Analysis

  • max time kernel
    149s
  • max time network
    148s
  • platform
    windows7_x64
  • resource
    win7-20240220-en
  • resource tags

    arch:x64 arch:x86 image:win7-20240220-en locale:en-us os:windows7-x64 system
  • submitted
    05/03/2024, 20:59

General

  • Target

    b5a49b87673bb4dcff297b3d33e39504.exe

  • Size

    2.7MB

  • MD5

    b5a49b87673bb4dcff297b3d33e39504

  • SHA1

    5dd922c9fb6d7af22af65bc352f782077e0223bc

  • SHA256

    eed0845a1c92c5905f298b958e668c552616dc1613c33503af905f9c049ec4d6

  • SHA512

    507cd27a42441be47062142a4b56a5dbc1bf13cdc6aafbf829fcd7e9e37143acb7e56a0fbb5f548e0144b30e84fd74374baadff67b3ad99c97b526aa65f716e7

  • SSDEEP

    49152:RH73q/dlUyNJ+TBGxZykI9vA6qX9B9RElKBG1F:xjq1N44WEXP9RElKS

Score
7/10

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • UPX packed file 3 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b5a49b87673bb4dcff297b3d33e39504.exe
    "C:\Users\Admin\AppData\Local\Temp\b5a49b87673bb4dcff297b3d33e39504.exe"
    • Drops startup file
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: RenamesItself
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1740
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        PID:2784

    Network

          MITRE ATT&CK Enterprise v15

          Downloads

          • C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini

            Filesize

            92B

            MD5

            2004bcee923b0e0222f4cab87c2c2a3d

            SHA1

            0a3c122b7cfe403403d913ecc1b328480b1bfc2a

            SHA256

            f92f08df2b65e2f5b5db141c99b098c8b077c0c853a1fd51bfcc6d40dc68ad77

            SHA512

            cae47a4dfdb942622ebca65d57e9d80c29cb299aa8c217983e34a51655c2e96ed26c7fa2fad978b6279ed4d3c8c0571e417c60152bf66a116f67d0fe38d6a445

          • C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

            Filesize

            721B

            MD5

            5d02e913503d51d784579a4a4955fc35

            SHA1

            92a2010bd73d70b959c09c65d01706f8a46e1fc5

            SHA256

            35c75630e5fd18d276b00ed1b103f19e728e77bed17e50f22b3b10a053a195b6

            SHA512

            a8c4bdd20a4dac6df7ad2b2a066538153b9473f07cf6a68ecd1f036949032a2c1159b88d282d206412fd8499197e47a4e5ff2cc9f0e7880a8516da2a68031883

          • C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

            Filesize

            2.7MB

            MD5

            3d09d18355f006780d5a0aa433ecb5ec

            SHA1

            13cec60f785d7ee67e416e75b9cdf5fd389443c7

            SHA256

            f62f21832ec224dedd3aefdcf25915b55365342a3e06f28efd0dee011d6bca66

            SHA512

            85ed0fbaf52828e64c0262ebf1be03d97e32fdb09bf414909fd815c059977bf26184646d897cee76e8e170740caf6d4bf229c730690ae0cb00bfdb731ef417f3

          • memory/1740-0-0x0000000000400000-0x0000000000551000-memory.dmp

            Filesize

            1.3MB

          • memory/1740-15-0x0000000000400000-0x0000000000551000-memory.dmp

            Filesize

            1.3MB