Overview

overview

7

Static

static

7

c5ad35303d...df.exe

windows7-x64

7

c5ad35303d...df.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    122s
  • max time network
    127s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    13/03/2024, 10:45

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    c5ad35303d1ffad33cc1e0149b9944df.exe

  • Size

    45KB

  • MD5

    c5ad35303d1ffad33cc1e0149b9944df

  • SHA1

    fc4a3308f089804f24adaa0852ab57ac8e2b13d4

  • SHA256

    44310c7190866c75e9e1b11adf2e5024ea48c90230b6737e5aca7d6667600f57

  • SHA512

    457a82a5f8d9f065cf819901bdcdeae90d5cec8ec6d191c9b4b717f7417b937c17d5c66ca62125a8284d857420182a66bf1b101ea454cd62aafd0eac6435bea3

  • SSDEEP

    768:QLQYBHWBRmiYlg+RA+sT4+AxHelme8IdezhYvl62MzXO40jc07wNR:vYloR5l+RXshGHel8+vDMb10c

Score
7/10
persistenceupx

Malware Config

Signatures

  • Executes dropped EXE 10 IoCs
  • Loads dropped DLL 3 IoCs
  • UPX packed file 21 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Adds Run key to start application 2 TTPs 10 IoCs
    persistence
  • Drops file in Program Files directory 22 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Runs net.exe
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\c5ad35303d1ffad33cc1e0149b9944df.exe
    "C:\Users\Admin\AppData\Local\Temp\c5ad35303d1ffad33cc1e0149b9944df.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • Drops file in Program Files directory
    • Suspicious use of WriteProcessMemory
    PID:2460
    • C:\Windows\SysWOW64\net.exe
      "C:\Windows\System32\net.exe" stop sharedaccess
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2736
      • C:\Windows\SysWOW64\net1.exe
        C:\Windows\system32\net1 stop sharedaccess
        3⤵
          PID:2524
      • C:\Program Files\Internet Explorer\SPLOPE.exe
        "C:\Program Files\Internet Explorer\SPLOPE.exe"
        2⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Adds Run key to start application
        • Drops file in Program Files directory
        • Suspicious use of WriteProcessMemory
        PID:2752
        • C:\Windows\SysWOW64\net.exe
          "C:\Windows\System32\net.exe" stop sharedaccess
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:2608
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop sharedaccess
            4⤵
              PID:2540
          • C:\Program Files\Internet Explorer\SPLOPE.exe
            "C:\Program Files\Internet Explorer\SPLOPE.exe"
            3⤵
            • Executes dropped EXE
            • Adds Run key to start application
            • Drops file in Program Files directory
            • Suspicious use of WriteProcessMemory
            PID:2448
            • C:\Windows\SysWOW64\net.exe
              "C:\Windows\System32\net.exe" stop sharedaccess
              4⤵
              • Suspicious use of WriteProcessMemory
              PID:2416
              • C:\Windows\SysWOW64\net1.exe
                C:\Windows\system32\net1 stop sharedaccess
                5⤵
                  PID:2160
              • C:\Program Files\Internet Explorer\SPLOPE.exe
                "C:\Program Files\Internet Explorer\SPLOPE.exe"
                4⤵
                • Executes dropped EXE
                • Adds Run key to start application
                • Drops file in Program Files directory
                • Suspicious use of WriteProcessMemory
                PID:1508
                • C:\Windows\SysWOW64\net.exe
                  "C:\Windows\System32\net.exe" stop sharedaccess
                  5⤵
                  • Suspicious use of WriteProcessMemory
                  PID:856
                  • C:\Windows\SysWOW64\net1.exe
                    C:\Windows\system32\net1 stop sharedaccess
                    6⤵
                      PID:1760
                  • C:\Program Files\Internet Explorer\SPLOPE.exe
                    "C:\Program Files\Internet Explorer\SPLOPE.exe"
                    5⤵
                    • Executes dropped EXE
                    • Adds Run key to start application
                    • Drops file in Program Files directory
                    • Suspicious use of WriteProcessMemory
                    PID:940
                    • C:\Windows\SysWOW64\net.exe
                      "C:\Windows\System32\net.exe" stop sharedaccess
                      6⤵
                      • Suspicious use of WriteProcessMemory
                      PID:2280
                      • C:\Windows\SysWOW64\net1.exe
                        C:\Windows\system32\net1 stop sharedaccess
                        7⤵
                          PID:2620
                      • C:\Program Files\Internet Explorer\SPLOPE.exe
                        "C:\Program Files\Internet Explorer\SPLOPE.exe"
                        6⤵
                        • Executes dropped EXE
                        • Adds Run key to start application
                        • Drops file in Program Files directory
                        • Suspicious use of WriteProcessMemory
                        PID:2336
                        • C:\Windows\SysWOW64\net.exe
                          "C:\Windows\System32\net.exe" stop sharedaccess
                          7⤵
                            PID:2644
                            • C:\Windows\SysWOW64\net1.exe
                              C:\Windows\system32\net1 stop sharedaccess
                              8⤵
