Overview

overview

7

Static

static

7

86447b8042...33.exe

windows7-x64

7

86447b8042...33.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    40s
  • max time network
    148s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
  • submitted
    01/02/2024, 07:14

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    86447b80427974862f7388efe8675133.exe

  • Size

    419KB

  • MD5

    86447b80427974862f7388efe8675133

  • SHA1

    5a8cbb5771ac82fb0eba1a886ae0357581277f6f

  • SHA256

    39b8cc32d4614148aa546ff23f1eec042e916f34b5a8501ffe3364a319fd8fbb

  • SHA512

    a6aa76330516f23be1939b6662f6f6b059d45b955ba0756be9daa163ff4b386a2dc3f4587d5a2b62018c12adfe7c10373568ae2bcebcc33c8232561b399d6681

  • SSDEEP

    12288:7jtju6APFo38dPbUpLbQJNBWQ4m7ooX1w:rAPq3SbUeXT7oO1

Score
7/10
persistenceupx

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • UPX packed file 21 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • AutoIT Executable 4 IoCs

    AutoIT scripts compiled to PE executables.

  • Suspicious use of SetThreadContext 2 IoCs
  • Drops file in Windows directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies Internet Explorer settings 1 TTPs 3 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 13 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\86447b80427974862f7388efe8675133.exe
    "C:\Users\Admin\AppData\Local\Temp\86447b80427974862f7388efe8675133.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:2432
    • C:\Users\Admin\AppData\Local\Temp\86447b80427974862f7388efe8675133.exe
      "C:\Users\Admin\AppData\Local\Temp\86447b80427974862f7388efe8675133.exe"
      2⤵
      • Checks computer location settings
      • Adds Run key to start application
      • Drops file in Windows directory
      • Modifies Internet Explorer settings
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:3292
      • C:\windows\system32messengerplus\mplayer2.exe
        "C:\windows\system32messengerplus\mplayer2.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:228
        • C:\windows\system32messengerplus\mplayer2.exe
          "C:\windows\system32messengerplus\mplayer2.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of SetWindowsHookEx
          PID:3624

Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\aut9FCA.tmp
          Filesize

          68KB

          MD5

          8d079185f12af41b56fffcc002dc12a4

          SHA1

          ff644a414295c18d730a2c747fa941fe227d8ba9

          SHA256

          cf98fcb82bb403af7467ef6029298aacc064b32f105e4e110200bf7346ff8ae9

          SHA512

          c8e25aa47ae8b4966fbfb8590b065eb27c5de2d690f4614a1d476087d9ba1b13feae5b0f25bdb924d74b659091add841cc967279d66e7a30d0eb06bf4e70ac89

          Download Submit

        • C:\Windows\system32MessengerPlus\mplayer2.exe
          Filesize

          162KB

          MD5

          51054bd7f568378fa9d440857548e6ba

          SHA1

          f2fe2a99a333002fb14010ce67fccbe277fa53ca

          SHA256

          7bdf58bc9200d908f135417b66ef1bf4cc3cfaabde9e25dc705899e02cbb9d3f

          SHA512

          aede390a8c07f4e0a73e7c8808cda55e5ee0a781d7fe00a1954392f81740d83175659cc86a47700e232fe5dcffa09c5c97162fcbd44319d369dc21d3703026c2

          Download Submit

        • C:\Windows\system32MessengerPlus\mplayer2.exe
          Filesize

          190KB

          MD5

          7bdc7cc7049e79c6dc10863bc546e63d

          SHA1

          4c65c588ab226672cdfa0f6fe4a178e307101198

          SHA256

          84002537e333205f39684ba251056c9622cf3b26c2e36249676a76467fbe5424

          SHA512

          144ca7ebc9079439aa6afd808de95ffa5acfc68b8397c3a09c4a27aea85c6aa8afd61cb1d469be99ff0881fcf014e8b90b8ae7817889532242e2f6dd646f9d2a

          Download Submit

        • C:\Windows\system32MessengerPlus\mplayer2.exe
          Filesize

          135KB

          MD5

          eacc3dfdb038d61edd9636244b52946d

          SHA1

          185811b32b8261ccfbec15205009cc6563f2fd7f

          SHA256

          cc4eb614e719c64bed903047f0e878363a9c938804a626fc395ff445d247e729

          SHA512

          01614fee3ab7aa568688873c53d7024ce751981c7529ff49e654db0571f8df1f48a0e90f725029e9e0ee6803ead5e2bf3bdcb32db1a30cf96f4387b383bbf9ae

          Download Submit

        • C:\windows\system32messengerplus\mplayer2.exe
          Filesize

          99KB

          MD5

          f2ff6d7f17748944aed58c407f34378b

          SHA1

          03815fd59da07e11ddadb7e34f1097d644b5f8ce

          SHA256

          ee34300e39794d5dbab918d993c196ee823746d246122bcb4a63a8e7d012038b

          SHA512

          fc2b6731343cbda7a88ae2661a77cf2a16fc0e8e2cc89cf6a51eb0431a4340d5811ee42ee63be0f5c4c24dce7f170de9063d44374b8c411c72f03af0cf5b3f6c

          Download Submit

        • memory/228-31-0x0000000000400000-0x00000000004FE000-memory.dmp

          Filesize

          1016KB

          Download

        • memory/228-44-0x0000000000400000-0x00000000004FE000-memory.dmp

          Filesize

          1016KB

          Download

        • memory/228-29-0x0000000000400000-0x00000000004FE000-memory.dmp

          Filesize

          1016KB

          Download

        • memory/2432-1-0x0000000000400000-0x00000000004FE000-memory.dmp

          Filesize

          1016KB

          Download

        • memory/2432-13-0x0000000000400000-0x00000000004FE000-memory.dmp

          Filesize

          1016KB

          Download

        • memory/2432-0-0x0000000000400000-0x00000000004FE000-memory.dmp

          Filesize

          1016KB

          Download

        • memory/3292-30-0x0000000000400000-0x0000000000437000-memory.dmp

          Filesize

          220KB

          Download

        • memory/3292-10-0x0000000000400000-0x0000000000437000-memory.dmp

          Filesize

          220KB

          Download

        • memory/3292-12-0x0000000000400000-0x0000000000437000-memory.dmp

          Filesize

          220KB

          Download

        • memory/3292-15-0x0000000000400000-0x0000000000437000-memory.dmp

          Filesize

          220KB

          Download

        • memory/3624-45-0x0000000000400000-0x0000000000437000-memory.dmp

          Filesize

          220KB

          Download

        • memory/3624-48-0x0000000000400000-0x0000000000437000-memory.dmp

          Filesize

          220KB

          Download

        • memory/3624-47-0x0000000000400000-0x0000000000437000-memory.dmp

          Filesize

          220KB

          Download

        • memory/3624-57-0x0000000000400000-0x0000000000437000-memory.dmp

          Filesize

          220KB

          Download

        • memory/3624-59-0x0000000000400000-0x0000000000437000-memory.dmp

          Filesize

          220KB

          Download

        • memory/3624-60-0x0000000000400000-0x0000000000437000-memory.dmp

          Filesize

          220KB

          Download

        • memory/3624-61-0x0000000000400000-0x0000000000437000-memory.dmp

          Filesize

          220KB

          Download