Overview

overview

10

Static

static

1

b7d7d55c96...1d.exe

windows7-x64

10

b7d7d55c96...1d.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    146s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    06/03/2024, 16:22

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    b7d7d55c964c6888fb6120719202fb1d.exe

  • Size

    451KB

  • MD5

    b7d7d55c964c6888fb6120719202fb1d

  • SHA1

    a513bc72ef573ce215b436fd1ef71a27eab0d226

  • SHA256

    42e183f61735868b10c3a4b128496d2f51fb49458dc49715dde5dfda82828a3c

  • SHA512

    a229428dcddb6cfc126b7f4db42079e8fc22f05b1502444708d660a36da79da76a819bfebcd3c757f1e24dbe02d98535836378e53e938c3d4f8811e45c48cec7

  • SSDEEP

    1536:hO20qHkRRNpTNJo9KJt7i3ukMV111I8Yp45wzvShJFIn8lq93oFDeUXtk3ns:hMRjVo9uFiJu11upaEMq8Y3Utm

Score
7/10
upx

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 7 IoCs
  • UPX packed file 9 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Suspicious use of SetThreadContext 7 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 5 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b7d7d55c964c6888fb6120719202fb1d.exe
    "C:\Users\Admin\AppData\Local\Temp\b7d7d55c964c6888fb6120719202fb1d.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:1516
    • C:\Windows\SysWOW64\svchost.exe
      C:\Windows\system32\\svchost.exe
      2⤵
        PID:2112
      • C:\Users\Admin\AppData\Local\Temp\b7d7d55c964c6888fb6120719202fb1d.exe
        2⤵
        • Checks computer location settings
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:748
        • C:\Users\Admin\E696D64614\winlogon.exe
          "C:\Users\Admin\E696D64614\winlogon.exe"
          3⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • Suspicious use of WriteProcessMemory
          PID:3304
          • C:\Windows\SysWOW64\svchost.exe
            C:\Windows\system32\\svchost.exe
            4⤵
              PID:1400
            • C:\Users\Admin\E696D64614\winlogon.exe
              4⤵
              • Executes dropped EXE
              • Suspicious use of SetThreadContext
              • Suspicious use of SetWindowsHookEx
              • Suspicious use of WriteProcessMemory
              PID:3912
              • C:\Users\Admin\E696D64614\winlogon.exe
                "C:\Users\Admin\E696D64614\winlogon.exe"
                5⤵
                • Executes dropped EXE
                PID:5016
                • C:\Windows\SysWOW64\WerFault.exe
                  C:\Windows\SysWOW64\WerFault.exe -u -p 5016 -s 12
                  6⤵
                  • Program crash
                  PID:704
              • C:\Users\Admin\E696D64614\winlogon.exe
                "C:\Users\Admin\E696D64614\winlogon.exe"
                5⤵
                • Executes dropped EXE
                PID:1832
                • C:\Windows\SysWOW64\WerFault.exe
                  C:\Windows\SysWOW64\WerFault.exe -u -p 1832 -s 12
                  6⤵
                  • Program crash
                  PID:416
              • C:\Users\Admin\E696D64614\winlogon.exe
                "C:\Users\Admin\E696D64614\winlogon.exe"
                5⤵
                • Executes dropped EXE
                PID:2328
                • C:\Windows\SysWOW64\WerFault.exe
                  C:\Windows\SysWOW64\WerFault.exe -u -p 2328 -s 12
                  6⤵
                  • Program crash
                  PID:4384
              • C:\Users\Admin\E696D64614\winlogon.exe
                "C:\Users\Admin\E696D64614\winlogon.exe"
                5⤵
                • Executes dropped EXE
                PID:3760
                • C:\Windows\SysWOW64\WerFault.exe
                  C:\Windows\SysWOW64\WerFault.exe -u -p 3760 -s 12
                  6⤵
                  • Program crash
                  PID:1544
              • C:\Users\Admin\E696D64614\winlogon.exe
                "C:\Users\Admin\E696D64614\winlogon.exe"
                5⤵
                • Executes dropped EXE
                PID:2452
                • C:\Windows\SysWOW64\WerFault.exe
                  C:\Windows\SysWOW64\WerFault.exe -u -p 2452 -s 12
                  6⤵
                  • Program crash
                  PID:1520
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5016 -ip 5016
        1⤵
          PID:2292
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 1832 -ip 1832
          1⤵
            PID:2112
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 2328 -ip 2328
            1⤵
              PID:1680
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 3760 -ip 3760
              1⤵
                PID:2696
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 2452 -ip 2452
                1⤵
                  PID:3612

                Network

                MITRE ATT&CK Enterprise v15

                Replay Monitor

                Loading Replay Monitor...

                Downloads

                • C:\Users\Admin\E696D64614\winlogon.exe
                  Filesize

                  451KB

                  MD5

                  b7d7d55c964c6888fb6120719202fb1d

                  SHA1

                  a513bc72ef573ce215b436fd1ef71a27eab0d226

                  SHA256

                  42e183f61735868b10c3a4b128496d2f51fb49458dc49715dde5dfda82828a3c

                  SHA512

                  a229428dcddb6cfc126b7f4db42079e8fc22f05b1502444708d660a36da79da76a819bfebcd3c757f1e24dbe02d98535836378e53e938c3d4f8811e45c48cec7

                  Download Submit

                • memory/748-0-0x0000000000400000-0x000000000041C000-memory.dmp

                  Filesize

                  112KB

                  Download

                • memory/748-3-0x0000000000400000-0x000000000041C000-memory.dmp

                  Filesize

                  112KB

                  Download

                • memory/748-4-0x0000000000400000-0x000000000041C000-memory.dmp

                  Filesize

                  112KB

                  Download

                • memory/748-15-0x0000000000400000-0x000000000041C000-memory.dmp

                  Filesize

                  112KB

                  Download

                • memory/1516-1-0x0000000000400000-0x0000000000420000-memory.dmp

                  Filesize

                  128KB

                  Download

                • memory/3304-20-0x0000000000400000-0x0000000000420000-memory.dmp

                  Filesize

                  128KB

                  Download

                • memory/3912-28-0x0000000000400000-0x000000000041C000-memory.dmp

                  Filesize

                  112KB

                  Download

                • memory/3912-34-0x0000000000400000-0x000000000041C000-memory.dmp

                  Filesize

                  112KB

                  Download

                • memory/3912-40-0x0000000000400000-0x000000000041C000-memory.dmp

                  Filesize

                  112KB

                  Download

                • memory/3912-46-0x0000000000400000-0x000000000041C000-memory.dmp

                  Filesize

                  112KB

                  Download

                • memory/3912-52-0x0000000000400000-0x000000000041C000-memory.dmp

                  Filesize

                  112KB

                  Download