Overview

overview

8

Static

static

7

dece8e327e...5b.exe

windows7-x64

8

dece8e327e...5b.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    117s
  • max time network
    117s
  • platform
    windows7_x64
  • resource
    win7-20231129-en
  • resource tags

    arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
  • submitted
    26-03-2024 09:15

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    dece8e327ece0f240afdbcef1456345b.exe

  • Size

    16KB

  • MD5

    dece8e327ece0f240afdbcef1456345b

  • SHA1

    0e6c07f684c83120d150c1a72fb46a71b0f90e55

  • SHA256

    86c989534785cd8af2b858d14d551784abf32a1f91ad9b9fbf43da67f7329ca5

  • SHA512

    06fea16c324e13d22daeb3c270bb16d0dfe9392c5fd1d819e259f466530030c09e2fe31ac1087a012fd1b4b315d4dfbb34bd453ebd3594830308f17ec61c59e6

  • SSDEEP

    384:j7Ho1zZtx6RxPQNZ8uPClPMHGdRyfl+CN72mTH3Q4:cdtuHTYGdRyfQk71TXR

Score
8/10
upx

Malware Config

Signatures

  • Drops file in Drivers directory 2 IoCs
  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • UPX packed file 4 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Drops file in System32 directory 2 IoCs
  • Drops file in Windows directory 8 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 41 IoCs
  • Suspicious behavior: LoadsDriver 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 25 IoCs
  • Views/modifies file attributes 1 TTPs 1 IoCs
    evasion

Processes

  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    1⤵
      PID:592
    • C:\Users\Admin\AppData\Local\Temp\dece8e327ece0f240afdbcef1456345b.exe
      "C:\Users\Admin\AppData\Local\Temp\dece8e327ece0f240afdbcef1456345b.exe"
      1⤵
      • Drops file in Drivers directory
      • Loads dropped DLL
      • Drops file in System32 directory
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2340
      • C:\Windows\SysWOW64\NET.exe
        NET STOP Beep
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:2308
        • C:\Windows\SysWOW64\net1.exe
          C:\Windows\system32\net1 STOP Beep
          3⤵
            PID:1892
        • C:\Windows\SysWOW64\NET.exe
          NET START Beep
          2⤵
          • Suspicious use of WriteProcessMemory
          PID:2188
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 START Beep
            3⤵
              PID:2516
          • C:\Windows\SysWOW64\cmd.exe
            cmd /c C:\Windows\system32\me.bat
            2⤵
            • Deletes itself
            • Suspicious use of WriteProcessMemory
            PID:2584
            • C:\Windows\SysWOW64\attrib.exe
              attrib -h -s -r -a C:\Windows\system32\me.bat
              3⤵
              • Drops file in System32 directory
              • Views/modifies file attributes
              PID:2440
        • C:\Windows\MyLover\MyLoverMain.exe
          C:\Windows\MyLover\MyLoverMain.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2908

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Windows\MyLover\MyLoverMain.exe
          Filesize

          16KB

          MD5

          dece8e327ece0f240afdbcef1456345b

          SHA1

          0e6c07f684c83120d150c1a72fb46a71b0f90e55

          SHA256

          86c989534785cd8af2b858d14d551784abf32a1f91ad9b9fbf43da67f7329ca5

          SHA512

          06fea16c324e13d22daeb3c270bb16d0dfe9392c5fd1d819e259f466530030c09e2fe31ac1087a012fd1b4b315d4dfbb34bd453ebd3594830308f17ec61c59e6

          Download Submit

        • C:\Windows\SysWOW64\drivers\beep.sys
          Filesize

          4KB

          MD5

          3bbf4bbec9e7720a9a53c8911dfa3aab

          SHA1

          f50695daf4f0b366b12e9c065519295d03cf6d3f

          SHA256

          c0bed2920e25a28af51029d5deaafff82d0955f8bd8e7ea21d2bdbd3e177c7c0

          SHA512

          b9263452daa0247d8c9f75cdc1b837a56d526804d9c559e2790c78371307f9e3d0ec9a584d8463acd02d57ce75f523e3c2e4dab2a4d4e2ed0e0ddd22d335fb36

          Download Submit

        • C:\Windows\SysWOW64\me.bat
          Filesize

          137B

          MD5

          ebee714e79788761d1446290218912e7

          SHA1

          e5c52c83fa1e8607ebf5efecbec8ac092c3e21d5

          SHA256

          9e4daaf21241446c920bdfbba643a053bd4c8fbf22e7205ced113c4db908279e

          SHA512

          ebe56bb6e22ef76422f5e0ed9da33886da633eafe7b225eb35a754b5448ed558a5ccafa4194b9559eb9028b1158dff5551921e5b892ba9c11a8ee5ccc49aa526

          Download Submit

        • \Windows\MyLover\MyLoverDll.dat
          Filesize

          11KB

          MD5

          f502f7533e37157b70d6871ef93bc65d

          SHA1

          a2b7b7cefa310c41018371147ba64c2deb53e0c3

          SHA256

          55c96bbe5490b47a82b7dda9dd751c137fec4aa39dbd5ec01c29c5ca1685019c

          SHA512

          272872e7022cfba8448a0cbaef5473db3d949c2eeff0521c870045190f12f8641b37bae26170916eb117887f15f4c169fc0e1c7443e1a58db6203fb44a3bc24a

          Download Submit

        • memory/592-27-0x00000000002D0000-0x00000000002D1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/2340-4-0x0000000000160000-0x000000000016B000-memory.dmp

          Filesize

          44KB

          Download

        • memory/2340-12-0x0000000000160000-0x000000000016B000-memory.dmp

          Filesize

          44KB

          Download

        • memory/2908-20-0x0000000000160000-0x000000000016B000-memory.dmp

          Filesize

          44KB

          Download