Overview

overview

10

Static

static

3

eeeeeeeeee...00.exe

windows7-x64

eeeeeeeeee...00.exe

windows10-2004-x64

eeeeeeeeee...um.exe

windows7-x64

10

eeeeeeeeee...um.exe

windows10-2004-x64

10

eeeeeeeeee...ug.exe

windows7-x64

6

eeeeeeeeee...ug.exe

windows10-2004-x64

6

eeeeeeeeee...le.exe

windows7-x64

1

eeeeeeeeee...le.exe

windows10-2004-x64

1

eeeeeeeeee...er.exe

windows7-x64

7

eeeeeeeeee...er.exe

windows10-2004-x64

7

eeeeeeeeee...us.exe

windows7-x64

1

eeeeeeeeee...us.exe

windows10-2004-x64

1

MEMZ 3.0/MEMZ.bat

windows7-x64

7

MEMZ 3.0/MEMZ.bat

windows10-2004-x64

7

MEMZ 3.0/MEMZ.exe

windows7-x64

6

MEMZ 3.0/MEMZ.exe

windows10-2004-x64

7

eeeeeeeeee...MZ.bat

windows7-x64

7

eeeeeeeeee...MZ.bat

windows10-2004-x64

7

eeeeeeeeee...MZ.exe

windows7-x64

6

eeeeeeeeee...MZ.exe

windows10-2004-x64

7

eeeeeeeeee...ld.exe

windows7-x64

3

eeeeeeeeee...ld.exe

windows10-2004-x64

7

eeeeeeeeee....A.exe

windows7-x64

6

eeeeeeeeee....A.exe

windows10-2004-x64

6

eeeeeeeeee...al.exe

windows7-x64

7

eeeeeeeeee...al.exe

windows10-2004-x64

8

eeeeeeeeee...15.exe

windows7-x64

3

eeeeeeeeee...15.exe

windows10-2004-x64

3

eeeeeeeeee...al.exe

windows7-x64

7

eeeeeeeeee...al.exe

windows10-2004-x64

8

eeeeeeeeee...0r.exe

windows7-x64

10

eeeeeeeeee...0r.exe

windows10-2004-x64

10

Resubmissions

15-09-2024 23:12

240915-27aqvsxhjq 8

15-09-2024 23:02

240915-21efgaxake 8

15-09-2024 22:58

240915-2xypyaxdkj 3

15-09-2024 22:56

240915-2wn44sxcpk 3

15-09-2024 22:43

240915-2np2fawhpr 3

15-09-2024 22:42

240915-2m3k5swhmk 10

15-09-2024 22:33

240915-2gqdmawbja 8

15-09-2024 22:27

240915-2de4gswekk 7

15-09-2024 22:15

240915-16esravenh 10

Analysis

  • max time kernel
    124s
  • max time network
    168s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    11-03-2024 01:14

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    eeeeeeeeeeeeee/Malware_pack_2/Malware_pack_2/Security Central/[email protected]

  • Size

    904KB

  • MD5

    0315c3149c7dc1d865dc5a89043d870d

  • SHA1

    f74546dda99891ca688416b1a61c9637b3794108

  • SHA256

    90c2c3944fa8933eefc699cf590ed836086deb31ee56ec71b5651fd978a352c9

  • SHA512

    7168dc244f0e400fa302801078e3faec8cdd2d3cb3b8baaab0a1b3c0929d7cf41e54bfbe530ad5ce96a6b63761f7866d26aaae788c3138c34294174091478112

