Overview

overview

7

Static

static

7

b7f6cbbe68...d5.exe

windows7-x64

7

b7f6cbbe68...d5.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    81s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    06/03/2024, 17:27

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    b7f6cbbe68d2d92b0721408708c37dd5.exe

  • Size

    126KB

  • MD5

    b7f6cbbe68d2d92b0721408708c37dd5

  • SHA1

    9ce99e33a1a4e161bb2b6fb99003f79d9778fc59

  • SHA256

    529365d7e6520ef2d812fc361a135d910d639a6468d0203fcddf6e0819661832

  • SHA512

    a9aec2fe83a9ef871cc3b94ce53c9ec52e1df736847cb4a0f0ecdea36a2d28a637ceb124a812f081ffeac8607e9263312ae203cd2f5a36101f819a93f673f360

  • SSDEEP

    3072:dDKERFTYi2rQULKl6hp1fD4JQONLKcvM3/BLBvout2s:FKERFTYi2s6Kl+DbOdDvM35LxoS2

Score
7/10
persistenceupx

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 4 IoCs
  • UPX packed file 13 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b7f6cbbe68d2d92b0721408708c37dd5.exe
    "C:\Users\Admin\AppData\Local\Temp\b7f6cbbe68d2d92b0721408708c37dd5.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:684
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\redsu.bat" "
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3964
      • C:\Windows\SysWOW64\reg.exe
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "run32.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Adobee\Protect.exe" /f
        3⤵
        • Adds Run key to start application
        PID:212
    • C:\Users\Admin\AppData\Roaming\Adobee\Protect.exe
      "C:\Users\Admin\AppData\Roaming\Adobee\Protect.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:4628
      • C:\Users\Admin\AppData\Roaming\Adobee\Protect.exe
        C:\Users\Admin\AppData\Roaming\Adobee\Protect.exe
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Adds Run key to start application
        • Modifies registry class
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:4652
        • C:\Users\Admin\AppData\Roaming\000000000.exe
          "C:\Users\Admin\AppData\Roaming\000000000.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:1072
          • C:\Users\Admin\AppData\Roaming\000000000.exe
            C:\Users\Admin\AppData\Roaming\000000000.exe
            5⤵
            • Executes dropped EXE
            PID:2964

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\redsu.bat
    Filesize

    143B

    MD5

    a18a2abad17b668162699428d77107b8

    SHA1

    153bafd32584d527e7be1233203adc6bff2658a0

    SHA256

    d0c4c5b6a90a9c986028d946c11321b250773da41e64a63f16fa94652e3f3b5f

    SHA512

    f8f26a185b0735c0f0859a8eb03d35a0313062efb080d83569b7620a445be2318c0e594a539719bf88a3ec3417f0d1954137620c2fd83bf9214b89fca8126556

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Adobee\Protect.exe
    Filesize

    126KB

    MD5

    b7f6cbbe68d2d92b0721408708c37dd5

    SHA1

    9ce99e33a1a4e161bb2b6fb99003f79d9778fc59

    SHA256

    529365d7e6520ef2d812fc361a135d910d639a6468d0203fcddf6e0819661832

    SHA512

    a9aec2fe83a9ef871cc3b94ce53c9ec52e1df736847cb4a0f0ecdea36a2d28a637ceb124a812f081ffeac8607e9263312ae203cd2f5a36101f819a93f673f360

    Download Submit

  • memory/684-18-0x0000000000400000-0x0000000000542000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/684-0-0x0000000000400000-0x0000000000542000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/1072-97-0x0000000000400000-0x0000000000542000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/1072-105-0x0000000000400000-0x0000000000542000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/2964-108-0x0000000000400000-0x000000000041E000-memory.dmp

    Filesize

    120KB

    Download

  • memory/4628-19-0x0000000000400000-0x0000000000542000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/4628-29-0x0000000000400000-0x0000000000542000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/4652-26-0x0000000000400000-0x000000000041E000-memory.dmp

    Filesize

    120KB

    Download

  • memory/4652-33-0x0000000000400000-0x000000000041E000-memory.dmp

    Filesize

    120KB

    Download

  • memory/4652-32-0x00000000005B0000-0x00000000005B1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4652-28-0x0000000000400000-0x000000000041E000-memory.dmp

    Filesize

    120KB

    Download

  • memory/4652-106-0x0000000000400000-0x000000000041E000-memory.dmp

    Filesize

    120KB

    Download

  • memory/4652-22-0x0000000000400000-0x000000000041E000-memory.dmp

    Filesize

    120KB

    Download