Overview

overview

10

Static

static

3

aa1fa7d9fa...df.exe

windows7-x64

10

aa1fa7d9fa...df.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    142s
  • platform
    windows7_x64
  • resource
    win7-20240220-en
  • resource tags

    arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
  • submitted
    27/02/2024, 20:49

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    aa1fa7d9fa95da23c811628a0b5990df.exe

  • Size

    460KB

  • MD5

    aa1fa7d9fa95da23c811628a0b5990df

  • SHA1

    dd5fe9f7819d312fcc2fdf1ad70a4214963d3461

  • SHA256

    6af860a416d9d5c82997df0f270043c23e7e09d5f4f2711f821acf9772b8ca54

  • SHA512

    15f5b567673ce70a20ea8ced9348896e977e1ffc6b18fd72d8f2a866d8589f62338d3ac56f06786548ee5244547dee50d6e031008f85b7f303b9241b32521acb

  • SSDEEP

    12288:6lSt6oIHNOhU5O5TYo4XqTig5GSR9CClDDL:6lSt69HNx6T/5xT

Score
10/10
evasionpersistenceupx

Malware Config

Signatures

  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
    evasion
  • Deletes itself 1 IoCs
  • Executes dropped EXE 7 IoCs
  • Loads dropped DLL 10 IoCs
  • UPX packed file 3 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Adds Run key to start application 2 TTPs 51 IoCs
    persistence
  • Drops desktop.ini file(s) 2 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Enumerates processes with tasklist 1 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of SetWindowsHookEx 5 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 56 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1224
      • C:\Users\Admin\AppData\Local\Temp\aa1fa7d9fa95da23c811628a0b5990df.exe
        "C:\Users\Admin\AppData\Local\Temp\aa1fa7d9fa95da23c811628a0b5990df.exe"
        2⤵
        • Loads dropped DLL
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2820
        • C:\Users\Admin\iBdqphzke5.exe
          C:\Users\Admin\iBdqphzke5.exe
          3⤵
          • Modifies visiblity of hidden/system files in Explorer
          • Executes dropped EXE
          • Loads dropped DLL
          • Adds Run key to start application
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:2836
          • C:\Users\Admin\wjtoc.exe
            "C:\Users\Admin\wjtoc.exe"
            4⤵
            • Modifies visiblity of hidden/system files in Explorer
            • Executes dropped EXE
            • Adds Run key to start application
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of SetWindowsHookEx
            PID:2580
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\System32\cmd.exe" /c tasklist&&del iBdqphzke5.exe
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:2592
            • C:\Windows\SysWOW64\tasklist.exe
              tasklist
              5⤵
              • Enumerates processes with tasklist
              • Suspicious use of AdjustPrivilegeToken
              PID:2568
        • C:\Users\Admin\astat.exe
          C:\Users\Admin\astat.exe
          3⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:2444
          • C:\Users\Admin\astat.exe
            "C:\Users\Admin\astat.exe"
            4⤵
            • Executes dropped EXE
            PID:2624
        • C:\Users\Admin\dstat.exe
          C:\Users\Admin\dstat.exe
          3⤵
          • Executes dropped EXE
          • Suspicious use of SetWindowsHookEx
          PID:2856
        • C:\Users\Admin\fstat.exe
          C:\Users\Admin\fstat.exe
          3⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:816
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\system32\cmd.exe"
            4⤵
              PID:1000
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\System32\cmd.exe" /c tasklist&&del aa1fa7d9fa95da23c811628a0b5990df.exe
            3⤵
            • Deletes itself
            • Suspicious use of WriteProcessMemory
            PID:2384
            • C:\Windows\SysWOW64\tasklist.exe
              tasklist
              4⤵
              • Enumerates processes with tasklist
              • Suspicious use of AdjustPrivilegeToken
              PID:2388
      • C:\Windows\system32\svchost.exe
        C:\Windows\system32\svchost.exe -k netsvcs
        1⤵
          PID:864
          • C:\Windows\system32\wbem\WMIADAP.EXE
            wmiadap.exe /F /T /R
            2⤵
              PID:556
          • C:\Windows\system32\csrss.exe
            %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
            1⤵
            • Executes dropped EXE
            • Drops desktop.ini file(s)
            • Suspicious use of UnmapMainImage
            • Suspicious use of WriteProcessMemory
            PID:340
          • C:\Windows\system32\wbem\wmiprvse.exe
            C:\Windows\system32\wbem\wmiprvse.exe -Embedding
            1⤵
              PID:2476

            Network

            MITRE ATT&CK Enterprise v15

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\Users\Admin\dstat.exe
              Filesize

