Analysis

  • max time kernel
    150s
  • max time network
    155s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    14-03-2024 14:29

General

  • Target

    c8d8fdac27cc949b61068557b9865fb9.exe

  • Size

    16KB

  • MD5

    c8d8fdac27cc949b61068557b9865fb9

  • SHA1

    78ce330d6094faebe73421969697c0e0451eaa34

  • SHA256

    acf7e43409f664459d434b0c26aa43b32d3cd8ccb7f9cf1f94791d6d8cff4772

  • SHA512

    e73aaf0effda47e4899c61a7a406f5a5c0b32fc674aa4104f22e7c518059afa561d9ee4b60a54b908aaba0b891e509aa9c32d78aa769b4c18dbfd8ba5325ab43

  • SSDEEP

    384:ETg5JntEt/+HTyc5HP/+ITO+M7RRG+2sFM03LKrgdvH:SujE/+HTZ5He+9MtRGgJH

Score
7/10
upx

Malware Config

Signatures

  • ACProtect 1.3x - 1.4x DLL software 1 IoCs

    Detects file using ACProtect software.

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • UPX packed file 7 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops file in System32 directory 2 IoCs
  • Drops file in Windows directory 8 IoCs
  • Suspicious behavior: EnumeratesProcesses 40 IoCs
  • Suspicious behavior: LoadsDriver 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs
  • Views/modifies file attributes 1 TTPs 1 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:3376
      • C:\Users\Admin\AppData\Local\Temp\c8d8fdac27cc949b61068557b9865fb9.exe
        "C:\Users\Admin\AppData\Local\Temp\c8d8fdac27cc949b61068557b9865fb9.exe"
        2⤵
        • Drops file in System32 directory
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1388
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c C:\Windows\system32\me.bat
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:2280
          • C:\Windows\SysWOW64\attrib.exe
            attrib -h -s -r -a C:\Windows\system32\me.bat
            4⤵
            • Drops file in System32 directory
            • Views/modifies file attributes
            PID:1172
    • C:\Windows\MyLover\MyLoverMain.exe
      C:\Windows\MyLover\MyLoverMain.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1556
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=2808 --field-trial-handle=2292,i,2103142837140538807,15881446839139365070,262144 --variations-seed-version /prefetch:8
      1⤵
        PID:1888

Network

MITRE ATT&CK Enterprise v15

Downloads

      • C:\Windows\MyLover\MyLoverDll.dat

        Filesize

        7KB

        MD5

        0f7132e41de4555759bd5b1d9161518b

        SHA1

        0e7310b8bd02fe1fad452b588d045d2ce45564b9

        SHA256

        329ffb43994029bf1c26d571ad7628101b1bb89a1fd955449392aa2f0d9d0f0b

        SHA512

        e627805c3ae6a69d6dc39fc1e95b082caa8a81ea9b60212b735b1f3b4375bb98808654f849af6a3ccbf6a06e75ab3bdd92d7a237f52cdd381e9ad8ab56d11c2b

      • C:\Windows\MyLover\MyLoverMain.exe

        Filesize

        16KB

        MD5

        c8d8fdac27cc949b61068557b9865fb9

        SHA1

        78ce330d6094faebe73421969697c0e0451eaa34

        SHA256

        acf7e43409f664459d434b0c26aa43b32d3cd8ccb7f9cf1f94791d6d8cff4772

        SHA512

        e73aaf0effda47e4899c61a7a406f5a5c0b32fc674aa4104f22e7c518059afa561d9ee4b60a54b908aaba0b891e509aa9c32d78aa769b4c18dbfd8ba5325ab43

      • C:\Windows\MyLover\MyLoverSYS.dat

        Filesize

        4KB

        MD5

        feb71e4db21503b3587426882494167c

        SHA1

        14385c2301ee96e9110d6cdf6c5f4567460f7cba

        SHA256

        76537e7ae97b382304b5ed5e0eb9b276913d58417dbc78b8c3b8ec34c9e4b221

        SHA512

        6a067a615bc910854f92ec2051050aa255fa523943d73a41a3e41fd1abc0fc2ef04ec90832efbdce5aabdcfa06e01ed524a7a91754f983d1ff68febeba5c6c30

      • C:\Windows\SysWOW64\me.bat

        Filesize

        160B

        MD5

        4c36c8458c64f1553abff5d866a46464

        SHA1

        5ad5a6e12ce12d1e33504d89f4212dcbf33f51c7

        SHA256

        ebe484ca64d0f59068d1140e6fc226778e4422b274fec7839ffde37f4cf88fec

        SHA512

        a8d303f277af5c3ea55795886db33d8f793d278cabda629893d25b8c7b132d6ecd00854e46c4c94c347780ecccd123ec8539b2ddfd09f6eec69e2bdf436d08c8

      • memory/1388-0-0x0000000000160000-0x000000000016A000-memory.dmp

        Filesize

        40KB

      • memory/1388-7-0x0000000000160000-0x000000000016A000-memory.dmp

        Filesize

        40KB

      • memory/1556-19-0x0000000010000000-0x0000000010008000-memory.dmp

        Filesize

        32KB

      • memory/1556-24-0x0000000000160000-0x000000000016A000-memory.dmp

        Filesize

        40KB

      • memory/1556-25-0x0000000010000000-0x0000000010008000-memory.dmp

        Filesize

        32KB