  • SSDEEP

    24576:bnQv6Dyxn2Qx0KHizHWKxHuyCcZFyXR1tG:2OE2QtCzhh/7R

Score
8/10
persistenceupx

Malware Config

Signatures

  • Modifies Installed Components in the registry 2 TTPs 10 IoCs
    persistence
  • Executes dropped EXE 2 IoCs
  • UPX packed file 19 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Enumerates connected drives 3 TTPs 25 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Suspicious use of SetThreadContext 2 IoCs
  • Drops file in Program Files directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks SCSI registry key(s) 3 TTPs 40 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Modifies data under HKEY_USERS 64 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 25 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\eeeeeeeeeeeeee\Malware_pack_2\Malware_pack_2\Security Central\[email protected]
    "C:\Users\Admin\AppData\Local\Temp\eeeeeeeeeeeeee\Malware_pack_2\Malware_pack_2\Security Central\[email protected]"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3456
    • C:\Users\Admin\AppData\Local\Temp\eeeeeeeeeeeeee\Malware_pack_2\Malware_pack_2\Security Central\[email protected]
      "C:\Users\Admin\AppData\Local\Temp\eeeeeeeeeeeeee\Malware_pack_2\Malware_pack_2\Security Central\[email protected]"
      2⤵
      • Drops file in Program Files directory
      • Suspicious use of WriteProcessMemory
      PID:1276
      • C:\Program Files (x86)\Security Central\Security Central.exe
        "C:\Program Files (x86)\Security Central\Security Central.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:3340
        • C:\Program Files (x86)\Security Central\Security Central.exe
          "C:\Program Files (x86)\Security Central\Security Central.exe"
          4⤵
          • Executes dropped EXE
          • Adds Run key to start application
          • Enumerates connected drives
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SendNotifyMessage
          • Suspicious use of SetWindowsHookEx
          PID:3100
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=2232 --field-trial-handle=2284,i,15722001240173834669,15048020084704567542,262144 --variations-seed-version /prefetch:8
    1⤵
      PID:1884
    • C:\Windows\system32\sihost.exe
      sihost.exe
      1⤵
      • Suspicious use of FindShellTrayWindow
      PID:3404
    • C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
      "C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
      1⤵
      • Modifies data under HKEY_USERS
      • Suspicious use of SetWindowsHookEx
      PID:4536
    • C:\Windows\system32\sihost.exe
      sihost.exe
      1⤵
      • Suspicious use of FindShellTrayWindow
      PID:2516
    • C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
      "C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
      1⤵
      • Modifies data under HKEY_USERS
      • Suspicious use of SetWindowsHookEx
      PID:1268
    • C:\Windows\system32\sihost.exe
      sihost.exe
      1⤵
      • Suspicious use of WriteProcessMemory
      PID:2664
      • C:\Windows\explorer.exe
        explorer.exe /LOADSAVEDWINDOWS
        2⤵
        • Modifies Installed Components in the registry
        • Enumerates connected drives
        • Checks SCSI registry key(s)
        • Modifies registry class
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:316
    • C:\Windows\system32\sihost.exe
      sihost.exe
      1⤵
      • Suspicious use of FindShellTrayWindow
      PID:2856
    • C:\Windows\system32\sihost.exe
      sihost.exe
      1⤵
      • Suspicious use of WriteProcessMemory
      PID:4612
      • C:\Windows\explorer.exe
        explorer.exe /LOADSAVEDWINDOWS
        2⤵
        • Modifies Installed Components in the registry
        • Enumerates connected drives
        • Modifies registry class
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:976
    • C:\Windows\system32\sihost.exe
      sihost.exe
      1⤵
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of WriteProcessMemory
      PID:4884
      • C:\Windows\explorer.exe
        explorer.exe /LOADSAVEDWINDOWS
        2⤵
        • Modifies Installed Components in the registry
        • Modifies registry class
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:1204
    • C:\Windows\explorer.exe
      explorer.exe
      1⤵
      • Modifies Installed Components in the registry
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2240
    • C:\Windows\explorer.exe
      explorer.exe
      1⤵
      • Modifies Installed Components in the registry
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:4916
    • C:\Windows\explorer.exe
      explorer.exe
      1⤵
      • Modifies Installed Components in the registry
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SendNotifyMessage
      PID:2060
    • C:\Windows\explorer.exe
      explorer.exe
      1⤵
      • Modifies Installed Components in the registry
      • Modifies registry class
      PID:4684
    • C:\Windows\explorer.exe
      explorer.exe
      1⤵
      • Modifies Installed Components in the registry
      • Modifies registry class
      PID:2388
    • C:\Windows\explorer.exe
      explorer.exe
      1⤵
      • Modifies Installed Components in the registry
      • Modifies registry class
      PID:3236
    • C:\Windows\explorer.exe
      explorer.exe
      1⤵
      • Modifies Installed Components in the registry
      • Modifies registry class
      PID:4288
    • C:\Windows\explorer.exe
      explorer.exe
      1⤵
        PID:3856
      • C:\Windows\explorer.exe
        explorer.exe
        1⤵
          PID:4500
        • C:\Windows\explorer.exe
          explorer.exe
          1⤵
            PID:5060
          • C:\Windows\explorer.exe
            explorer.exe
            1⤵
              PID:1804
            • C:\Windows\explorer.exe
              explorer.exe
              1⤵
                PID:3152
              • C:\Windows\explorer.exe
                explorer.exe
                1⤵
                  PID:3104
                • C:\Windows\explorer.exe
                  explorer.exe
                  1⤵
                    PID:4700
                  • C:\Windows\explorer.exe
                    explorer.exe
                    1⤵
                      PID:4000
                    • C:\Windows\explorer.exe
                      explorer.exe
                      1⤵
                        PID:4020
                      • C:\Windows\explorer.exe
                        explorer.exe
                        1⤵
                          PID:1260
                        • C:\Windows\explorer.exe
                          explorer.exe
                          1⤵
                            PID:2976
                          • C:\Windows\explorer.exe
                            explorer.exe
                            1⤵
                              PID:180
                            • C:\Windows\explorer.exe
                              explorer.exe
                              1⤵
                                PID:4488
                              • C:\Windows\explorer.exe
                                explorer.exe
                                1⤵
                                  PID:2908
                                • C:\Windows\explorer.exe
                                  explorer.exe
                                  1⤵
                                    PID:3788
                                  • C:\Windows\explorer.exe
                                    explorer.exe
                                    1⤵
                                      PID:4644

