD5

    5011564736c349cc96552257b2b823f9

    SHA1

    1f93d5ea9c4345c31abf990de730e4136845cc6a

    SHA256

    cd10ea0c1b781f41aa78d47920308be00c46479a5f280e5bcb0904da23c58717

    SHA512

    f023546dc9adacfd7362cd985d51cb4878f2d2299a3068ef18db84fa73e543e933180b7b0f598561458226b28f754b34a2f5dee042ef7bd0541ff7d726bc1342

  • \Windows\SysWOW64\catsddem.exe

    Filesize

    2KB

    MD5

    06ae479996ab2ecf81a02cc9b918e9a8

    SHA1

    f8eddac58f3d895c14ce8a41f99cf207558e55e4

    SHA256

    08fdef05606048cb7ce8e94948cecdca649535b2e9e7eb97efae83889c65f3b5

    SHA512

    4176b9486335119a4df87977d1fbc3940e069e39badea0315d0d1131994dfad997c8bdbf9915613a17ad367512cdbc893247ca6fee377a0c789895cfae6f2d41

  • memory/1244-22-0x0000000010000000-0x0000000010034000-memory.dmp

    Filesize

    208KB