Overview

overview

8

Static

static

3

cc108bb4de...2d.exe

windows7-x64

8

cc108bb4de...2d.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    148s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    15/03/2024, 18:03

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    cc108bb4dea00977c9bdcf20a646592d.exe

  • Size

    21KB

  • MD5

    cc108bb4dea00977c9bdcf20a646592d

  • SHA1

    3b140491ba7cc1030effaa0bda7adcb5c363f2e1

  • SHA256

    10a36f7be234de1641ee50e83f942c19441aec2ead10dc45e78540be08db07c9

  • SHA512

    2aacacc95ee238fc4bf0213f2838ddcb74ee36d811c6386b3aef95d12b747160d4daf676c21c64bd0433eee6a792ff58838318b2974aa32f7451b02e3867bb89

  • SSDEEP

    384:IHGcKp+ca2b2wANTzKwCAK276EZ2KzFG3//O+3NQw/m/2JD:b9wca2Gz4A+MzzFYv3N/

Score
8/10
evasionpersistenceupx

Malware Config

Signatures

  • Modifies Windows Firewall 2 TTPs 1 IoCs
    evasion
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 12 IoCs
  • UPX packed file 3 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Drops file in System32 directory 2 IoCs
  • Suspicious use of SetThreadContext 4 IoCs
  • Drops file in Windows directory 2 IoCs
  • Program crash 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 22 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\cc108bb4dea00977c9bdcf20a646592d.exe
    "C:\Users\Admin\AppData\Local\Temp\cc108bb4dea00977c9bdcf20a646592d.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • Drops file in System32 directory
    • Suspicious use of SetThreadContext
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4316
    • C:\Windows\SysWOW64\netsh.exe
      netsh firewall set allowedprogram "C:\Windows\system32\sysvx.exe" enable
      2⤵
      • Modifies Windows Firewall
      • Loads dropped DLL
      PID:2032
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 2032 -s 1004
        3⤵
        • Loads dropped DLL
        • Program crash
        PID:3152
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 3152 -s 544
          4⤵
          • Loads dropped DLL
          • Program crash
          PID:4472
    • C:\Windows\SysWOW64\svchost.exe
      svchost.exe
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2988
      • C:\Windows\SysWOW64\sysvx.exe
        C:\Windows\system32\sysvx.exe 27970
        3⤵
        • Executes dropped EXE
        PID:1400
    • C:\Windows\SysWOW64\svchost.exe
      svchost.exe
      2⤵
      • Loads dropped DLL
      PID:4360
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 4360 -s 512
        3⤵
        • Loads dropped DLL
        • Program crash
        PID:3060
    • C:\Windows\SysWOW64\svchost.exe
      svchost.exe
      2⤵
      • Loads dropped DLL
      PID:3916
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 3916 -s 512
        3⤵
        • Loads dropped DLL
        • Program crash
        PID:3464
    • C:\Windows\SysWOW64\svchost.exe
      svchost.exe
      2⤵
      • Loads dropped DLL
      PID:228
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 228 -s 512
        3⤵
        • Loads dropped DLL
        • Program crash
        PID:4272
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 2032 -ip 2032
    1⤵
      PID:4128
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 3152 -ip 3152
      1⤵
        PID:804
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 4472 -ip 4472
        1⤵
          PID:1588
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 4360 -ip 4360
          1⤵
            PID:2456
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 3060 -ip 3060
            1⤵
              PID:3276
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 3916 -ip 3916
              1⤵
                PID:804
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 3464 -ip 3464
                1⤵
                  PID:4728
                • C:\Windows\SysWOW64\WerFault.exe
                  C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 228 -ip 228
                  1⤵
                    PID:2772
                  • C:\Windows\SysWOW64\WerFault.exe
                    C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 4272 -ip 4272
                    1⤵
                      PID:3764
                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4312 --field-trial-handle=2692,i,8678872182442199182,12502579059484928042,262144 --variations-seed-version /prefetch:8
                      1⤵
                        PID:3204

                      Network

                      MITRE ATT&CK Enterprise v15

                      Replay Monitor

                      Loading Replay Monitor...

