Overview

overview

8

Static

static

7

8b41570d02...c8.exe

windows7-x64

8

8b41570d02...c8.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    150s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
  • submitted
    03/02/2024, 03:16

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    8b41570d02a0a6ae998834e0ad4faec8.exe

  • Size

    3.3MB

  • MD5

    8b41570d02a0a6ae998834e0ad4faec8

  • SHA1

    dcc3100e3b3dcbfd32a12413a9c29271316d8849

  • SHA256

    bfe30dbf14be8059ded251ef8505784288bc84bff7a8817e496388090bc3841d

  • SHA512

    f148958251e920ce3ef5ca4bb13f0868116358ffd78e607f4eab9e458235c5be167373858b79be6242241bb6cd035e4e873863b7e46fa4dc0f3207df86b3f503

  • SSDEEP

    98304:/Qq9GOfbVzES6BZNjFrcQ056/M/Cu1mTQMgNomHg1kac:/vG+2SGZNjuQAoYWIu

Score
8/10
evasionupx

Malware Config

Signatures

  • Stops running service(s) 3 TTPs
    evasion
  • UPX packed file 3 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Launches sc.exe 2 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Runs net.exe
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\8b41570d02a0a6ae998834e0ad4faec8.exe
    "C:\Users\Admin\AppData\Local\Temp\8b41570d02a0a6ae998834e0ad4faec8.exe"
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of WriteProcessMemory
    PID:4292
    • C:\Windows\SysWOW64\sc.exe
      sc stop GbpSv
      2⤵
      • Launches sc.exe
      PID:4684
    • C:\Windows\SysWOW64\sc.exe
      sc config GbpSv start= disabled
      2⤵
      • Launches sc.exe
      PID:1128
    • C:\Windows\SysWOW64\net.exe
      net stop GbpSv
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3960
      • C:\Windows\SysWOW64\net1.exe
        C:\Windows\system32\net1 stop GbpSv
        3⤵
          PID:4524
      • C:\Windows\SysWOW64\net.exe
        net start GbpSv
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:1652
        • C:\Windows\SysWOW64\net1.exe
          C:\Windows\system32\net1 start GbpSv
          3⤵
            PID:3772

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • memory/4292-0-0x0000000000400000-0x0000000000E66000-memory.dmp

        Filesize

        10.4MB

        Download

      • memory/4292-1-0x0000000002E30000-0x0000000002E31000-memory.dmp

        Filesize

        4KB

        Download

      • memory/4292-2-0x0000000000400000-0x0000000000E66000-memory.dmp

        Filesize

        10.4MB

        Download

      • memory/4292-4-0x0000000000400000-0x0000000000E66000-memory.dmp

        Filesize

        10.4MB

        Download

      • memory/4292-5-0x0000000002E30000-0x0000000002E31000-memory.dmp

        Filesize

        4KB

        Download