Overview

overview

10

Static

static

10

COPY0001.exe

windows7-x64

10

COPY0001.exe

windows10-2004-x64

9

Analysis

  • max time kernel
    156s
  • max time network
    166s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    26-02-2024 21:46

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    COPY0001.exe

  • Size

    300.0MB

  • MD5

    ef077d3465b442673296cee268e2973a

  • SHA1

    438ec36e4cc7cad870740c5e926753f04baa1958

  • SHA256

    f68ccb24ae1039fdfe224fd82d46e2a30e2b082d923c92510162218d453e2cfe

  • SHA512

    e53eaa044e8da60afc25f785953b4272eb684391fee5ee32c8c35946c7324ef5dfd4d4cdd9a6ad71eb7c7717fa2d1f40cead8ae5c7c5273ef3a030fdd60091ed

  • SSDEEP

    49152:YwTaSh6OnQVq2ky+jEnogf1L79QxEGIvbDmCwM4BIdN90L:fTaOsqdy1nzdLOfIvm7

Score
9/10
upx

Malware Config

Signatures

  • Detects executables packed with Babel 4 IoCs
  • Detects executables packed with Dotfuscator 4 IoCs
  • Detects executables packed with Goliath 4 IoCs
  • Detects executables packed with SmartAssembly 4 IoCs
  • Detects executables packed with dotNetProtector 4 IoCs
  • UPX dump on OEP (original entry point) 4 IoCs
  • Executes dropped EXE 1 IoCs
  • UPX packed file 4 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Suspicious use of SetThreadContext 1 IoCs
  • Program crash 1 IoCs
  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 19 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\COPY0001.exe
    "C:\Users\Admin\AppData\Local\Temp\COPY0001.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3580
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      2⤵
        PID:4948
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 4948 -s 540
          3⤵
          • Program crash
          PID:4916
      • C:\Windows\SysWOW64\cmd.exe
        "cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\HOST"
        2⤵
          PID:1644
        • C:\Windows\SysWOW64\cmd.exe
          "cmd" /c schtasks /create /sc minute /mo 1 /tn "Nanias" /tr "'C:\Users\Admin\AppData\Roaming\HOST\HOST.exe'" /f
          2⤵
          • Suspicious use of WriteProcessMemory
          PID:804
          • C:\Windows\SysWOW64\schtasks.exe
            schtasks /create /sc minute /mo 1 /tn "Nanias" /tr "'C:\Users\Admin\AppData\Roaming\HOST\HOST.exe'" /f
            3⤵
            • Creates scheduled task(s)
            PID:4912
        • C:\Windows\SysWOW64\cmd.exe
          "cmd" /c copy "C:\Users\Admin\AppData\Local\Temp\COPY0001.exe" "C:\Users\Admin\AppData\Roaming\HOST\HOST.exe"
          2⤵
            PID:4044
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 4948 -ip 4948
          1⤵
            PID:748
          • C:\Users\Admin\AppData\Roaming\HOST\HOST.exe
            C:\Users\Admin\AppData\Roaming\HOST\HOST.exe
            1⤵
            • Executes dropped EXE
            • Suspicious use of AdjustPrivilegeToken
            PID:836

          Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Roaming\HOST\HOST.exe
            Filesize

            1.9MB

            MD5

            0bb5ba7875f77c21104029ec63e43719

            SHA1

            b122e82e8e175cad3de9cd6ec348699db0c16488

            SHA256

            0e7c433566a4caa19d03ac5d8661dc766c56ac7901ee8ca23b717b963d6c7d9c

            SHA512

            b664b4761b7482bfc663a79a21f4564e71e5038433ac84518a886bd967dda56b0d41e04cbde84f14f2a9a5cd2ab64e896ef70e7a7a813fd2b65b4df62c246777

            Download Submit

          • C:\Users\Admin\AppData\Roaming\HOST\HOST.exe
            Filesize

            2.1MB

            MD5

            09d459c667da0a26f066281a5277c219

            SHA1

            8cc45c318f3b83bdd28643a2d275d6e218e48cb1

            SHA256

            8ab3dc81e826daf3713f78bb853ccb9b4ccc90321411f04ae94513ff14246a02

            SHA512

            2b4b48dc49a2234ad29c9df5e52b543527154bdb15adc69e0e17bdb1cec6ba45845ed8b00d0c06281920e8e8d01f97e2aa906b28809ebeb0a4134182f4e5c5b8

            Download Submit

          • memory/836-18-0x0000000004FC0000-0x0000000004FD0000-memory.dmp

            Filesize

            64KB

            Download

          • memory/836-17-0x0000000074920000-0x00000000750D0000-memory.dmp

            Filesize

            7.7MB

            Download

          • memory/836-16-0x00000000001F0000-0x0000000000404000-memory.dmp

            Filesize

            2.1MB

            Download

          • memory/3580-4-0x0000000004CB0000-0x0000000004CC0000-memory.dmp

            Filesize

            64KB

            Download

          • memory/3580-6-0x0000000074920000-0x00000000750D0000-memory.dmp

            Filesize

            7.7MB

            Download

          • memory/3580-7-0x0000000004CB0000-0x0000000004CC0000-memory.dmp

            Filesize

            64KB

            Download

          • memory/3580-5-0x00000000051C0000-0x00000000051CA000-memory.dmp

            Filesize

            40KB

            Download

          • memory/3580-0-0x0000000074920000-0x00000000750D0000-memory.dmp

            Filesize

            7.7MB

            Download

          • memory/3580-3-0x0000000004E20000-0x0000000004EB2000-memory.dmp

            Filesize

            584KB

            Download

          • memory/3580-2-0x0000000005330000-0x00000000058D4000-memory.dmp

            Filesize

            5.6MB

            Download

          • memory/3580-1-0x0000000000F70000-0x0000000001184000-memory.dmp

            Filesize

            2.1MB

            Download

          • memory/4948-8-0x0000000000500000-0x00000000008E4000-memory.dmp

            Filesize

            3.9MB

            Download

          • memory/4948-9-0x0000000000500000-0x00000000008E4000-memory.dmp

            Filesize

            3.9MB

            Download

          • memory/4948-10-0x0000000000500000-0x00000000008E4000-memory.dmp

            Filesize

            3.9MB

            Download

          • memory/4948-11-0x0000000000500000-0x00000000008E4000-memory.dmp

            Filesize

            3.9MB

            Download