                      Downloads

                      • C:\Windows\SysWOW64\comdlg64.dll
                        Filesize

                        4KB

                        MD5

                        ed69d97b86c3b5e260034b60d656d26b

                        SHA1

                        eb4f1739e60366745bf96d482bd06f77a9659422

                        SHA256

                        57ab44c33e5fc31f11705c54d288821a1615834fccd692b211725002eaea8c50

                        SHA512

                        b3d25357c5bcd4ae14faed29915f175030248ce718012c768a82a4ae9c386998d02995c180f400b061122c21866ef8317c9117efaf965b7d29cd451cc644c153

                        Download Submit

                      • C:\Windows\SysWOW64\sysvx.exe
                        Filesize

                        5KB

                        MD5

                        8c878da4d37289592c176af50b7e065c

                        SHA1

                        2003dc1fbda380b2ebe2a4eba4481453ccb19bc7

                        SHA256

                        ae676053950e4233eb6b6483542d34f45e51f3cbc917cd705b702af83467e34d

                        SHA512

                        8bf4ca7e3f45e4cf7a31b27196d15d8beda29b897f960e351133884a50f75ab182f1f61840b358ccef1caa178b1e0b6d49c1411eac2bc214f96607de3dfc5264

                        Download Submit

                      • memory/228-37-0x0000000000AD0000-0x0000000000AD1000-memory.dmp

                        Filesize

                        4KB

                        Download

                      • memory/1400-38-0x0000000000400000-0x000000000040B000-memory.dmp

                        Filesize

                        44KB

                        Download

                      • memory/1400-23-0x0000000000400000-0x000000000040B000-memory.dmp

                        Filesize

                        44KB

                        Download

                      • memory/2032-14-0x0000000000400000-0x0000000000406000-memory.dmp

                        Filesize

                        24KB

                        Download

                      • memory/2988-17-0x0000000000AF0000-0x0000000000AF1000-memory.dmp

                        Filesize

                        4KB

                        Download

                      • memory/3916-36-0x0000000000D00000-0x0000000000D06000-memory.dmp

                        Filesize

                        24KB

                        Download

                      • memory/3916-31-0x0000000000130000-0x0000000000131000-memory.dmp

                        Filesize

                        4KB

                        Download

                      • memory/3916-34-0x0000000000D00000-0x0000000000D06000-memory.dmp

                        Filesize

                        24KB

                        Download

                      • memory/4316-45-0x0000000000400000-0x0000000000407000-memory.dmp

                        Filesize

                        28KB

                        Download

                      • memory/4316-48-0x0000000000400000-0x0000000000407000-memory.dmp

                        Filesize

                        28KB

                        Download

                      • memory/4316-72-0x0000000000400000-0x0000000000407000-memory.dmp

                        Filesize

                        28KB

                        Download

                      • memory/4316-11-0x0000000000A90000-0x0000000000A96000-memory.dmp

                        Filesize

                        24KB

                        Download

                      • memory/4316-0-0x0000000000400000-0x0000000000407000-memory.dmp

                        Filesize

                        28KB

                        Download

                      • memory/4316-10-0x0000000000400000-0x0000000000407000-memory.dmp

                        Filesize

                        28KB

                        Download

                      • memory/4316-6-0x0000000000A90000-0x0000000000A96000-memory.dmp

                        Filesize

                        24KB

                        Download

                      • memory/4316-42-0x0000000000400000-0x0000000000407000-memory.dmp

                        Filesize

                        28KB

                        Download

                      • memory/4316-16-0x0000000000A90000-0x0000000000A96000-memory.dmp

                        Filesize

                        24KB

                        Download

                      • memory/4316-26-0x0000000000400000-0x0000000000407000-memory.dmp

                        Filesize

                        28KB

                        Download

                      • memory/4316-51-0x0000000000400000-0x0000000000407000-memory.dmp

                        Filesize

                        28KB

                        Download

                      • memory/4316-54-0x0000000000400000-0x0000000000407000-memory.dmp

                        Filesize

                        28KB

                        Download

                      • memory/4316-57-0x0000000000400000-0x0000000000407000-memory.dmp

                        Filesize

                        28KB

                        Download

                      • memory/4316-60-0x0000000000400000-0x0000000000407000-memory.dmp

                        Filesize

                        28KB

                        Download

                      • memory/4316-63-0x0000000000400000-0x0000000000407000-memory.dmp

                        Filesize

                        28KB

                        Download

                      • memory/4316-66-0x0000000000400000-0x0000000000407000-memory.dmp

                        Filesize

                        28KB

                        Download

                      • memory/4316-69-0x0000000000400000-0x0000000000407000-memory.dmp

                        Filesize

                        28KB

                        Download

                      • memory/4360-25-0x0000000000C60000-0x0000000000C61000-memory.dmp

                        Filesize

                        4KB

                        Download