              36KB

              MD5

              b6da847084e39e0cecf175c32c91b4bb

              SHA1

              fbfd9494fabed5220cdf01866ff088fe7adc535b

              SHA256

              065781e8a55cf59cb926d5950e0039e19b50b1e081023404fbff4d7a32fc9cbe

              SHA512

              59d372ea36904cd48c99f2f34740c22004b35c5e5dada2417813b0463292af19e4aa5ba4552cc443da373e40ba03a1f7906019a567806806f5972c202a31d9d2

              Download Submit

            • C:\Users\Admin\fstat.exe
              Filesize

              271KB

              MD5

              34353cf7e1d1b10bcbbcae0745110535

              SHA1

              2fb471681daac6f6d66477b7772025da4f58c508

              SHA256

              b2d7a66e2d10d8943e48d6f3ad75237ff379e82ab0101a620406c4569be1d959

              SHA512

              7404f82abfabd21d6f2a88b55f6f0ff886bb0a1f16a9d45c6883d74daa26451f862a10a78646c549c3a3264ba4bd9fb44949d470493af895973dd05a0ec311e6

              Download Submit

            • C:\Windows\system32\consrv.dll
              Filesize

              53KB

              MD5

              4d7cde615a0f534bd5e359951829554b

              SHA1

              c885d00d9000f2a5dbc78f6193a052b36f4fe968

              SHA256

              414fdf9bdcae5136c1295d6d24740c50a484acd81f1f7d0fb5d5c138607cb80a

              SHA512

              33d632f9fbb694440a1ca568c90518784278efd1dc9ee2b57028149d56ebe1f7346d5b59dcfafee2eeaa10091dda05f48958e909d6bfc891e037ae1cfbd048d4

              Download Submit

            • \??\globalroot\systemroot\assembly\temp\@
              Filesize

              2KB

              MD5

              a57edf8918aaf458c807116187ca68b3

              SHA1

              06f0b40b4fb6042f9d2eaf67fc938e326187950e

              SHA256

              c1f2970a73a8bb2261f546c871e81f5c72473a50e6a257f4a29b5ddb341c501d

              SHA512

              0ceb4d43f996bf0adbbcb29638fec507ab45545dccb820f5b81bc6ffd001b36723441aff1177c08729700069c5748253f3691e32a0c450411878ad68b87e6ef0

              Download Submit

            • \Users\Admin\astat.exe
              Filesize

              60KB

              MD5

              87c6498966e3f85fac743c89050aa312

              SHA1

              05c165c34cbfa14e4925c33ace81992b0f50a2b5

              SHA256

              30c8328585e41968aff773da16cedbe590dcefd293c7fa74a69c557ecbf2c3c5

              SHA512

              740f7159ee78f73e57c92e583b8c4f97c5dd49b68b9c321da976d7e318819daa28e8dfc76e95e1e3ccee643dc464324c40b481d1849863e287d826adb577b420

              Download Submit

            • \Users\Admin\iBdqphzke5.exe
              Filesize

              244KB

              MD5

              a4cdb62cf4866a17e742e7e9cc73d237

              SHA1

              30d94f8e872455ac569949ac4c768d0a0cdfbba7

              SHA256

              c741d649bf5b72fbe97470820ce994ce29b153baae14af10c3a2a9adc3098b32

              SHA512

              c4447f95565d3e5dc0ef7712382325280bedf127ac682f85f4043b586afb4188633f2c73277595eb31fe45d992107492f42c82a71f448286a9cb8fac4bfb3671

              Download Submit

            • \Users\Admin\wjtoc.exe
              Filesize

              244KB

              MD5

              8f8ee2009a4629377e2ea9aebb1ad79b

              SHA1

              d0e281545949c6b3e11569985ee94d3cbb1f04ae

              SHA256

              2b44c76bb7511f2baaddd1704309c44db28a0e97c77125e8841b114b9be6cc32

              SHA512

              1f7e1af7549313cf9913cc149bd9d153449ac0a46bdc048715cffb9bdf50dda2637ca31a7034c4425d0ea9c15fc001bcb46830070e48959cd3f5654247ae4fa0

