Overview

overview

7

Static

static

7

ac15b1ac58...ed.exe

windows7-x64

7

ac15b1ac58...ed.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    120s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240220-en
  • resource tags

    arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
  • submitted
    28/02/2024, 14:16

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    ac15b1ac5887a00461497846909e89ed.exe

  • Size

    185KB

  • MD5

    ac15b1ac5887a00461497846909e89ed

  • SHA1

    9011189f15b27d4ecd268c00ed74bde02e053556

  • SHA256

    b597503dfa7e552d770667eb0e298643075c66fe426da71e1ca1c92831717b8c

  • SHA512

    9081f1b40b4a24cf454bd384f223e7f7204ec7e5fcd116f9985b1601000dc0c11095846122c01a6d4b22449e3f2750ee822f4fdbc252f7dd1d6d97bc1dd2a92a

  • SSDEEP

    3072:S1IWS4N0Q5N0+f9ahQFJzdj8QB21NRnkXtMI++Eu/BMhmHJtYfgIQS4rjc:74pf0hoJlXA1NRniMI1zJMsHsAr

Score
7/10
upx

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • UPX packed file 1 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Suspicious use of SetThreadContext 1 IoCs
  • Modifies registry class 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs

Processes

  • C:\Windows\system32\csrss.exe
    %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
    1⤵
    • Executes dropped EXE
    • Suspicious use of UnmapMainImage
    • Suspicious use of WriteProcessMemory
    PID:340
  • C:\Users\Admin\AppData\Local\Temp\ac15b1ac5887a00461497846909e89ed.exe
    "C:\Users\Admin\AppData\Local\Temp\ac15b1ac5887a00461497846909e89ed.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:2204
    • C:\Windows\explorer.exe
      00000054*
      2⤵
      • Deletes itself
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2224
  • C:\Windows\system32\wbem\WMIADAP.EXE
    wmiadap.exe /F /T /R
    1⤵
      PID:2412
    • C:\Windows\system32\wbem\wmiprvse.exe
      C:\Windows\system32\wbem\wmiprvse.exe -Embedding
      1⤵
        PID:2492

      Network

            MITRE ATT&CK Matrix

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\Windows\system32\consrv.DLL
              Filesize

              31KB

              MD5

              dafc4a53954b76c5db1d857e955f3805

              SHA1

              a18fa0d38c6656b4398953e77e87eec3b0209ef3

              SHA256

              c6c82dde145a2dd9d70b1b539b17571befb663fc4a9ca834ff2a140cc4ebaa0b

              SHA512

              745e27a4f952e2492dbd12ced396be2c7dc78344ba415ad64b45920f95d7a282e30c7ad2da9266dc195c71e38019809e8183a705f9276c7d178de2f5ef34b633

              Download Submit

            • \systemroot\assembly\tmp\{1B372133-BFFA-4dba-9CCF-5474BED6A9F6}
              Filesize

              2KB

              MD5

              5c243909df8952169e8e94c6d33d4c4f

              SHA1

              9d6f52ec4b32c2023471b3fab3d1ae2aa90d0c15

              SHA256

              30003688478851e651d3947682287cb27544aeb66f9017705f64ddda6af1c19e

              SHA512

              7823a95bd6fe171d0881579239adceaf2a7e8a7c82e2fb3b384e17a907e26c3e1054d7fd742e2d480b29897909e3d9f1ae089641784bec7398317f11eb42f5e7

              Download Submit

            • memory/340-19-0x0000000000C30000-0x0000000000C3C000-memory.dmp

              Filesize

              48KB

              Download

            • memory/340-20-0x0000000000C30000-0x0000000000C3C000-memory.dmp

              Filesize

              48KB

              Download

            • memory/2204-0-0x0000000000400000-0x000000000043A000-memory.dmp

              Filesize

              232KB

              Download

            • memory/2204-1-0x0000000000020000-0x0000000000034000-memory.dmp

              Filesize

              80KB

              Download

            • memory/2204-2-0x0000000000400000-0x000000000043A000-memory.dmp

              Filesize

              232KB

              Download

            • memory/2224-3-0x0000000001F00000-0x0000000001F14000-memory.dmp

              Filesize

              80KB

              Download

            • memory/2224-4-0x00000000000E0000-0x00000000000F2000-memory.dmp

              Filesize

              72KB

              Download

            • memory/2224-9-0x0000000001F00000-0x0000000001F14000-memory.dmp

              Filesize

              80KB

              Download

            • memory/2224-14-0x0000000001F00000-0x0000000001F14000-memory.dmp

              Filesize

              80KB

              Download