Overview

overview

8

Static

static

3

3955af54fb...08.exe

windows7-x64

8

3955af54fb...08.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    23-05-2024 06:04

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    3955af54fbac1e43c945f447d92e4108.exe

  • Size

    223KB

  • MD5

    3955af54fbac1e43c945f447d92e4108

  • SHA1

    53c5552c3649619e4e8c6a907b94573f47130fa4

  • SHA256

    e6de332ad778f7a7cf160efa60656c3ac960dc77806905493d5cffe58ee1de16

  • SHA512

    fa028a040a5f075296aebab7f63a59b6cbba32ee0964dfc08768396cc012ff5d861191e2478914d79d4a424c3bba110505a58b97376c44c716f0b1ea70551037

  • SSDEEP

    3072:tneBqhy5aVLOwqI8sgwoEHXfwaNUM+/ORSs5G2Ms4f6TFZbhgvbUxzJ8Y:tETlsgOfDt+/V6JQO98

Score
8/10
discoveryexecutionexploitpersistenceupx

Malware Config

Signatures

  • Creates new service(s) 2 TTPs
    persistenceexecution
  • Possible privilege escalation attempt 2 IoCs
    exploit
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Modifies file permissions 1 TTPs 2 IoCs
    discovery
  • UPX packed file 8 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Drops file in System32 directory 7 IoCs
  • Suspicious use of SetThreadContext 8 IoCs
  • Drops file in Program Files directory 14 IoCs
  • Launches sc.exe 1 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies data under HKEY_USERS 64 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 27 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\3955af54fbac1e43c945f447d92e4108.exe
    "C:\Users\Admin\AppData\Local\Temp\3955af54fbac1e43c945f447d92e4108.exe"
    1⤵
    • Checks computer location settings
    • Drops file in Program Files directory
    • Suspicious use of WriteProcessMemory
    PID:4544
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" cmd /c takeown /f "C:\Program Files\Windows Media Player\wmpnetwk.exe" && icacls "C:\Program Files\Windows Media Player\wmpnetwk.exe" /grant administrators:F
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4868
      • C:\Windows\system32\takeown.exe
        takeown /f "C:\Program Files\Windows Media Player\wmpnetwk.exe"
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        • Suspicious use of AdjustPrivilegeToken
        PID:1040
      • C:\Windows\system32\icacls.exe
        icacls "C:\Program Files\Windows Media Player\wmpnetwk.exe" /grant administrators:F
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        PID:4680
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" cmd /c sc create "Accecss Auto Connetcion Manager" binPath= "C:\Program Files\Windows Media Player\wmixedwk.exe" START= auto DISPLAYNAME= "WebServer" TYPE= own
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:224
      • C:\Windows\system32\sc.exe
        sc create "Accecss Auto Connetcion Manager" binPath= "C:\Program Files\Windows Media Player\wmixedwk.exe" START= auto DISPLAYNAME= "WebServer" TYPE= own
        3⤵
        • Launches sc.exe
        PID:3892
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\kkxqbh.bat" "
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4428
      • C:\Windows\system32\PING.EXE
        ping 127.0.0.1 -n 3
        3⤵
        • Runs ping.exe
        PID:2672
  • C:\Windows\system32\SearchIndexer.exe
    C:\Windows\system32\SearchIndexer.exe /Embedding
    1⤵
    • Modifies data under HKEY_USERS
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1124
    • C:\Windows\system32\SearchProtocolHost.exe
      "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
      2⤵
      • Modifies data under HKEY_USERS
      PID:2924
    • C:\Windows\system32\SearchFilterHost.exe
      "C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 784
      2⤵
      • Modifies data under HKEY_USERS
      PID:4292
  • C:\Program Files\Windows Media Player\wmpnetwk.exe
    "C:\Program Files\Windows Media Player\wmpnetwk.exe"
    1⤵
    • Executes dropped EXE
    • Loads dropped DLL
    PID:2548
  • C:\Program Files\Windows Media Player\wmixedwk.exe
    "C:\Program Files\Windows Media Player\wmixedwk.exe"
    1⤵
    • Executes dropped EXE
    • Loads dropped DLL
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:1972
    • C:\Windows\system32\svchost.exe
      C:\Windows\system32\svchost.exe
      2⤵
      • Suspicious use of SetThreadContext
      • Drops file in Program Files directory
      • Suspicious use of WriteProcessMemory
      PID:4636
      • C:\Windows\system32\svchost.exe
        "C:\Windows\system32\svchost.exe"
        3⤵
        • Drops file in System32 directory
        • Drops file in Program Files directory
        • Modifies data under HKEY_USERS
        PID:3600
      • C:\Windows\system32\svchost.exe
        "C:\Windows\system32\svchost.exe"
        3⤵
        • Drops file in Program Files directory
        • Modifies data under HKEY_USERS
        PID:2624
      • C:\Windows\system32\svchost.exe
        "C:\Windows\system32\svchost.exe"
        3⤵
        • Drops file in System32 directory
        • Drops file in Program Files directory
        PID:3896
      • C:\Windows\system32\svchost.exe
        "C:\Windows\system32\svchost.exe"
        3⤵
        • Drops file in System32 directory
        • Drops file in Program Files directory
        PID:4384
      • C:\Windows\system32\svchost.exe
        "C:\Windows\system32\svchost.exe"
        3⤵
        • Drops file in System32 directory
        • Drops file in Program Files directory
        PID:5076
      • C:\Windows\system32\svchost.exe
        "C:\Windows\system32\svchost.exe"
        3⤵
        • Drops file in System32 directory
        • Drops file in Program Files directory
        PID:3512
      • C:\Windows\system32\svchost.exe
        "C:\Windows\system32\svchost.exe"
        3⤵
        • Drops file in System32 directory
        • Drops file in Program Files directory
        PID:5080

