Overview

overview

8

Static

static

7

978d593622...01.exe

windows7-x64

8

978d593622...01.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    87s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231222-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
  • submitted
    12-02-2024 20:40

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    978d59362212f50fecd51ab1eaa17f01.exe

  • Size

    19KB

  • MD5

    978d59362212f50fecd51ab1eaa17f01

  • SHA1

    9824563d0add36e1064153224f909757c8276c18

  • SHA256

    7912ac3d1e30ce599f5cf12568e4af8b7b66f0296ca5f498596bfe2ea00b234d

  • SHA512

    d7df8b195f61c9e62c225432e939b4a28c8fc783df5d51c7223eb222271916c6493e16b15b233a967beb9eb6468abc1ad81a95fa81e80cf11e38b3d77d7f3292

  • SSDEEP

    384:EFq4fVdqFYX1Q1fohlEhm971sg8U34XugoR5BcnHOGwby6bl:QqKVd4YlMMZug8Uiu/R3cnu9by

Score
8/10
evasionpersistenceupx

Malware Config

Signatures

  • Modifies Installed Components in the registry 2 TTPs 4 IoCs
    persistence
  • Stops running service(s) 3 TTPs
    evasion
  • Modifies system executable filetype association 2 TTPs 4 IoCs
    persistence
  • UPX packed file 8 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Drops file in System32 directory 6 IoCs
  • Drops file in Program Files directory 2 IoCs
  • Launches sc.exe 4 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 4 IoCs
  • Runs net.exe
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 40 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:3452
      • C:\Users\Admin\AppData\Local\Temp\978d59362212f50fecd51ab1eaa17f01.exe
        "C:\Users\Admin\AppData\Local\Temp\978d59362212f50fecd51ab1eaa17f01.exe"
        2⤵
        • Modifies Installed Components in the registry
        • Modifies system executable filetype association
        • Drops file in System32 directory
        • Drops file in Program Files directory
        • Modifies registry class
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:3232
        • C:\Windows\SysWOW64\Notepad.exe
          Notepad.exe
          3⤵
            PID:4596
          • C:\Users\Admin\AppData\Local\Temp\978d59362212f50fecd51ab1eaa17f01.exe
            C:\Users\Admin\AppData\Local\Temp\978d59362212f50fecd51ab1eaa17f01.exe
            3⤵
            • Modifies Installed Components in the registry
            • Modifies system executable filetype association
            • Drops file in System32 directory
            • Drops file in Program Files directory
            • Modifies registry class
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of WriteProcessMemory
            PID:2136
            • C:\Windows\SysWOW64\Notepad.exe
              Notepad.exe
              4⤵
                PID:3460
              • C:\Windows\SysWOW64\net.exe
                net stop cryptsvc
                4⤵
                • Suspicious use of WriteProcessMemory
                PID:1036
                • C:\Windows\SysWOW64\net1.exe
                  C:\Windows\system32\net1 stop cryptsvc
                  5⤵
                    PID:3948
                • C:\Windows\SysWOW64\sc.exe
                  sc config cryptsvc start= disabled
                  4⤵
                  • Launches sc.exe
                  PID:2252
                • C:\Windows\SysWOW64\sc.exe
                  sc delete cryptsvc
                  4⤵
                  • Launches sc.exe
                  PID:3496
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$$$$$$$.cmd
                  4⤵
                    PID:3128
                • C:\Windows\SysWOW64\net.exe
                  net stop cryptsvc
                  3⤵
                  • Suspicious use of WriteProcessMemory
                  PID:1104
                  • C:\Windows\SysWOW64\net1.exe
                    C:\Windows\system32\net1 stop cryptsvc
                    4⤵
                      PID:1716
                  • C:\Windows\SysWOW64\sc.exe
                    sc config cryptsvc start= disabled
                    3⤵
                    • Launches sc.exe
                    PID:3056
                  • C:\Windows\SysWOW64\sc.exe
                    sc delete cryptsvc
                    3⤵
                    • Launches sc.exe
                    PID:1896
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$$$$$$$.cmd
                    3⤵
                      PID:3612

                Network

                MITRE ATT&CK Enterprise v15

                Replay Monitor

                Loading Replay Monitor...

                Downloads

                • C:\Users\Admin\AppData\Local\Temp\$$$$$$$$.cmd
                  Filesize

                  242B

                  MD5

                  6f9d8b9ec7936433b4c4ab2e16c2993b

                  SHA1

                  c2a9bb9698666e48456df74b3868a479b63f0c9e

                  SHA256

                  68fe3004ac847defb1bfd15f51d4f22517af371bf88c06c17872aebefe018337

                  SHA512

                  f156059ad4a8170a9d9a3bd7498b65c163bc6cfeacbd4ab52fcf27400aa3d8bfbbcda5f2050aae29df1697d0b9bf368658cfbce1f28d8fbcdc8cba12f118506f

                  Download Submit

                • C:\Windows\Temp\~tmp85.tmp
                  Filesize

                  19KB

                  MD5

                  978d59362212f50fecd51ab1eaa17f01

                  SHA1

                  9824563d0add36e1064153224f909757c8276c18

                  SHA256

                  7912ac3d1e30ce599f5cf12568e4af8b7b66f0296ca5f498596bfe2ea00b234d

                  SHA512

                  d7df8b195f61c9e62c225432e939b4a28c8fc783df5d51c7223eb222271916c6493e16b15b233a967beb9eb6468abc1ad81a95fa81e80cf11e38b3d77d7f3292

                  Download Submit

                • memory/2136-1-0x0000000012110000-0x0000000012122000-memory.dmp

                  Filesize

                  72KB

                  Download

                • memory/2136-17-0x0000000012110000-0x0000000012122000-memory.dmp

                  Filesize

                  72KB

                  Download

                • memory/2136-18-0x0000000012110000-0x0000000012122000-memory.dmp

                  Filesize

                  72KB

                  Download

                • memory/2136-19-0x0000000012110000-0x0000000012122000-memory.dmp

                  Filesize

                  72KB

                  Download

                • memory/2136-39-0x0000000012110000-0x0000000012122000-memory.dmp

                  Filesize

                  72KB

                  Download

                • memory/3232-0-0x0000000012110000-0x0000000012122000-memory.dmp

                  Filesize

                  72KB

                  Download

                • memory/3232-15-0x0000000012110000-0x0000000012122000-memory.dmp

                  Filesize

                  72KB

                  Download