Overview

overview

7

Static

static

7

880365068d...61.exe

windows7-x64

7

880365068d...61.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    88s
  • max time network
    129s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231222-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
  • submitted
    02-02-2024 00:02

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    880365068d8f95218d82551fc7e02961.exe

  • Size

    176KB

  • MD5

    880365068d8f95218d82551fc7e02961

  • SHA1

    4a6bfed49e69a2b8e8d8c4317a17358bae4c5e8c

  • SHA256

    e4bfd376352e36ccb75f536bb20cf88a12766436284aae99ed98c0f91a80c0c8

  • SHA512

    a7832f680acd9d4b2ef2696f7f7bc473c7a77e1ae50abdda401803b1090f479fa7603bef30545abd4dc60dbcc7aba6c1a749694f39691bc75e766ccd0921f4fd

  • SSDEEP

    3072:6C8VCaeoJ4rJe7+hQE4l+Xzl4qeVXKl4S8oMqvsHiCJT73C5+UAUV+r1soutrMJ7:6C8VPJoeyC+Dl4qCXKl4SvkCCEoS6

Score
7/10
persistenceupx

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • UPX packed file 6 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Drops file in System32 directory 2 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies Internet Explorer settings 1 TTPs 49 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 8 IoCs
  • Suspicious use of WriteProcessMemory 49 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\880365068d8f95218d82551fc7e02961.exe
    "C:\Users\Admin\AppData\Local\Temp\880365068d8f95218d82551fc7e02961.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3948
    • C:\Users\Admin\AppData\Local\Temp\880365068d8f95218d82551fc7e02961.exe
      C:\Users\Admin\AppData\Local\Temp\880365068d8f95218d82551fc7e02961.exe
      2⤵
      • Checks computer location settings
      • Drops file in System32 directory
      • Suspicious use of WriteProcessMemory
      PID:3608
      • C:\Windows\SysWOW64\Windefend.exe
        "C:\Windows\system32\Windefend.exe" rem "C:\Users\Admin\AppData\Local\Temp\880365068d8f95218d82551fc7e02961.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:972
        • C:\Windows\SysWOW64\Windefend.exe
          C:\Windows\SysWOW64\Windefend.exe
          4⤵
          • Checks computer location settings
          • Executes dropped EXE
          • Adds Run key to start application
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:804
          • C:\Program Files\Internet Explorer\iexplore.exe
            "C:\Program Files\Internet Explorer\iexplore.exe"
            5⤵
            • Modifies Internet Explorer settings
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:1924
            • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
              "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1924 CREDAT:17410 /prefetch:2
              6⤵
              • Modifies Internet Explorer settings
              • Suspicious use of SetWindowsHookEx
              PID:1848

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Defense Evasion

Modify Registry

2
T1112

Credential Access

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
    Filesize

    471B

    MD5

    164c747ec05b351867ac47fb8ac89dcb

    SHA1

    d814dbedc7356af4d274b907692c28baea48dba0

    SHA256

    e675e63c991701c36625eb6ef0d2e009c743f7a6843192f74bd10ac641503181

    SHA512

    895663660c26f74561154925fd7ef4c2ee7e8fe0ad25985f7ed51ceadb476d576450c8c57aa8e8ea350be398b491f0bb5fe54744d7d1e625e4ab97a93b375643

    Download Submit
  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
    Filesize

    404B

    MD5

    38b4e944ca2c6796ce21c40d2a2ef001

    SHA1

    6b85777d95d6e8b806a3cb22f0a49f806c4e1b3b

    SHA256

    e73efa25714eda27aac4c8a2f14a16d6cf31dd78f1c7a447f7d05fcd11c0bdcb

    SHA512

    d95024a7e4a23657ea98881ad5d38f56ab5fdf1ad13ecca351eb0e72ee36ef6f91e01a38dca58ae7c58141bb2e14a3c9f43156831b360bc9d0b109e7f0d68e3f

    Download Submit
  • C:\Users\Admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico
    Filesize