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Program Files\Windows Media Player\background.jpg
    Filesize

    1.9MB

    MD5

    34ea36ccdbe3561c8a18531287f7ec25

    SHA1

    6f4ea2e33364ba240ec300df9fad3cd2f1f2169d

    SHA256

    b860cd996b43dde182b888e2bcf4ded392cd6f716d12e54f2046d8dc374835a0

    SHA512

    fdae3a3bf285fbd6c59c8e028f675bdbc040685b68b2dcc38a1e13484466873c3b4d312345df30667ed18c516a4e7d6724170fc1b0e3ddd6b8a6960f022ce1c8

    Download Submit

  • C:\Program Files\Windows Media Player\mpsvc.dll
    Filesize

    126KB

    MD5

    7b207ce9f9d71dfc2eaa2e959634a54d

    SHA1

    8222daa0c820e50d02ffabdc55dfb7461bbaa1e5

    SHA256

    757af7a540628004b446117be432342674f7830fa008f97a5f4a1ac386954bc2

    SHA512

    6ffbe6e33768e2fbea8c7cee428eb4b61e3eb1dd12e470de363f1d6e274296adabc8d1e681fe5a5f2b1dc8e8eb08bd360572bfd34706e82580c51be57f6fcf5a

    Download Submit

  • C:\Program Files\Windows Media Player\wmpnetwk.exe
    Filesize

    23KB

    MD5

    90b85ffbdeead1be861d59134ea985b0

    SHA1

    55e9859aa7dba87678e7c529b571fdf6b7181339

    SHA256

    ed0dc979eed9ab9933c49204d362de575c7112a792633fda75bb5d1dab50a5c2

    SHA512

    8a1c10bbfe5651ab25bf36f4e8f2f65424c8e1004696c8141498b99ea2fbd7b3e5fae4d2cfee6835f7ff46bd2333602f4d8ac4a0f5b8e9757adb176332a3afce