                                    Network

                                    MITRE ATT&CK Enterprise v15

                                    Replay Monitor

                                    Loading Replay Monitor...

                                    Downloads

                                    • C:\Program Files (x86)\Security Central\Security Central.exe
                                      Filesize

                                      904KB

                                      MD5

                                      0315c3149c7dc1d865dc5a89043d870d

                                      SHA1

                                      f74546dda99891ca688416b1a61c9637b3794108

                                      SHA256

                                      90c2c3944fa8933eefc699cf590ed836086deb31ee56ec71b5651fd978a352c9

                                      SHA512

                                      7168dc244f0e400fa302801078e3faec8cdd2d3cb3b8baaab0a1b3c0929d7cf41e54bfbe530ad5ce96a6b63761f7866d26aaae788c3138c34294174091478112

                                      Download Submit

                                    • C:\Users\Admin\AppData\Local\Microsoft\PenWorkspace\DiscoverCacheData.dat
                                      Filesize

                                      1022B

                                      MD5

                                      7b5058e4550fa36515c5abb454ba8a4b

                                      SHA1

                                      fb6f6d9acbe9dd98af89d4f52d305fc3b951201b

                                      SHA256

                                      031e1533a094b24157d505d6907a1ede907247faa8d7d4b8570d111fb3c1417f

                                      SHA512

                                      1fc9e878a24d4f73ca058daeb7962ff211017104752846336aadcc960df36b3d0fa169485205db41a13175153f844dfdff9c27106461c431b0ea9a70e5384c51

                                      Download Submit

                                    • C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db
                                      Filesize

                                      28KB

                                      MD5

                                      018691198497af09b951f40b43a6fe68

                                      SHA1

                                      0352768a55f521e5fed64fcd61dc92f8b7e3d33b

                                      SHA256

                                      6b907466a089f221f0f4ec891f7f16e308f0e43e276ab4ab0d6da2a8e138ad2b

                                      SHA512

                                      0584d5536bee7f4a263e61e8fbc1f42e070eeb41af5cc59be1c8f80df02c0a199ab75466e859ee90f63778b0c580e5b4ab75bff09710e52f0e11a20b5a78edf8

                                      Download Submit

                                    • C:\Users\Admin\Desktop\Security Central.lnk
                                      Filesize