              Download Submit

            • memory/340-128-0x0000000000C40000-0x0000000000C52000-memory.dmp

              Filesize

              72KB

              Download

            • memory/340-124-0x0000000000C30000-0x0000000000C31000-memory.dmp

              Filesize

              4KB

              Download

            • memory/340-120-0x0000000000C40000-0x0000000000C52000-memory.dmp

              Filesize

              72KB

              Download

            • memory/340-111-0x0000000000C40000-0x0000000000C52000-memory.dmp

              Filesize

              72KB

              Download

            • memory/340-112-0x0000000000C30000-0x0000000000C31000-memory.dmp

              Filesize

              4KB

              Download

            • memory/816-72-0x0000000000400000-0x0000000000446000-memory.dmp

              Filesize

              280KB

              Download

            • memory/816-119-0x0000000002A40000-0x0000000002A7D000-memory.dmp

              Filesize

              244KB

              Download

            • memory/816-73-0x0000000000400000-0x0000000000446000-memory.dmp

              Filesize

              280KB

              Download

            • memory/816-75-0x0000000002950000-0x0000000002951000-memory.dmp

              Filesize

              4KB

              Download

            • memory/816-76-0x0000000000400000-0x0000000000446000-memory.dmp

              Filesize

              280KB

              Download

            • memory/816-77-0x0000000002A40000-0x0000000002A7D000-memory.dmp

              Filesize

              244KB

              Download

            • memory/816-80-0x0000000002A40000-0x0000000002A7D000-memory.dmp

              Filesize

              244KB

              Download

            • memory/816-83-0x0000000002A40000-0x0000000002A7D000-memory.dmp

              Filesize

              244KB

              Download

            • memory/816-84-0x0000000002A40000-0x0000000002A7D000-memory.dmp

              Filesize

              244KB

              Download

            • memory/816-85-0x0000000003100000-0x0000000003101000-memory.dmp

              Filesize

              4KB

              Download

            • memory/816-86-0x0000000002A40000-0x0000000002A7D000-memory.dmp

              Filesize

              244KB

              Download

            • memory/816-87-0x0000000002A40000-0x0000000002A7D000-memory.dmp

              Filesize

              244KB

              Download

            • memory/816-88-0x0000000002A40000-0x0000000002A7D000-memory.dmp

              Filesize

              244KB

              Download

            • memory/816-89-0x0000000003110000-0x000000000314D000-memory.dmp

              Filesize

              244KB

              Download

            • memory/816-91-0x00000000036D0000-0x00000000036D1000-memory.dmp

              Filesize

              4KB

              Download

            • memory/816-93-0x0000000002A40000-0x0000000002A7D000-memory.dmp

              Filesize

              244KB

              Download

            • memory/816-94-0x0000000002A40000-0x0000000002A7D000-memory.dmp

              Filesize

              244KB

              Download

            • memory/816-96-0x0000000002A40000-0x0000000002A7D000-memory.dmp

              Filesize

              244KB

              Download

            • memory/816-115-0x0000000002380000-0x00000000023C6000-memory.dmp

              Filesize

              280KB

              Download

            • memory/816-74-0x0000000002380000-0x00000000023C6000-memory.dmp

              Filesize

              280KB

              Download

            • memory/816-121-0x0000000003110000-0x000000000314D000-memory.dmp

              Filesize

              244KB

              Download

            • memory/816-71-0x00000000020A0000-0x00000000020A1000-memory.dmp

              Filesize

              4KB

              Download

            • memory/816-114-0x0000000000400000-0x0000000000446000-memory.dmp

              Filesize

              280KB

              Download

            • memory/864-133-0x0000000000B40000-0x0000000000B48000-memory.dmp

              Filesize

              32KB

              Download

            • memory/864-145-0x0000000000B60000-0x0000000000B6B000-memory.dmp

              Filesize

              44KB

              Download

            • memory/864-141-0x0000000000B60000-0x0000000000B6B000-memory.dmp

              Filesize

              44KB

              Download

            • memory/864-140-0x0000000000B50000-0x0000000000B5B000-memory.dmp

              Filesize

              44KB

              Download

            • memory/864-136-0x0000000000B50000-0x0000000000B5B000-memory.dmp

              Filesize

              44KB

              Download

            • memory/864-131-0x0000000000B50000-0x0000000000B5B000-memory.dmp

              Filesize

              44KB

              Download

            • memory/1224-101-0x0000000002DE0000-0x0000000002DE6000-memory.dmp

              Filesize

              24KB

              Download

            • memory/1224-105-0x0000000002DE0000-0x0000000002DE6000-memory.dmp

              Filesize

              24KB

              Download

            • memory/1224-98-0x0000000002DD0000-0x0000000002DD2000-memory.dmp

              Filesize

              8KB

              Download

            • memory/1224-95-0x0000000002DE0000-0x0000000002DE6000-memory.dmp

              Filesize

              24KB

              Download

            • memory/2624-43-0x0000000000400000-0x000000000040E000-memory.dmp

              Filesize

              56KB

              Download

            • memory/2624-39-0x0000000000400000-0x000000000040E000-memory.dmp

              Filesize

              56KB

              Download

            • memory/2624-41-0x0000000000400000-0x000000000040E000-memory.dmp

              Filesize

              56KB

              Download

            • memory/2624-45-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

              Filesize

              4KB

              Download

            • memory/2624-47-0x0000000000400000-0x000000000040E000-memory.dmp

              Filesize

              56KB

              Download

            • memory/2836-27-0x0000000004060000-0x0000000004B1A000-memory.dmp

              Filesize

              10.7MB

              Download