                                PID:2568
                            • C:\Program Files\Internet Explorer\SPLOPE.exe
                              "C:\Program Files\Internet Explorer\SPLOPE.exe"
                              7⤵
                              • Executes dropped EXE
                              • Adds Run key to start application
                              • Drops file in Program Files directory
                              PID:2212
                              • C:\Windows\SysWOW64\net.exe
                                "C:\Windows\System32\net.exe" stop sharedaccess
                                8⤵
                                  PID:816
                                  • C:\Windows\SysWOW64\net1.exe
                                    C:\Windows\system32\net1 stop sharedaccess
                                    9⤵
                                      PID:1924
                                  • C:\Program Files\Internet Explorer\SPLOPE.exe
                                    "C:\Program Files\Internet Explorer\SPLOPE.exe"
                                    8⤵
                                    • Executes dropped EXE
                                    • Adds Run key to start application
                                    • Drops file in Program Files directory
                                    PID:1904
                                    • C:\Windows\SysWOW64\net.exe
                                      "C:\Windows\System32\net.exe" stop sharedaccess
                                      9⤵
                                        PID:2992
                                        • C:\Windows\SysWOW64\net1.exe
                                          C:\Windows\system32\net1 stop sharedaccess
                                          10⤵
                                            PID:1584
                                        • C:\Program Files\Internet Explorer\SPLOPE.exe
                                          "C:\Program Files\Internet Explorer\SPLOPE.exe"
                                          9⤵
                                          • Executes dropped EXE
                                          • Adds Run key to start application
                                          • Drops file in Program Files directory
                                          PID:1548
                                          • C:\Windows\SysWOW64\net.exe
                                            "C:\Windows\System32\net.exe" stop sharedaccess
                                            10⤵
                                              PID:2044
                                              • C:\Windows\SysWOW64\net1.exe
                                                C:\Windows\system32\net1 stop sharedaccess
                                                11⤵
                                                  PID:616
                                              • C:\Program Files\Internet Explorer\SPLOPE.exe
                                                "C:\Program Files\Internet Explorer\SPLOPE.exe"
                                                10⤵
                                                • Executes dropped EXE
                                                • Adds Run key to start application
                                                • Drops file in Program Files directory
                                                PID:2960
                                                • C:\Windows\SysWOW64\net.exe
                                                  "C:\Windows\System32\net.exe" stop sharedaccess
                                                  11⤵
                                                    PID:2020
                                                    • C:\Windows\SysWOW64\net1.exe
                                                      C:\Windows\system32\net1 stop sharedaccess
                                                      12⤵
                                                        PID:2156
                                                    • C:\Program Files\Internet Explorer\SPLOPE.exe
                                                      "C:\Program Files\Internet Explorer\SPLOPE.exe"
                                                      11⤵
                                                      • Executes dropped EXE
                                                      • Drops file in Program Files directory
                                                      PID:2808
                                                      • C:\Windows\SysWOW64\net.exe
                                                        "C:\Windows\System32\net.exe" stop sharedaccess
                                                        12⤵
                                                          PID:2060
                                                          • C:\Windows\SysWOW64\net1.exe
                                                            C:\Windows\system32\net1 stop sharedaccess
                                                            13⤵
                                                              PID:2616

                                    Network

                                    MITRE ATT&CK Enterprise v15

                                    Replay Monitor

                                    Loading Replay Monitor...

