Analysis

  • max time kernel: 149s
  • max time network: 123s
  • platform: windows7_x64
  • resource: win7-20240220-en
  • resource tags: arch:x64, arch:x86, image:win7-20240220-en, locale:en-us, os:windows7-x64, system
  • submitted: 12-03-2024 23:09

General

  • Target: 991a981068b0d7e68c714468ca240342bb5d64306a6340c5420537fa5604e740.exe
  • Size: 144KB
  • MD5: 6297d37be19fa2d9875c1a6e3180cfdb
  • SHA1: e8cc9b46495e24009b35e53b318f6bab473eb3c1
  • SHA256: 991a981068b0d7e68c714468ca240342bb5d64306a6340c5420537fa5604e740
  • SHA512: 1869f60db34181f63047e4c41d38806d3eca0fe84e6231881159576dd5d29f38a7b0b5dbf7b8a17e795fcc57207099af5392439ae544634673d702b8568a04dc
  • SSDEEP: 3072:l5SVkkgUgXC7AdYzrV+Dljy/32ubwZ/qJ:SUFCkdYzrVolu/J0Z/

Score: 9/10

Malware Config

Signatures

  • UPX dump on OEP (original entry point) 4 IoCs
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 5 IoCs
  • UPX packed file 4 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 41 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\991a981068b0d7e68c714468ca240342bb5d64306a6340c5420537fa5604e740.exe
    "C:\Users\Admin\AppData\Local\Temp\991a981068b0d7e68c714468ca240342bb5d64306a6340c5420537fa5604e740.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3028
    • C:\Users\Admin\AppData\Local\Temp\991a981068b0d7e68c714468ca240342bb5d64306a6340c5420537fa5604e740.exe
      "C:\Users\Admin\AppData\Local\Temp\991a981068b0d7e68c714468ca240342bb5d64306a6340c5420537fa5604e740.exe"
      2⤵
      • Loads dropped DLL
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2680
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\NHMIJ.bat" "
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2456
        • C:\Windows\SysWOW64\reg.exe
          REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "sidebar" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\SystemWindows\WindowsService.exe" /f
          4⤵
          • Adds Run key to start application
          PID:2328
      • C:\Users\Admin\AppData\Roaming\SystemWindows\WindowsService.exe
        "C:\Users\Admin\AppData\Roaming\SystemWindows\WindowsService.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:3032
        • C:\Users\Admin\AppData\Roaming\SystemWindows\WindowsService.exe
          "C:\Users\Admin\AppData\Roaming\SystemWindows\WindowsService.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          PID:548
        • C:\Users\Admin\AppData\Roaming\SystemWindows\WindowsService.exe
          "C:\Users\Admin\AppData\Roaming\SystemWindows\WindowsService.exe"
          4⤵
          • Executes dropped EXE
          PID:2332

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\NHMIJ.bat
    Filesize: 157B
    MD5: f6a90c20834f271a907a4e2bc28184c2
    SHA1: 36c9d1602b74f622346fbb22693597d7889df48d
    SHA256: 73f29cd953eee40cea4de67842556ffd96efe8094a6a9b70f33a35df2582febd
    SHA512: 39cabae19fe1faa37455e4bd242c868be60d6252b07f01224b3f7501c3cf734e503300b840d83381a452707cab6df2f95f920655884be56d4024676b26943804

  • \Users\Admin\AppData\Roaming\SystemWindows\WindowsService.exe
    Filesize: 144KB
    MD5: 53e7b09b3c0be7ec682e3f09bd70e369
    SHA1: 0f7440184915f157ad7b50dcf8037ab3e048cc7f
    SHA256: 409773e4ed27722a51e9471a3ae50e99277d3ba9125c3027c153a3050e82495c
    SHA512: 9cdbd551e2cdcbe17839247f86d2e18a6257553e3aa48cb61683e2910926ab4fba7194d7c0bc9a2dcadb36854eafbd71640a6689c836a4e4080c8600b38e7dfc

  • memory/548-1084-0x0000000000400000-0x000000000040B000-memory.dmp
    Filesize: 44KB

  • memory/2332-1081-0x0000000000400000-0x0000000000417000-memory.dmp
    Filesize: 92KB

  • memory/2332-1087-0x0000000000400000-0x0000000000417000-memory.dmp
    Filesize: 92KB

  • memory/2680-438-0x0000000000400000-0x000000000040B000-memory.dmp
    Filesize: 44KB

  • memory/2680-443-0x0000000000400000-0x000000000040B000-memory.dmp
    Filesize: 44KB

  • memory/2680-1080-0x0000000000400000-0x000000000040B000-memory.dmp
    Filesize: 44KB

  • memory/3028-2-0x0000000000280000-0x0000000000281000-memory.dmp
    Filesize: 4KB

  • memory/3028-105-0x0000000001D30000-0x0000000001D31000-memory.dmp
    Filesize: 4KB

  • memory/3032-617-0x00000000024F0000-0x00000000024F1000-memory.dmp
    Filesize: 4KB