Analysis

  • max time kernel
    142s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    16-03-2024 14:45

General

  • Target

    ce50c98a22c5bad5e0e92f23ab016967.exe

  • Size

    782KB

  • MD5

    ce50c98a22c5bad5e0e92f23ab016967

  • SHA1

    5ec869520c04a4849c09abc96ccc71a584cad4a7

  • SHA256

    417ec4ca38a56f66564399c5067336b48a9bb808a723c7dadc02b0632195b3a7

  • SHA512

    25641990de79254226cf872de83a11c55971101d95782f607e686cc4edaf8ef410ab7df1a0f17b8e90caf85d5ca1742e5cf83e8553159ce911d864685d6b1630

  • SSDEEP

    12288:dcQAwMhqkdhJn1mmv+e3HeVk6gCDBsn//FezmlGTlIMUiR5d0YCtTbrVoSq058an:63fHfJ1Pv+omkFnwz/eT+DNFHZDcn3

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 15 IoCs
  • UPX packed file 2 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Program crash 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs
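
The "UPX packed file" signature above keys on evidence that is cheap to reproduce offline. The following is an added example, not part of the sandbox report and not the sandbox's own signature logic: it parses the PE section table by hand and reports the two hints that stock and modified UPX builds leave behind. The PE images it checks are minimal headers constructed inside the script, not the report's files.

```python
# Added example, not part of the sandbox report: a stand-alone check for the
# evidence the "UPX packed file" signature keys on, read straight from the
# PE section table. The sample PE images below are constructed here, not the
# report's files.
import struct

UPX_SECTION_NAMES = {"UPX0", "UPX1", "UPX2", "UPX!"}


def pe_sections(data):
    """Parse the section table of a PE image.

    Returns a list of (name, virtual_size, size_of_raw_data) tuples, or raises
    ValueError when the bytes do not look like a PE file.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    # IMAGE_FILE_HEADER: Machine(2) NumberOfSections(2) TimeDateStamp(4)
    # PointerToSymbolTable(4) NumberOfSymbols(4) SizeOfOptionalHeader(2) Characteristics(2)
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    table = coff + 20 + opt_size
    sections = []
    for i in range(num_sections):
        off = table + i * 40  # IMAGE_SECTION_HEADER is 40 bytes
        if off + 40 > len(data):
            raise ValueError("truncated section table")
        name, vsize, _va, raw_size = struct.unpack_from("<8sIII", data, off)
        sections.append((name.rstrip(b"\0").decode("latin-1"), vsize, raw_size))
    return sections


def upx_indicators(data):
    """Two independent hints of UPX packing, so a renamed section still trips the check."""
    sections = pe_sections(data)
    names = [s[0] for s in sections]
    first = sections[0] if sections else None
    return {
        # Stock UPX names its sections UPX0/UPX1 (UPX2 when resources are kept).
        "upx_section_names": [n for n in names if n in UPX_SECTION_NAMES],
        # UPX0 is the unpacking target: a large virtual size backed by no raw data.
        # Modified UPX builds rename the sections but keep this layout.
        "empty_first_section": bool(first and first[2] == 0 and first[1] >= 0x1000),
    }


def looks_upx_packed(data):
    ind = upx_indicators(data)
    return bool(ind["upx_section_names"]) or ind["empty_first_section"]


def build_sample_pe(sections):
    """Construct a minimal PE header (no optional header, no code) with the given
    (name, virtual_size, size_of_raw_data) sections. Test fixture only."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0, 0)
    image = dos + b"PE\0\0" + coff
    for name, vsize, raw_size in sections:
        image += struct.pack("<8sIIIIIIHHI", name, vsize, 0x1000, raw_size, 0, 0, 0, 0, 0, 0)
    return image


# Constructed fixtures: a stock-UPX layout, a renamed-section variant, and a plain build.
UPX_SAMPLE = build_sample_pe([(b"UPX0", 0x20000, 0), (b"UPX1", 0xC000, 0xBC00), (b".rsrc", 0x1000, 0x800)])
RENAMED_SAMPLE = build_sample_pe([(b".text", 0x20000, 0), (b".data", 0xC000, 0xBC00)])
PLAIN_SAMPLE = build_sample_pe([(b".text", 0x5000, 0x5000), (b".data", 0x1000, 0x400), (b".rsrc", 0x800, 0x800)])

if __name__ == "__main__":
    for label, sample in (("upx", UPX_SAMPLE), ("renamed", RENAMED_SAMPLE), ("plain", PLAIN_SAMPLE)):
        print(label, looks_upx_packed(sample), upx_indicators(sample))
```

Section names alone are the weaker test: a "modified UPX" build only has to rename UPX0/UPX1 to evade them, which is why the script also looks for the empty first section that the unpacking stub needs. Neither hint proves the payload is malicious; a packed binary is a reason to unpack and look, not a verdict.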

Processes

  • C:\Users\Admin\AppData\Local\Temp\ce50c98a22c5bad5e0e92f23ab016967.exe
    "C:\Users\Admin\AppData\Local\Temp\ce50c98a22c5bad5e0e92f23ab016967.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:1336
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\XPLOIT~1.EXE
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\XPLOIT~1.EXE
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of SetWindowsHookEx
      PID:1212
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\crack.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\crack.exe
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2592
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 2592 -s 324
        3⤵
        • Loads dropped DLL
        • Program crash
        PID:2488

Network

MITRE ATT&CK Enterprise v15

Downloads

  • \Users\Admin\AppData\Local\Temp\IXP000.TMP\XPLOIT~1.EXE

    Filesize

    556KB

    MD5

    11be018263858c59bfec03a9fc1bb826

    SHA1

    4f3b82b37da3ec714fdc564d8cf0f887dc138da7

    SHA256

    17530fd226aafaa13ec34609cf5387932c67120a6e36c7a8d036e3ca4a0e5c25

    SHA512

    c75391a246e052076a8d45c86530e628e9ffd9e9d405ed7e6b4ce57c4a9b4dc336d03fdc8800cb62cc0ea09ec83027617f0af7059da352d84b39bc0bdb487cb2

  • \Users\Admin\AppData\Local\Temp\IXP000.TMP\crack.exe

    Filesize

    324KB

    MD5

    adbcb556aabf27758191f3be3f466c36

    SHA1

    74020b415c530cfe3936f7a93304fcf0e95e2d6d

    SHA256

    6b3b92061e7424d098067feaf3faa976d9ae4212cb32e726fc7b166eb1427335

    SHA512

    34d0b7eafa22666d18f224bddc42c21288d2c6fd93c58be88637410318b60980cd08d2a839e2f6cf313541c6263da2787cbe8627ce5980d78c3f3e0cdd9cb5de

  • memory/1336-0-0x0000000001000000-0x0000000001103000-memory.dmp

    Filesize

    1.0MB

  • memory/1336-1-0x0000000000850000-0x0000000000953000-memory.dmp

    Filesize

    1.0MB

  • memory/1336-2-0x0000000000850000-0x0000000000953000-memory.dmp

    Filesize

    1.0MB

  • memory/1336-40-0x0000000001000000-0x0000000001103000-memory.dmp

    Filesize

    1.0MB
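
The hashes above are the indicators an analyst would sweep a host for. The script below is an added example, not part of the sandbox report: it carries the report's MD5, SHA1 and SHA256 values for the submitted sample and the two files dropped into IXP000.TMP, hashes a file in chunks and reports which indicator it matches. The "constructed-sample.bin" entry, which holds the well-known digests of the bytes b"abc", is constructed here so the script has something to match when run offline.

```python
# Added example, not part of the sandbox report: match a file on disk against
# the hashes the report lists for the submitted sample and the two files it
# dropped into IXP000.TMP. The "constructed-sample.bin" entry and its bytes are
# constructed here for the runnable demonstration.
import hashlib

ALGOS = ("md5", "sha1", "sha256")

# Indicators copied from the General and Downloads sections above.
REPORT_IOCS = {
    "ce50c98a22c5bad5e0e92f23ab016967.exe": {
        "md5": "ce50c98a22c5bad5e0e92f23ab016967",
        "sha1": "5ec869520c04a4849c09abc96ccc71a584cad4a7",
        "sha256": "417ec4ca38a56f66564399c5067336b48a9bb808a723c7dadc02b0632195b3a7",
    },
    "IXP000.TMP\\XPLOIT~1.EXE": {
        "md5": "11be018263858c59bfec03a9fc1bb826",
        "sha1": "4f3b82b37da3ec714fdc564d8cf0f887dc138da7",
        "sha256": "17530fd226aafaa13ec34609cf5387932c67120a6e36c7a8d036e3ca4a0e5c25",
    },
    "IXP000.TMP\\crack.exe": {
        "md5": "adbcb556aabf27758191f3be3f466c36",
        "sha1": "74020b415c530cfe3936f7a93304fcf0e95e2d6d",
        "sha256": "6b3b92061e7424d098067feaf3faa976d9ae4212cb32e726fc7b166eb1427335",
    },
    # Constructed entry: the well-known digests of the three bytes b"abc".
    "constructed-sample.bin": {
        "md5": "900150983cd24fb0d6963f7d28e17f72",
        "sha1": "a9993e364706816aba3e25717850c26c9cd0d89d",
        "sha256": "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad",
    },
}


def digest_bytes(data):
    return {a: hashlib.new(a, data).hexdigest() for a in ALGOS}


def digest_path(path, chunk=1 << 20):
    """Hash a file in chunks so large droppers do not have to fit in memory."""
    hashers = {a: hashlib.new(a) for a in ALGOS}
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            for h in hashers.values():
                h.update(block)
    return {a: h.hexdigest() for a, h in hashers.items()}


def match_iocs(digests, iocs=REPORT_IOCS):
    """Return [(ioc_name, matched_algos, status)] for every indicator that shares
    at least one digest with the file. status is "full" when every algorithm the
    indicator lists agrees, else "partial": a partial match means either the IOC
    record was transcribed wrongly or you are looking at a collision, and it is
    worth a second look rather than an automatic verdict."""
    hits = []
    for name, ref in iocs.items():
        listed = [a for a in ALGOS if a in ref]
        matched = [a for a in listed if ref[a].lower() == digests[a]]
        if matched:
            status = "full" if len(matched) == len(listed) else "partial"
            hits.append((name, matched, status))
    return hits


if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        print(path, match_iocs(digest_path(path)) or "no match")
```

Run it as `python match_iocs.py <file> ...` on the files you want to check. An exact hash match only catches this build; the SSDEEP values in the report are what to use for near-duplicate matching, and they need a fuzzy-hash library that is not in the standard library, so they are left out here. The IXP000.TMP path in the process tree is the working directory an IExpress self-extracting package unpacks into under %TEMP%, which is consistent with the parent extracting and launching the two children before they ran on their own.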