Overview

overview

10

Static

static

10

9f5c5d4097...fa.exe

windows7-x64

9

9f5c5d4097...fa.exe

windows10-2004-x64

9

Analysis

  • max time kernel
    149s
  • max time network
    155s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    23-05-2024 01:07

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    9f5c5d4097f49d5c861c5fcd99e48470819145eec064932f1d2f16448dedcdfa.exe

  • Size

    222KB

  • MD5

    9e1ec0ca9b461128a5c0f043edc9c003

  • SHA1

    0795139ad49e433c8e326a1741328505301759e9

  • SHA256

    9f5c5d4097f49d5c861c5fcd99e48470819145eec064932f1d2f16448dedcdfa

  • SHA512

    d7dac235f3d8defc96480463f0d2d2566067d81ca27e92089c583ccf96cc36caeb55d5d0630dc423ed6770cb6847ec6635692b3426e9417a96e1197a316dca42

  • SSDEEP

    6144:C9npsuf052Nxy/f6E8MAUlKCEcg33wH9DnEPAFeEx:C9nSu0bWcdxn

Score
9/10
upx

Malware Config

Signatures

  • UPX dump on OEP (original entry point) 7 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 3 IoCs
  • UPX packed file 8 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 28 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\9f5c5d4097f49d5c861c5fcd99e48470819145eec064932f1d2f16448dedcdfa.exe
    "C:\Users\Admin\AppData\Local\Temp\9f5c5d4097f49d5c861c5fcd99e48470819145eec064932f1d2f16448dedcdfa.exe"
    1⤵
    • Loads dropped DLL
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:2256
    • C:\Users\Admin\AppData\Roaming\Microsoft\bin\dwm32.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\bin\dwm32.exe" /START "C:\Users\Admin\AppData\Roaming\Microsoft\bin\dwm32.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2732
      • C:\Users\Admin\AppData\Roaming\Microsoft\bin\dwm32.exe
        "C:\Users\Admin\AppData\Roaming\Microsoft\bin\dwm32.exe"
        3⤵
        • Executes dropped EXE
        PID:2628

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • \Users\Admin\AppData\Roaming\Microsoft\bin\dwm32.exe
    Filesize

    222KB

    MD5

    2632109bc42d1c5a7d5acfa805f8cca6

    SHA1

    885761d1890e907066bee2c8750b1e38ce1aac27

    SHA256

    2945bd473ca1347157be3a648a672a6a0b1be43626a562ba416aef7d8d4f3b82

    SHA512

    3ec4678c9ac4dca2c659873e38832e1a167e106464975803059b8a46ac4e98ad4bc72c20566f516e6c3d4bc469ff26577335912c5c27439ad4f66d2ff4d9a00e

    Download Submit

  • memory/2256-0-0x0000000000400000-0x0000000000439000-memory.dmp

    Filesize

    228KB

    Download

  • memory/2256-34-0x00000000037C0000-0x00000000037F9000-memory.dmp

    Filesize

    228KB

    Download

  • memory/2256-28-0x00000000037C0000-0x00000000037F9000-memory.dmp

    Filesize

    228KB

    Download

  • memory/2256-27-0x00000000037C0000-0x00000000037D0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2256-36-0x0000000000400000-0x0000000000439000-memory.dmp

    Filesize

    228KB

    Download

  • memory/2628-38-0x0000000000400000-0x0000000000439000-memory.dmp

    Filesize

    228KB

    Download

  • memory/2628-39-0x0000000000400000-0x0000000000439000-memory.dmp

    Filesize

    228KB

    Download

  • memory/2732-45-0x0000000000400000-0x0000000000439000-memory.dmp

    Filesize

    228KB

    Download