Overview

overview

8

Static

static

3

e6de332ad7...16.exe

windows7-x64

8

e6de332ad7...16.exe

windows10-2004-x64

8

Resubmissions

Analysis

  • max time kernel
    299s
  • max time network
    299s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    24-05-2024 02:17

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    e6de332ad778f7a7cf160efa60656c3ac960dc77806905493d5cffe58ee1de16.exe

  • Size

    223KB

  • MD5

    3955af54fbac1e43c945f447d92e4108

  • SHA1

    53c5552c3649619e4e8c6a907b94573f47130fa4

  • SHA256

    e6de332ad778f7a7cf160efa60656c3ac960dc77806905493d5cffe58ee1de16

  • SHA512

    fa028a040a5f075296aebab7f63a59b6cbba32ee0964dfc08768396cc012ff5d861191e2478914d79d4a424c3bba110505a58b97376c44c716f0b1ea70551037

  • SSDEEP

    3072:tneBqhy5aVLOwqI8sgwoEHXfwaNUM+/ORSs5G2Ms4f6TFZbhgvbUxzJ8Y:tETlsgOfDt+/V6JQO98

Score
8/10
discoveryexecutionexploitpersistenceupx

Malware Config

Signatures

  • Creates new service(s) 2 TTPs
    persistenceexecution
  • Possible privilege escalation attempt 2 IoCs
    exploit
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Modifies file permissions 1 TTPs 2 IoCs
    discovery
  • UPX packed file 8 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Drops file in System32 directory 13 IoCs
  • Suspicious use of SetThreadContext 14 IoCs
  • Drops file in Program Files directory 20 IoCs
  • Launches sc.exe 1 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies data under HKEY_USERS 64 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 27 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\e6de332ad778f7a7cf160efa60656c3ac960dc77806905493d5cffe58ee1de16.exe
    "C:\Users\Admin\AppData\Local\Temp\e6de332ad778f7a7cf160efa60656c3ac960dc77806905493d5cffe58ee1de16.exe"
    1⤵
    • Checks computer location settings
    • Drops file in Program Files directory
    • Suspicious use of WriteProcessMemory
    PID:1144
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" cmd /c takeown /f "C:\Program Files\Windows Media Player\wmpnetwk.exe" && icacls "C:\Program Files\Windows Media Player\wmpnetwk.exe" /grant administrators:F
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1088
      • C:\Windows\system32\takeown.exe
        takeown /f "C:\Program Files\Windows Media Player\wmpnetwk.exe"
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        • Suspicious use of AdjustPrivilegeToken
        PID:2044
      • C:\Windows\system32\icacls.exe
        icacls "C:\Program Files\Windows Media Player\wmpnetwk.exe" /grant administrators:F
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        PID:5092
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" cmd /c sc create "Accecss Auto Connetcion Manager" binPath= "C:\Program Files\Windows Media Player\wmixedwk.exe" START= auto DISPLAYNAME= "WebServer" TYPE= own
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2128
      • C:\Windows\system32\sc.exe
        sc create "Accecss Auto Connetcion Manager" binPath= "C:\Program Files\Windows Media Player\wmixedwk.exe" START= auto DISPLAYNAME= "WebServer" TYPE= own
        3⤵
        • Launches sc.exe
        PID:2032
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\kkxqbh.bat" "
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4416
      • C:\Windows\system32\PING.EXE
        ping 127.0.0.1 -n 3
        3⤵
        • Runs ping.exe
        PID:3392
  • C:\Windows\system32\SearchIndexer.exe
    C:\Windows\system32\SearchIndexer.exe /Embedding
    1⤵
    • Modifies data under HKEY_USERS
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4908
    • C:\Windows\system32\SearchProtocolHost.exe
      "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
      2⤵
      • Modifies data under HKEY_USERS
      PID:5048
    • C:\Windows\system32\SearchFilterHost.exe
      "C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 784
      2⤵
      • Modifies data under HKEY_USERS
      PID:1304
  • C:\Program Files\Windows Media Player\wmpnetwk.exe
    "C:\Program Files\Windows Media Player\wmpnetwk.exe"
    1⤵
    • Executes dropped EXE
    • Loads dropped DLL
    PID:2388
  • C:\Program Files\Windows Media Player\wmixedwk.exe
    "C:\Program Files\Windows Media Player\wmixedwk.exe"
    1⤵
    • Executes dropped EXE
    • Loads dropped DLL
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:4696
    • C:\Windows\system32\svchost.exe
      C:\Windows\system32\svchost.exe
      2⤵
      • Suspicious use of SetThreadContext
      • Drops file in Program Files directory
      • Suspicious use of WriteProcessMemory
      PID:4900
      • C:\Windows\system32\svchost.exe
        "C:\Windows\system32\svchost.exe"
        3⤵
        • Drops file in System32 directory
        • Drops file in Program Files directory
        • Modifies data under HKEY_USERS
        PID:2284
      • C:\Windows\system32\svchost.exe
        "C:\Windows\system32\svchost.exe"
        3⤵
        • Drops file in Program Files directory
        • Modifies data under HKEY_USERS
        PID:4048
      • C:\Windows\system32\svchost.exe
        "C:\Windows\system32\svchost.exe"
        3⤵
        • Drops file in System32 directory
        • Drops file in Program Files directory
        PID:4944
      • C:\Windows\system32\svchost.exe
        "C:\Windows\system32\svchost.exe"
        3⤵
        • Drops file in System32 directory
        • Drops file in Program Files directory
        PID:4076
      • C:\Windows\system32\svchost.exe
        "C:\Windows\system32\svchost.exe"
        3⤵
        • Drops file in System32 directory
        • Drops file in Program Files directory
        PID:3596
      • C:\Windows\system32\svchost.exe
        "C:\Windows\system32\svchost.exe"
        3⤵
        • Drops file in System32 directory
        • Drops file in Program Files directory
        PID:1596
      • C:\Windows\system32\svchost.exe
        "C:\Windows\system32\svchost.exe"
        3⤵
        • Drops file in System32 directory
        • Drops file in Program Files directory
        PID:3172
      • C:\Windows\system32\svchost.exe
        "C:\Windows\system32\svchost.exe"
        3⤵
        • Drops file in System32 directory
        • Drops file in Program Files directory
        PID:2852
      • C:\Windows\system32\svchost.exe
        "C:\Windows\system32\svchost.exe"
        3⤵
        • Drops file in System32 directory
        • Drops file in Program Files directory
        PID:5112
      • C:\Windows\system32\svchost.exe
        "C:\Windows\system32\svchost.exe"
        3⤵
        • Drops file in System32 directory
        • Drops file in Program Files directory
        PID:4748
      • C:\Windows\system32\svchost.exe
        "C:\Windows\system32\svchost.exe"
        3⤵
        • Drops file in System32 directory
        • Drops file in Program Files directory
        PID:812
      • C:\Windows\system32\svchost.exe
        "C:\Windows\system32\svchost.exe"
        3⤵
        • Drops file in System32 directory
        • Drops file in Program Files directory
        PID:1732
      • C:\Windows\system32\svchost.exe
        "C:\Windows\system32\svchost.exe"
        3⤵
        • Drops file in System32 directory
        • Drops file in Program Files directory
        PID:2388