                                      1KB

                                      MD5

                                      d59f65e0bbdb9644de1fa1811f640b8b

                                      SHA1

                                      00d1f3b210e9e5b1ab8f2ff755d897d5f6624a97

                                      SHA256

                                      7b020a1bcb987588b44c48eec61c6a3cd6d189e85a27b50bb19023cc546f693c

                                      SHA512

                                      5b54b092308061411ef60d1016b0d69243e9c3b3ab5cc6d605d29477bd8dee120a7d39b97284a0958f5c5a121aebc321b42236ef7d964727f30a3a4f6f41f2be

                                      Download Submit

                                    • memory/316-43-0x0000000004C30000-0x0000000004C31000-memory.dmp

                                      Filesize

                                      4KB

                                      Download

                                    • memory/1276-2-0x0000000000400000-0x0000000000A35000-memory.dmp

                                      Filesize

                                      6.2MB

                                      Download

                                    • memory/1276-4-0x0000000000400000-0x0000000000A35000-memory.dmp

                                      Filesize

                                      6.2MB

                                      Download

                                    • memory/1276-5-0x0000000000400000-0x0000000000A35000-memory.dmp

                                      Filesize

                                      6.2MB

                                      Download

                                    • memory/1276-6-0x0000000000400000-0x0000000000A35000-memory.dmp

                                      Filesize

                                      6.2MB

                                      Download

                                    • memory/1276-7-0x0000000002980000-0x0000000002981000-memory.dmp

                                      Filesize

                                      4KB

                                      Download

                                    • memory/1276-19-0x0000000000400000-0x0000000000A35000-memory.dmp

                                      Filesize

                                      6.2MB

                                      Download

                                    • memory/3100-31-0x0000000000400000-0x0000000000A35000-memory.dmp

                                      Filesize

                                      6.2MB

                                      Download

                                    • memory/3100-40-0x0000000000400000-0x0000000000A35000-memory.dmp

                                      Filesize

                                      6.2MB

                                      Download

                                    • memory/3100-32-0x0000000000400000-0x0000000000A35000-memory.dmp

                                      Filesize

                                      6.2MB

                                      Download

                                    • memory/3100-33-0x0000000000400000-0x0000000000A35000-memory.dmp

                                      Filesize

                                      6.2MB

                                      Download

                                    • memory/3100-34-0x0000000000400000-0x0000000000A35000-memory.dmp

                                      Filesize

                                      6.2MB

                                      Download

                                    • memory/3100-35-0x0000000000F10000-0x0000000000F11000-memory.dmp

                                      Filesize

                                      4KB

                                      Download

                                    • memory/3100-27-0x0000000000400000-0x0000000000A35000-memory.dmp

                                      Filesize

                                      6.2MB

                                      Download

                                    • memory/3100-26-0x0000000000400000-0x0000000000A35000-memory.dmp

                                      Filesize

                                      6.2MB

                                      Download

                                    • memory/3100-25-0x0000000000400000-0x0000000000A35000-memory.dmp

                                      Filesize

                                      6.2MB

                                      Download

                                    • memory/3100-23-0x0000000000F10000-0x0000000000F11000-memory.dmp

                                      Filesize

                                      4KB

                                      Download

                                    • memory/3100-46-0x0000000000400000-0x0000000000A35000-memory.dmp

                                      Filesize

                                      6.2MB

                                      Download

                                    • memory/3100-48-0x0000000000400000-0x0000000000A35000-memory.dmp

                                      Filesize

                                      6.2MB

                                      Download

                                    • memory/3100-49-0x0000000000400000-0x0000000000A35000-memory.dmp

                                      Filesize

                                      6.2MB

                                      Download

                                    • memory/3100-50-0x0000000000400000-0x0000000000A35000-memory.dmp

                                      Filesize

                                      6.2MB

                                      Download

                                    • memory/3100-51-0x0000000000400000-0x0000000000A35000-memory.dmp

                                      Filesize

                                      6.2MB

                                      Download

                                    • memory/3100-52-0x0000000000400000-0x0000000000A35000-memory.dmp

                                      Filesize

                                      6.2MB

                                      Download