    Download Submit

  • C:\Windows\Temp\aad9f05a9a826b65ff2b94740ca196c2
    Filesize

    30KB

    MD5

    0a452463c6d740bfba448ba47bba6066

    SHA1

    36c436301a1ebf79f191700bf78acfaf8b99b687

    SHA256

    2ab4315d56a673acbbfccf2f3f942f49a1d7784ba6608028480e0098ba662711

    SHA512

    bb4be83433b15fa2da44fad84dfe794471bd6c9eb2fea806560ac57070da58930a5c0d27fc058eb7f600f8261a952f5dd7dcf6d298d5153fee351c2e2bd8c842

    Download Submit

  • C:\kkxqbh.bat
    Filesize

    103B

    MD5

    407ee4c8cec4efc5d384c9b1635aa192

    SHA1

    db5feb768a6dd658b1bc9935cef450d169adfa87

    SHA256

    2fa56fd9a211ac75e36db5f7d68707538594744f52a049cce128dbe9db24af61

    SHA512

    46e561b19030de153ffe166f199dd26e328fd93e2fe10624548d5cefb472dd01487d880415d1fdb01e7c482751651858bdcdc8869f919cbace6e38a8ec567149

    Download Submit

  • memory/1124-35-0x00000232D2B20000-0x00000232D2B30000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1124-19-0x00000232D2A20000-0x00000232D2A30000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1124-51-0x00000232D7010000-0x00000232D7018000-memory.dmp

    Filesize

    32KB

    Download

  • memory/3600-82-0x0000000180000000-0x0000000180033000-memory.dmp

    Filesize

    204KB

    Download

  • memory/3600-75-0x0000000140000000-0x000000014011B000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/3600-89-0x000001A174EE0000-0x000001A174F96000-memory.dmp

    Filesize

    728KB

    Download

  • memory/3600-84-0x000001A1731D0000-0x000001A1731EF000-memory.dmp

    Filesize

    124KB

    Download

  • memory/3600-83-0x0000000180000000-0x0000000180033000-memory.dmp

    Filesize

    204KB

    Download

  • memory/3600-79-0x0000000180000000-0x0000000180033000-memory.dmp

    Filesize

    204KB

    Download

  • memory/3600-78-0x0000000140000000-0x000000014011B000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/3600-77-0x0000000140000000-0x000000014011B000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/3600-73-0x0000000140000000-0x000000014011B000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/3600-74-0x0000000140000000-0x000000014011B000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/4544-5-0x00007FF65EE40000-0x00007FF65EE7C000-memory.dmp

    Filesize

    240KB

    Download

  • memory/4544-0-0x00007FF65EE4D000-0x00007FF65EE4F000-memory.dmp

    Filesize

    8KB

    Download

  • memory/4544-3-0x000001E1BC130000-0x000001E1BC15C000-memory.dmp

    Filesize

    176KB

    Download

  • memory/4636-72-0x0000000140000000-0x0000000140026000-memory.dmp

    Filesize

    152KB

    Download

  • memory/4636-68-0x0000000140000000-0x0000000140026000-memory.dmp

    Filesize

    152KB

    Download

  • memory/4636-67-0x0000000140000000-0x0000000140026000-memory.dmp

    Filesize

    152KB

    Download

  • memory/4636-66-0x0000000140000000-0x0000000140026000-memory.dmp

    Filesize

    152KB

    Download

  • memory/4636-65-0x0000000140000000-0x0000000140026000-memory.dmp

    Filesize

    152KB

    Download

  • memory/4636-64-0x0000000140000000-0x0000000140026000-memory.dmp

    Filesize

    152KB

    Download

  • memory/4636-63-0x0000000140000000-0x0000000140026000-memory.dmp

    Filesize

    152KB

    Download

  • memory/4636-69-0x0000000140000000-0x0000000140026000-memory.dmp

    Filesize

    152KB

    Download

  • memory/4636-71-0x0000000140000000-0x0000000140026000-memory.dmp

    Filesize

    152KB

    Download