Overview

overview

8

Static

static

7

bff5fecfbb...60.exe

windows7-x64

8

bff5fecfbb...60.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    149s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    11/03/2024, 05:28

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    bff5fecfbb814b0565a627c7c0a65f60.exe

  • Size

    36KB

  • MD5

    bff5fecfbb814b0565a627c7c0a65f60

  • SHA1

    2938804ffc44880f5c1ed126c4676655b234267f

  • SHA256

    cfe0e620039776c31ca3b51330d30af8c961c1b68d2f7ec94da318eb4a73fda6

  • SHA512

    03204475f3cd898f6dbe8431a4c9458f2dbdaa3983565baef7fd3c805c9044c61a7e16cc7a13463d1e157967802cabe7db4badf3a9c94cfa7cf827d0c3ac32ff

  • SSDEEP

    768:hNH7nhU9mZzvky4wWPZrxSLXY+70YJN0wPTlga9NlLFlvHx:DH7WQWAyrALI+70YJ7PpFF5ZR

Score
8/10
persistenceupx

Malware Config

Signatures

  • Adds policy Run key to start application 2 TTPs 2 IoCs
    persistence
  • Drops file in Drivers directory 1 IoCs
  • Executes dropped EXE 2 IoCs
  • UPX packed file 8 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Drops file in System32 directory 1 IoCs
  • Launches sc.exe 6 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Runs net.exe
  • Suspicious use of SetWindowsHookEx 9 IoCs
  • Suspicious use of WriteProcessMemory 63 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\bff5fecfbb814b0565a627c7c0a65f60.exe
    "C:\Users\Admin\AppData\Local\Temp\bff5fecfbb814b0565a627c7c0a65f60.exe"
    1⤵
    • Adds policy Run key to start application
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2788
    • C:\Windows\SysWOW64\net.exe
      net.exe stop "Security Center"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3164
      • C:\Windows\SysWOW64\net1.exe
        C:\Windows\system32\net1 stop "Security Center"
        3⤵
          PID:2224
      • C:\Windows\SysWOW64\sc.exe
        sc config wscsvc start= DISABLED
        2⤵
        • Launches sc.exe
        PID:3300
      • C:\Windows\SysWOW64\net.exe
        net.exe stop "Windows Firewall/Internet Connection Sharing (ICS)"
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:4156
        • C:\Windows\SysWOW64\net1.exe
          C:\Windows\system32\net1 stop "Windows Firewall/Internet Connection Sharing (ICS)"
          3⤵
            PID:372
        • C:\Windows\SysWOW64\sc.exe
          sc config SharedAccess start= DISABLED
          2⤵
          • Launches sc.exe
          PID:3368
        • C:\Users\Admin\AppData\Local\Temp\h26lr2.exe
          C:\Users\Admin\AppData\Local\Temp\h26lr2.exe
          2⤵
          • Drops file in Drivers directory
          • Executes dropped EXE
          • Drops file in System32 directory
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:1580
          • C:\Windows\SysWOW64\net.exe
            net.exe stop "Security Center"
            3⤵
            • Suspicious use of WriteProcessMemory
            PID:3216
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop "Security Center"
              4⤵
                PID:2652
            • C:\Windows\SysWOW64\sc.exe
              sc config wscsvc start= DISABLED
              3⤵
              • Launches sc.exe
              PID:4504
            • C:\Windows\SysWOW64\net.exe
              net.exe stop "Windows Firewall/Internet Connection Sharing (ICS)"
              3⤵
              • Suspicious use of WriteProcessMemory
              PID:2860
              • C:\Windows\SysWOW64\net1.exe
                C:\Windows\system32\net1 stop "Windows Firewall/Internet Connection Sharing (ICS)"
                4⤵
                  PID:1552
              • C:\Windows\SysWOW64\sc.exe
                sc config SharedAccess start= DISABLED
                3⤵
                • Launches sc.exe
                PID:4684
              • C:\Users\Admin\AppData\Local\Temp\h26lr2.exe
                C:\Users\Admin\AppData\Local\Temp\h26lr2.exe -dDBC83CD65592845BF60754730E4A946C5488C8BD452477A355300880F716461D7C021D355E69620F730997FF15500A154F47C73E7D172D7214732E9A60E67CE17C2B34B1D506C47EF4E41D4C64A77BACE8E53A7C6AE8986D40E25C34BE4AA8202B7E8E8094B91FB41BD80462A265EC8510DF4E6C82CB50651A35D19C5837EF5E191E78CFB49928EEC88BA7C5BA7FA221FA14718F808C271922B90A6FB754B65D19407FF38EFFD3F21C71A4FFD37E2283146C4EE15B7E34FD1B1BC351A590A1473B4F6F7ABAE057AB7915D95D57C7317112B9D4814E73CB4804D7FA852AEF954CD06F56A912A527E37F7E61C0EF29D591E3A63025D15582371FAFEB608F63B9DE6989812CAE24F95E0FF49AB685DD5181B811CDF69EAD2D86EDDB14465EF4704CD8947D95E9D5C3ED4B77227D400F2CDF03C45AC8ACEAE2D02F16319160FC60CD2C5316A35A48B86D939DD4A98A722A217540C4AD36B9F5C6E50540389D896DDAB7375A6CDBEE4E978878CE4A0CF1502FFE233661B437FB8A511B7D435EFEBD5B0B49963084B53ACB0C666EEBAF11E35CD0C71F21
                3⤵
                • Executes dropped EXE
                • Suspicious use of SetWindowsHookEx
                • Suspicious use of WriteProcessMemory
                PID:3144
                • C:\Windows\SysWOW64\net.exe
                  net.exe stop "Security Center"
                  4⤵
                  • Suspicious use of WriteProcessMemory
                  PID:1376
                  • C:\Windows\SysWOW64\net1.exe
                    C:\Windows\system32\net1 stop "Security Center"
                    5⤵
                      PID:1900
                  • C:\Windows\SysWOW64\sc.exe
                    sc config wscsvc start= DISABLED
                    4⤵
                    • Launches sc.exe
                    PID:1468
                  • C:\Windows\SysWOW64\net.exe
                    net.exe stop "Windows Firewall/Internet Connection Sharing (ICS)"
                    4⤵
                    • Suspicious use of WriteProcessMemory
                    PID:4100
                    • C:\Windows\SysWOW64\net1.exe
                      C:\Windows\system32\net1 stop "Windows Firewall/Internet Connection Sharing (ICS)"
                      5⤵
                        PID:3132
                    • C:\Windows\SysWOW64\sc.exe
                      sc config SharedAccess start= DISABLED
                      4⤵
                      • Launches sc.exe
                      PID:5040
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\f7lf8ipd.bat
                  2⤵
                    PID:748

