Analysis
-
max time kernel
146s -
max time network
125s -
platform
windows7_x64 -
resource
win7-20231215-en -
resource tags
-
submitted
12-02-2024 05:26
General
-
Target
965c28adeb669aa74549e117c176e3be.exe
-
Size
1.0MB
-
MD5
965c28adeb669aa74549e117c176e3be
-
SHA1
70b5f0583a2973219f9b187e2bed8404be5aeb3a
-
SHA256
9e1ae3b4e55a48aa40649622e37d4322f761c91feb5db2d6620449217cb38fd7
-
SHA512
99c3de0116ba6847a6a1dc569e3f58a635900a9aaa9e9109a968d63f0c939cbb7af782d4094aac59b2b6abfc5530844b9c6fcfe9026dc795bafb12b6501bae20
-
SSDEEP
12288:zKz0viabdAm4EhAhRw95PxS0mVEwe96AkzCdcH8uSS64tBaQsh6DQ+m6brTQS4N8:zE+Amy0mg5kzCxKF26bQSsTzs7
Malware Config
Signatures
-
Adds policy Run key to start application 2 TTPs 2 IoCs
-
ASPack v2.12-2.42 2 IoCs
Detects executables packed with ASPack v2.12-2.42
-
Executes dropped EXE 5 IoCs
-
Loads dropped DLL 2 IoCs
-
UPX packed file 4 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Drops file in System32 directory 2 IoCs
-
Drops file in Windows directory 11 IoCs
-
Checks processor information in registry 2 TTPs 5 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 20 IoCs
Processes
-
C:\Windows\fps.exeC:\Windows\fps.exe /stext C:\Windows\fps.atm1⤵
- Executes dropped EXE
- Drops file in Windows directory
-
C:\Windows\SysWOW64\dtxservice.exeC:\Windows\system32\dtxservice.exe -atm1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\CRSS.EXEC:\Windows\CRSS.EXE2⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\iss32.exeC:\Windows\iss32.exe2⤵
- Executes dropped EXE
-
-
C:\Windows\mps.exeC:\Windows\mps.exe /stext C:\Windows\mps.atm2⤵
- Executes dropped EXE
- Drops file in Windows directory
-
-
C:\Users\Admin\AppData\Local\Temp\965c28adeb669aa74549e117c176e3be.exe"C:\Users\Admin\AppData\Local\Temp\965c28adeb669aa74549e117c176e3be.exe"1⤵
- Adds policy Run key to start application
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
13KB
MD5067c3c377e0346290862dc8791e81fb0
SHA19a4d3a6ad5fd102eb32a6f1229c80c15dc495409
SHA25618cbf1415419f9f27425cea06c32e9a2f041ec52a39d78d58922efbb698b9d76
SHA5120c0f0a1e4144accb97d159096cbd4003e77ca0ac792727002c2fe402dc12471a16e90ae3622f1f96d25a333af36a4dccbe80a6689bed080ba32e28dd845960aa
-
Filesize
464KB
MD5b795f8027af2e4b64faaf9ee0dd46f6e
SHA1a1572e82430747a77be034a76e1b8d9d65113abc
SHA2565393f9945bc0b131f639776f5e5f7b6cc7def7fafd73630fcef7c5e525aec99b
SHA512c2a0b7fe18ebe891fe7f9347d38781a1f7da738c14c43c7cc05d2f0b662318b083750e5c0b88d85c20a1b498b04a40e9a91a969c6afff3d98927f92a3c264fce
-
Filesize
887KB
MD5c07fbb30c1c7a98dec8b085105260943
SHA13c078f628f6442224344070ab046fd67961f05f5
SHA256c723c8a8bdeefe2bfdf07bbcc31ee081cc99ab6287da0afdf3b5189f1575d8fb
