Overview

overview

8

Static

static

7

df98bf0787...3d.exe

windows7-x64

8

df98bf0787...3d.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    142s
  • max time network
    137s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    26/03/2024, 16:26

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    df98bf0787c847eda952aa050c47ec3d.exe

  • Size

    33KB

  • MD5

    df98bf0787c847eda952aa050c47ec3d

  • SHA1

    671f6e5d1cfe96f35ae7f4139a26127e8f581654

  • SHA256

    2c00460fb294b93f4d4675d47b3d6a9064fda1b23a2493181f7f9ae82c7fee80

  • SHA512

    ce1535845114a6373fb759105bf0a1cb0f79f111ba76f06dc24ceece5dc115e0d803d59b81966a1866650f8c5eff26d783336871231118dc087bb2e0c739d2ff

  • SSDEEP

    768:7kvk6dsQ08wOEFPRxOYU9AER1o4YNAq9fZY13sX52ynhBx9MW:7OWrrU7A4YNvG18XlL93

Score
8/10
evasionupx

Malware Config

Signatures

  • Stops running service(s) 3 TTPs
    evasion
  • Deletes itself 1 IoCs
  • Loads dropped DLL 1 IoCs
  • UPX packed file 2 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Drops file in System32 directory 11 IoCs
  • Launches sc.exe 2 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\df98bf0787c847eda952aa050c47ec3d.exe
    "C:\Users\Admin\AppData\Local\Temp\df98bf0787c847eda952aa050c47ec3d.exe"
    1⤵
    • Drops file in System32 directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1432
    • C:\Windows\SysWOW64\net.exe
      net stop cryptsvc
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2972
      • C:\Windows\SysWOW64\net1.exe
        C:\Windows\system32\net1 stop cryptsvc
        3⤵
          PID:2456
      • C:\Windows\SysWOW64\sc.exe
        sc config cryptsvc start= disabled
        2⤵
        • Launches sc.exe
        PID:3968
      • C:\Windows\SysWOW64\sc.exe
        sc delete cryptsvc
        2⤵
        • Launches sc.exe
        PID:4540
      • C:\Windows\SysWOW64\rundll32.exe
        C:\Users\Admin\AppData\Local\Temp\1711470387.dat, ServerMain c:\users\admin\appdata\local\temp\df98bf0787c847eda952aa050c47ec3d.exe
        2⤵
        • Deletes itself
        • Loads dropped DLL
        PID:4088

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\1711470387.dat
      Filesize

      32KB

      MD5

      740b2961d5bd98d0ef28544eb0d62781

      SHA1

      94209f84f84d645c4dc73ba02b3bbb0b9c22ee91

      SHA256

      9f2413bfe9661dd59fb1574c9dcf9868abc5b432ff56c862b3f47f5cd41eb9ee

      SHA512

      fcd57e183903f99e0134182b4bad3a94256141869a7501cd63f702f9d1f85971818ca26ff71a584e4c432b4731c9630171664db82be62403a1ba9aa8d6e88e77

      Download Submit

    • memory/1432-0-0x0000000000400000-0x0000000000415000-memory.dmp

      Filesize

      84KB

      Download

    • memory/1432-12-0x0000000000400000-0x0000000000415000-memory.dmp

      Filesize

      84KB

      Download