                Network

                MITRE ATT&CK Enterprise v15

                Replay Monitor

                Loading Replay Monitor...

                Downloads

                • C:\Users\Admin\AppData\Local\Temp\f7lf8ipd.bat
                  Filesize

                  190B

                  MD5

                  b11ddfed0d3763a1f1309f152c7827f7

                  SHA1

                  0a64f505c574510606e0654610af7771577cfe7e

                  SHA256

                  047ee0c4032f6e5b751bc09ca01cb2c233208c905f59a9865952239b15af0baa

                  SHA512

                  26190652d06c84214a443aabfb344db18ba16b3def6ab08256291c365cea2474616928711ad6da97ede86a12c746b5bbfdacaafa4235b0e4913da78e2fca7205

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\h26lr2.exe
                  Filesize

                  36KB

                  MD5

                  bff5fecfbb814b0565a627c7c0a65f60

                  SHA1

                  2938804ffc44880f5c1ed126c4676655b234267f

                  SHA256

                  cfe0e620039776c31ca3b51330d30af8c961c1b68d2f7ec94da318eb4a73fda6

                  SHA512

                  03204475f3cd898f6dbe8431a4c9458f2dbdaa3983565baef7fd3c805c9044c61a7e16cc7a13463d1e157967802cabe7db4badf3a9c94cfa7cf827d0c3ac32ff

                  Download Submit

                • memory/1580-7-0x0000000000400000-0x0000000000423000-memory.dmp

                  Filesize

                  140KB

                  Download

                • memory/1580-17-0x0000000000400000-0x0000000000423000-memory.dmp

                  Filesize

                  140KB

                  Download

                • memory/1580-26-0x0000000000400000-0x0000000000423000-memory.dmp

                  Filesize

                  140KB

                  Download

                • memory/2788-0-0x0000000000400000-0x0000000000423000-memory.dmp

                  Filesize

                  140KB

                  Download

                • memory/2788-12-0x0000000000400000-0x0000000000423000-memory.dmp

                  Filesize

                  140KB

                  Download

                • memory/3144-18-0x0000000000400000-0x0000000000423000-memory.dmp

                  Filesize

                  140KB

                  Download

                • memory/3144-23-0x0000000000400000-0x0000000000423000-memory.dmp

                  Filesize

                  140KB

                  Download