SHA5124ef3cc4ada71ffccac527163161e4258e8bb5be7cd68001a963962f207955e3f44b16958689bf7fbcf485ad30fbb922ff0222e8cd5885dd694efc10822709a4a
-
Filesize
14KB
MD516d0b87ea242e563ccbf13fbfc279915
SHA1a56a456b48f5318ca57cce4d75e2f0e3493850d4
SHA2561a4cef71598d42e1765c89fa5f0d91141e313c89d25418d7dc5e2b4b9bfc07aa
SHA512ee9b92a5c17bcf17812d18bb9f0e993537a9a1c1bb4938442aef9005046c4547be61380cf5cf01c7a710b07d5d0e116a4a8e8263d3ad73fef1e0c1de196f6cc0
-
Filesize
3KB
MD5d36a7e657fb830da92a59bccb67948a5
SHA1730d2499b9ffffa7a3e29b9f973728f2c9547827
SHA2560f855337f81800b5df27abd91f85c9a4187ac553e0a65b2a9719d5db1df08b39
SHA5120a24a2f87fcf35937520bde130862af7f40b3fcb29c8f09a197faa5e11a33b7db35b765b2494f719b28ef51060add5324aff441a825a3c87287fa64665e140c8
-
Filesize
8KB
MD551abb91f79fc8057f9ac61877fb480d5
SHA142790a05bb6cc05292977d70bf9ae60350aca1d7
SHA2566bd988e0c55f611e20ff740c76870dc892505725e9852580fe23bade1a8978fa
SHA5124b115ec069cecd082e72c5728aab8902ee018705ed9ad11731e47efd0f6d5d8e2412485d4713cb4ab20bfdd3d03f5919b2bb60a361af6ac69e7566a4fc015413
-
Filesize
29B
MD5d4d0a66ac4c1820c90f62f77099b547a
SHA1c8f96649ec9865804efc925472b931005925f3ff
SHA256997394c51fb18768bbb7a8e6cfe7bdec1efa0bdd82ed3507f3f1cc46ab459ff1
SHA5129ab9b7d786bdbd2e5bd596060930c64ee1496cbdf423bd283fbecee13501adeb149d4aa7290d410dd153a255ef6513e6a8356a88740efa4badb3190fb5388ebb
-
Filesize
17KB
MD54bad43105d4d557ae90d2f094e4bb833
SHA11d80ae0e7806c6cb2425131604373acb62ef8991
SHA256918d1c42a73d79c4296f8fe3683070803916df4f5a236e84aabf665215e266e2
SHA512278a11bb0fb2f17b91e1dc63d6b9a6376c332a41fdcedcd55d96b208b39b769e7edd1f41a614a80e24f409ba098a06b3da6848a6ab9ad0ff37e5154376ef681c
-
Filesize
516KB
MD53269f8dd5c03204d60b16f9714df9fa9
SHA10d04a1f9b2c8b418c048b3c7ae7895c8f909ac84
SHA256123e118cadefa19b511b8bb3c7417235ab8712b81cd5abd0c5d974aa4b3e1928
SHA51280c5afc1b3b9109584dc7a324050b4dac7e9349374588d9a064907d776f08b6eb3cc093bada90fddf53583a41bde392168b9cc030ab13a6e16e284aecd0ba37b
-
Filesize
1.0MB
MD5f2e0c562e2cbde803817c2836bca10d3
SHA144bcd223b9dde48395a1b188753d3dbb82a94752
SHA256d2d5cbe39b956cb4941b501572720436523d2ba4f57327a6c4eb1893007a2f77
SHA5125764a08352b74f84cc2ec1d3589a96e7fadc571a0b93b1281279ef04a9b67dc7c39d9ad8cfc35c0bc5544534b85fed1bf81fe3a10074b5974754ad97337b85ff
-
Filesize
4KB
-
Filesize
1.1MB
-
Filesize
40KB
-
Filesize
1.1MB
-
Filesize
40KB
-
Filesize
36KB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
28KB
-
Filesize
28KB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
52KB
-
Filesize
52KB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
28KB
-
Filesize
28KB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
4KB
-
Filesize
28KB
-
Filesize
28KB
-
Filesize
60KB
-
Filesize
40KB
-
Filesize
40KB
-
Filesize
52KB
-
Filesize
52KB