    4KB

    MD5

    da597791be3b6e732f0bc8b20e38ee62

    SHA1

    1125c45d285c360542027d7554a5c442288974de

    SHA256

    5b2c34b3c4e8dd898b664dba6c3786e2ff9869eff55d673aa48361f11325ed07

    SHA512

    d8dc8358727590a1ed74dc70356aedc0499552c2dc0cd4f7a01853dd85ceb3aead5fbdc7c75d7da36db6af2448ce5abdff64cebdca3533ecad953c061a9b338e

    Download Submit
  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\UCK1SA0Q\suggestions[1].en-US
    Filesize

    17KB

    MD5

    5a34cb996293fde2cb7a4ac89587393a

    SHA1

    3c96c993500690d1a77873cd62bc639b3a10653f

    SHA256

    c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

    SHA512

    e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\Kno5F56.tmp
    Filesize

    88KB

    MD5

    002d5646771d31d1e7c57990cc020150

    SHA1

    a28ec731f9106c252f313cca349a68ef94ee3de9

    SHA256

    1e2e25bf730ff20c89d57aa38f7f34be7690820e8279b20127d0014dd27b743f

    SHA512

    689e90e7d83eef054a168b98ba2b8d05ab6ff8564e199d4089215ad3fe33440908e687aa9ad7d94468f9f57a4cc19842d53a9cd2f17758bdadf0503df63629c6

    Download Submit
  • C:\Windows\SysWOW64\Windefend.exe
    Filesize

    176KB

    MD5

    880365068d8f95218d82551fc7e02961

    SHA1

    4a6bfed49e69a2b8e8d8c4317a17358bae4c5e8c

    SHA256

    e4bfd376352e36ccb75f536bb20cf88a12766436284aae99ed98c0f91a80c0c8

    SHA512

    a7832f680acd9d4b2ef2696f7f7bc473c7a77e1ae50abdda401803b1090f479fa7603bef30545abd4dc60dbcc7aba6c1a749694f39691bc75e766ccd0921f4fd

    Download Submit
  • C:\Windows\SysWOW64\Windefend.exe
    Filesize

    140KB

    MD5

    8fd4e708972ebfabbd0fe5f2ae8a397b

    SHA1

    d190c46689e2d8ddf5637bea2e56a6038b434956

    SHA256

    ea7e30b685142ec54216e1e8bb701e9e96ea0a389f56f6dd5e2d3bf5d65901d6

    SHA512

    c2cf33e7fd740ce284780bb3a6ba5cdb65858fd54d067ba808e5e391517f805871c4a0ab905f32a53a548c71d9b7cf49f5b44930d4b469b347f211fe56f8750a

    Download Submit
  • memory/804-31-0x0000000000400000-0x0000000000424000-memory.dmp
    Filesize

    144KB

    Download
  • memory/804-27-0x0000000000400000-0x0000000000424000-memory.dmp
    Filesize

    144KB

    Download
  • memory/804-29-0x0000000000400000-0x0000000000424000-memory.dmp
    Filesize

    144KB

    Download
  • memory/804-30-0x00000000004E0000-0x00000000005A9000-memory.dmp
    Filesize

    804KB

    Download
  • memory/972-28-0x0000000000400000-0x0000000000591000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/972-20-0x0000000000400000-0x0000000000591000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/3608-21-0x0000000000400000-0x0000000000424000-memory.dmp
    Filesize

    144KB

    Download
  • memory/3608-7-0x0000000000400000-0x0000000000424000-memory.dmp
    Filesize

    144KB

    Download
  • memory/3608-5-0x0000000000400000-0x0000000000424000-memory.dmp
    Filesize

    144KB

    Download
  • memory/3608-3-0x0000000000400000-0x0000000000424000-memory.dmp
    Filesize

    144KB

    Download
  • memory/3948-0-0x0000000000400000-0x0000000000591000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/3948-6-0x0000000000400000-0x0000000000591000-memory.dmp
    Filesize

    1.6MB

    Download