                                    Downloads

                                    • C:\Program Files\Internet Explorer\SPLOPE.dat
                                      Filesize

                                      426B

                                      MD5

                                      99cdac74312ddd8fcf0720e4461893c7

                                      SHA1

                                      6bb768c9fb2b261b422c7ca1b20aa48ed35b8e52

                                      SHA256

                                      5c7867163b33836c71c9957b0b6a70c7c3d9d9521288841a5ecbd9e649e592c6

                                      SHA512

                                      90093584433e4e1c64c34c9d143eaf1f852f78490cb7acca4df6a64a8acf507d5895cfd361ed0d596ef746f83b382fc7c8a0c3a716d753b043defc306af1c9ef

                                      Download Submit

                                    • \Program Files\Internet Explorer\SPLOPE.exe
                                      Filesize

                                      45KB

                                      MD5

                                      c5ad35303d1ffad33cc1e0149b9944df

                                      SHA1

                                      fc4a3308f089804f24adaa0852ab57ac8e2b13d4

                                      SHA256

                                      44310c7190866c75e9e1b11adf2e5024ea48c90230b6737e5aca7d6667600f57

                                      SHA512

                                      457a82a5f8d9f065cf819901bdcdeae90d5cec8ec6d191c9b4b717f7417b937c17d5c66ca62125a8284d857420182a66bf1b101ea454cd62aafd0eac6435bea3

                                      Download Submit

                                    • memory/940-36-0x0000000000400000-0x0000000000424000-memory.dmp

                                      Filesize

                                      144KB

                                      Download

                                    • memory/940-28-0x0000000000400000-0x0000000000424000-memory.dmp

                                      Filesize

                                      144KB

                                      Download

                                    • memory/1508-23-0x0000000000400000-0x0000000000424000-memory.dmp

                                      Filesize

                                      144KB

                                      Download

                                    • memory/1508-31-0x0000000000400000-0x0000000000424000-memory.dmp

                                      Filesize

                                      144KB

                                      Download

                                    • memory/1548-54-0x0000000000400000-0x0000000000424000-memory.dmp

                                      Filesize

                                      144KB

                                      Download

                                    • memory/1548-47-0x0000000000400000-0x0000000000424000-memory.dmp

                                      Filesize

                                      144KB

                                      Download

                                    • memory/1904-42-0x0000000000400000-0x0000000000424000-memory.dmp

                                      Filesize

                                      144KB

                                      Download

                                    • memory/1904-50-0x0000000000400000-0x0000000000424000-memory.dmp

                                      Filesize

                                      144KB

                                      Download

                                    • memory/2212-45-0x0000000000400000-0x0000000000424000-memory.dmp

                                      Filesize

                                      144KB

                                      Download

                                    • memory/2336-33-0x0000000000400000-0x0000000000424000-memory.dmp

                                      Filesize

                                      144KB

                                      Download

                                    • memory/2336-40-0x0000000000400000-0x0000000000424000-memory.dmp

                                      Filesize

                                      144KB

                                      Download

                                    • memory/2448-26-0x0000000000400000-0x0000000000424000-memory.dmp

                                      Filesize

                                      144KB

                                      Download

                                    • memory/2448-18-0x0000000000400000-0x0000000000424000-memory.dmp

                                      Filesize

                                      144KB

                                      Download

                                    • memory/2460-14-0x0000000000400000-0x0000000000424000-memory.dmp

                                      Filesize

                                      144KB

                                      Download

                                    • memory/2460-0-0x0000000000400000-0x0000000000424000-memory.dmp

                                      Filesize

                                      144KB

                                      Download

                                    • memory/2460-10-0x00000000021E0000-0x0000000002204000-memory.dmp

                                      Filesize

                                      144KB

                                      Download

                                    • memory/2752-11-0x0000000000400000-0x0000000000424000-memory.dmp

                                      Filesize

                                      144KB

                                      Download

                                    • memory/2752-21-0x0000000000400000-0x0000000000424000-memory.dmp

                                      Filesize

                                      144KB

                                      Download

                                    • memory/2808-56-0x0000000000400000-0x0000000000424000-memory.dmp

                                      Filesize

                                      144KB

                                      Download

                                    • memory/2808-60-0x0000000000400000-0x0000000000424000-memory.dmp

                                      Filesize

                                      144KB

                                      Download

                                    • memory/2960-59-0x0000000000400000-0x0000000000424000-memory.dmp

                                      Filesize

                                      144KB

                                      Download