Overview

overview

7

Static

static

7

d5d95b2012...be.exe

windows7-x64

7

d5d95b2012...be.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    149s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    19/03/2024, 10:09

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    d5d95b201227495c3dab01ee5e000bbe.exe

  • Size

    26KB

  • MD5

    d5d95b201227495c3dab01ee5e000bbe

  • SHA1

    5e0865463ca153a3b9918adc2f83216afb8ea49e

  • SHA256

    6a4d3df650f48473baa137ef73a5a3c2377ba429da3abea0c78986eb93492d9a

  • SHA512

    dffd3baf4216584c8604c0ff52099721ae8d1ef5b7034f0991e841e926a2a91e36577d4525c160a4be2620fc5b1874ec7391402cca74ec0a79c5f1fde8f01769

  • SSDEEP

    768:/MB9lkHJQtknQDhm2ek74QNC+LQXcbjRw0S5Z:/YwHJIErk74Qo+L720S5

Score
7/10
persistenceupx

Malware Config

Signatures

  • ACProtect 1.3x - 1.4x DLL software 1 IoCs

    Detects file using ACProtect software.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL 1 IoCs
  • UPX packed file 5 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Modifies WinLogon 2 TTPs 1 IoCs
    persistence
  • Drops file in System32 directory 3 IoCs
  • Drops file in Program Files directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d5d95b201227495c3dab01ee5e000bbe.exe
    "C:\Users\Admin\AppData\Local\Temp\d5d95b201227495c3dab01ee5e000bbe.exe"
    1⤵
    • Checks computer location settings
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:876
    • C:\Windows\SysWOW64\sfc.exe
      C:\Windows\system32\sfc.exe /REVERT
      2⤵
        PID:3788
      • C:\Windows\SysWOW64\rundll32.exe
        "C:\Windows\system32\rundll32.exe" C:\Windows\system32\golnoia.dll,init
        2⤵
        • Loads dropped DLL
        • Modifies WinLogon
        PID:2044
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 2044 -s 688
          3⤵
          • Program crash
          PID:3936
      • C:\Windows\SysWOW64\cmd.exe
        cmd.exe /c C:\Windows\system32\bitmap.bat
        2⤵
          PID:1420
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2044 -ip 2044
        1⤵
          PID:4776

        Network

              MITRE ATT&CK Enterprise v15

              Replay Monitor

              Loading Replay Monitor...

              Downloads

              • C:\Windows\SysWOW64\bitmap.bat
                Filesize

                193B

                MD5

                131d8fd1294a1a9afc14140f5d9fea46

                SHA1

                85d0cfa3d165ca5267dba35ce24db25196b85b82

                SHA256

                a7aaecfc75ce131a12df834efa8a4fd6cfcc9504c5877b0656fe4d531d63471e

                SHA512

                450ad669acc91733139faf10c60196fb2a270fbfc9b9bb3ef6eec65229e18a3e609d5080648964d337ab1ffad8ae70c9aba79d97550d10ffafa74c6d368194b2

                Download Submit

              • C:\Windows\SysWOW64\golnoia.dll
                Filesize

                14KB

                MD5

                157582aa8ec44b5c32c8d7fdaf053130

                SHA1

                4c308bfc65c8db5c71bac4ff1a16e3a41a18f8b5

                SHA256

                e333a82075edb15a1cffaff7557830e94a30620badf3ab2828fbfd7e7d21173c

                SHA512

                b4313e84ac49dc0c72d1508b4154e76ed7d57feb52a05ba8fc79d21d70afeefbbff0a991dbb8489653a9acdf4e7285162204973858f4632fa473a55f4092a4a1

                Download Submit

              • memory/876-0-0x0000000000400000-0x000000000040F000-memory.dmp

                Filesize

                60KB

                Download

              • memory/876-8-0x0000000000400000-0x000000000040F000-memory.dmp

                Filesize

                60KB

                Download

              • memory/2044-11-0x0000000010000000-0x000000001000F000-memory.dmp

                Filesize

                60KB

                Download

              • memory/2044-13-0x0000000010000000-0x000000001000F000-memory.dmp

                Filesize

                60KB

                Download