Overview

overview

7

Static

static

3

a1ad0a8372...bf.exe

windows7-x64

7

a1ad0a8372...bf.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    160s
  • max time network
    160s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240221-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240221-enlocale:en-usos:windows10-2004-x64system
  • submitted
    24/02/2024, 10:47

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    a1ad0a8372632b6d96808914e7c330bf.exe

  • Size

    384KB

  • MD5

    a1ad0a8372632b6d96808914e7c330bf

  • SHA1

    a9c199b7dd7db92cca718ff140ba4fe254109105

  • SHA256

    52097c86c7ce6a8cb98f16cce13323654ec20a4b67a4f9d56098dbad4ede6a27

  • SHA512

    d446cc8def32847eb977d6a1d46a0d4d6d016be3c6c2fb111bf43984b6d4e930bd233b8836e0dd38ea1c79b4fca3e2095964e0cc46dbc6bb1aa021e1b15e434b

  • SSDEEP

    6144:Cc6dRdr+zg7w/0idrVZIg90PijiamCfc7T7Xf2VfjNz7eul7Ya:Cc6DdrUg72/PIg2P5x9e3eTa

Score
7/10
persistenceupx

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • UPX packed file 7 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Program crash 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SendNotifyMessage 2 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a1ad0a8372632b6d96808914e7c330bf.exe
    "C:\Users\Admin\AppData\Local\Temp\a1ad0a8372632b6d96808914e7c330bf.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4192
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4192 -s 672
      2⤵
      • Program crash
      PID:392
    • C:\ProgramData\pH28258MnFpL28258\pH28258MnFpL28258.exe
      "C:\ProgramData\pH28258MnFpL28258\pH28258MnFpL28258.exe" "C:\Users\Admin\AppData\Local\Temp\a1ad0a8372632b6d96808914e7c330bf.exe"
      2⤵
      • Deletes itself
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of SetWindowsHookEx
      PID:1688
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 1688 -s 668
        3⤵
        • Program crash
        PID:3924
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 200 -p 4192 -ip 4192
    1⤵
      PID:3200
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 1688 -ip 1688
      1⤵
        PID:4516

      Network

            MITRE ATT&CK Enterprise v15

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\ProgramData\pH28258MnFpL28258\pH28258MnFpL28258
              Filesize

              192B

              MD5

              3a140b55b27588956ca723f7196db066

              SHA1

              bf5086c5b3a5e37dff00fee6e93c9d7f5835c761

              SHA256

              2d4de9fd06c9d8202ace889119c417d694986186631fb04900b870ac81b4f38a

              SHA512

              c20e49706daf9ecb2e69ed57215715dbe4e2931ab519918b259a184e66e9839652c34b0584dfd06cf9cc2b9e6bd762e4e0a419b47a6c6b6d817fb50a153be61d

              Download Submit

            • C:\ProgramData\pH28258MnFpL28258\pH28258MnFpL28258.exe
              Filesize

              384KB

              MD5

              3c11f59a533eac811fd6b617c2988de1

              SHA1

              4bb1a2598418ade349a8de4b397109e49e0451ad

              SHA256

              b92a18fd26abf9485499675d801ea3501ec1cdb1e8b6c9267cad62cb5039147f

              SHA512

              9a82558177b66182b44c982c2dc256fa56d9e05e4e3ee2239eebad1c0d50e99a4b597cccd22e2f2407f3be74ad26f11d82d3adbcab2ade48b92ca788e5bb9595

              Download Submit

            • memory/1688-20-0x0000000000400000-0x00000000004EE000-memory.dmp

              Filesize

              952KB

              Download

            • memory/1688-23-0x0000000000400000-0x00000000004EE000-memory.dmp

              Filesize

              952KB

              Download

            • memory/1688-29-0x0000000000400000-0x00000000004EE000-memory.dmp

              Filesize

              952KB

              Download

            • memory/1688-31-0x0000000000400000-0x00000000004EE000-memory.dmp

              Filesize

              952KB

              Download

            • memory/4192-0-0x0000000002260000-0x0000000002262000-memory.dmp

              Filesize

              8KB

              Download

            • memory/4192-1-0x0000000000400000-0x00000000004EE000-memory.dmp

              Filesize

              952KB

              Download

            • memory/4192-7-0x0000000000400000-0x00000000004EE000-memory.dmp

              Filesize

              952KB

              Download

            • memory/4192-14-0x0000000000400000-0x00000000004EE000-memory.dmp

              Filesize

              952KB

              Download