Analysis

  • max time kernel
    150s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20231129-en
  • resource tags
    arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
  • submitted
    12/02/2024, 14:06

General

  • Target

    9754ed1850613133670ce6744da7bf2c.exe

  • Size

    304KB

  • MD5

    9754ed1850613133670ce6744da7bf2c

  • SHA1

    5f6a5ee9f74fee0a69a96ee68b43ac1f06279bcf

  • SHA256

    d0024fbc2f166639aab20236e9fad73d58c7579a13921db27ba2902290f81c1d

  • SHA512

    fa6a95fb66bb9539aee13e7f5aae044ce966cabc5d0e68f3948337bc123b6f14664999c1d2a08b8f4a0919a57e1d80b00f3dfd1a2f5c585107f78f36381859d9

  • SSDEEP

    6144:ascPtZKAWVNHZ2iSgSVn5+7jIdUDETTq7xPRU3P:rMoVNHZ1vSVI78dfaNPRWP

Score
10/10

Malware Config

Signatures

  • Modifies firewall policy service 2 TTPs 6 IoCs
  • Nirsoft 2 IoCs
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 12 IoCs
  • UPX packed file 3 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Drops file in System32 directory 11 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 3 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\9754ed1850613133670ce6744da7bf2c.exe
    "C:\Users\Admin\AppData\Local\Temp\9754ed1850613133670ce6744da7bf2c.exe"
    1⤵
    • Modifies firewall policy service
    • Loads dropped DLL
    • Adds Run key to start application
    • Drops file in System32 directory
    • Modifies registry class
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2216
    • C:\Windows\SysWOW64\ntkernelloader.exe
      C:\Windows\system32\ntkernelloader.exe /stext C:\Windows\system32\micdriverz.dll
      2⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      PID:2832
    • C:\Windows\SysWOW64\winamptürk.exe
      C:\Windows\system32\winamptürk.exe
      2⤵
      • Modifies firewall policy service
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in System32 directory
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1916
      • C:\Windows\SysWOW64\winamptürk.exe
        C:\Windows\system32\winamptürk.exe
        3⤵
        • Modifies firewall policy service
        • Executes dropped EXE
        • Loads dropped DLL
        • Drops file in System32 directory
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of SetWindowsHookEx
        PID:2320

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\SysWOW64\optrves.dll

    Filesize

    817B

    MD5

    b0e872e65b6a664b0b7e3c6bf4d87fd5

    SHA1

    d75d49aff1351d190d74ef79c0b07a1013443ccd

    SHA256

    b29c6b65afab0a73391c00da6dd493f5b00f038358564384e399aaa2a14a2fe5

    SHA512

    3a8cc159477f5259f1bf5fc0f34e85d6ca275a8cccdf42646fd1d2ab430d375512682d4ee73eea5824af57416eab57f98675734e6ecc75a330b0a92bbeaba12f

  • C:\Windows\SysWOW64\optrves.dll

    Filesize

    1KB

    MD5

    cab6d4b23d59ddcedf4113462386fb93

    SHA1

    97c42bda1852ca0ac228dc8cd1233e48565e31b1

    SHA256

    4093e7689e66d53346ef1cf219928ae05949f099c3aa592b87aea6c0627c3905

    SHA512

    ed89795d01dc3dad52f4cebb5e047b07cab600f8cb9eeeb213a74eb967ca3b3dc32ee51d25dc6b2036f0051711eaac475f0404e9fd73511a5fc7eb19420bfa14

  • \Windows\SysWOW64\mswinsck.ocx

    Filesize

    106KB

    MD5

    3d8fd62d17a44221e07d5c535950449b

    SHA1

    6c9d2ecdd7c2d1b9660d342e2b95a82229486d27

    SHA256

    eba048e3a9cb11671d0e3c5a0b243b304d421762361fe24fd5ea08cb66704b09

    SHA512

    501e22a0f99e18f6405356184506bc5849adc2c1df3bdee71f2b4514ab0e3e36673b4aecbd615d24ebb4be5a28570b2a6f80bd52331edb658f7a5f5a9d686d10

  • \Windows\SysWOW64\ntkernelloader.exe

    Filesize

    43KB

    MD5

    588ab9262f42d01d153257ce3b71ebfe

    SHA1

    09e06a95a39ed524b8c85cb26bc9e8ce6ad57bfa

    SHA256

    4fce527ab68ba2d951f35ece37bff7ca3eb4b83e37ff903c49c0d6f4882610b8

    SHA512

    a08492b26aa2b0c4f2c6ebba51a160e8905392b528f3b38bd757553c9187de7891d8aeee75c7f9296d869d38590ecc71facb9512e8dee42f8f9729cc31de1b6d

  • \Windows\SysWOW64\winamptürk.exe

    Filesize

    304KB

    MD5

    9754ed1850613133670ce6744da7bf2c

    SHA1

    5f6a5ee9f74fee0a69a96ee68b43ac1f06279bcf

    SHA256

    d0024fbc2f166639aab20236e9fad73d58c7579a13921db27ba2902290f81c1d

    SHA512

    fa6a95fb66bb9539aee13e7f5aae044ce966cabc5d0e68f3948337bc123b6f14664999c1d2a08b8f4a0919a57e1d80b00f3dfd1a2f5c585107f78f36381859d9

  • memory/2216-22-0x0000000002500000-0x000000000251B000-memory.dmp

    Filesize

    108KB

  • memory/2216-26-0x0000000002500000-0x000000000251B000-memory.dmp

    Filesize

    108KB

  • memory/2832-23-0x0000000000400000-0x000000000041B000-memory.dmp

    Filesize

    108KB

  • memory/2832-24-0x0000000000400000-0x000000000041B000-memory.dmp

    Filesize

    108KB