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Program Files\Windows Media Player\background.jpg
    Filesize

    1.9MB

    MD5

    e37e46d9eb3834d3e8845166e1828568

    SHA1

    a875d07db50b10131a5c3675501de2d805e742a1

    SHA256

    9f8f9457950e10770f96239f3fbcc35239b3459456c992b51a80c50d257acb36

    SHA512

    7b95e1e861bece9b5cb7205b52edbe2230b883e76c8188c41107a116e987f122e80a5299c595a692127e42663fddedd27df9074f70b1836d6c305e855bce2021

    Download Submit

  • C:\Program Files\Windows Media Player\mpsvc.dll
    Filesize

    126KB

    MD5

    7b207ce9f9d71dfc2eaa2e959634a54d

    SHA1

    8222daa0c820e50d02ffabdc55dfb7461bbaa1e5

    SHA256

    757af7a540628004b446117be432342674f7830fa008f97a5f4a1ac386954bc2

    SHA512

    6ffbe6e33768e2fbea8c7cee428eb4b61e3eb1dd12e470de363f1d6e274296adabc8d1e681fe5a5f2b1dc8e8eb08bd360572bfd34706e82580c51be57f6fcf5a

    Download Submit

  • C:\Program Files\Windows Media Player\wmpnetwk.exe
    Filesize

    23KB

    MD5

    90b85ffbdeead1be861d59134ea985b0

    SHA1

    55e9859aa7dba87678e7c529b571fdf6b7181339

    SHA256

    ed0dc979eed9ab9933c49204d362de575c7112a792633fda75bb5d1dab50a5c2

    SHA512

    8a1c10bbfe5651ab25bf36f4e8f2f65424c8e1004696c8141498b99ea2fbd7b3e5fae4d2cfee6835f7ff46bd2333602f4d8ac4a0f5b8e9757adb176332a3afce

    Download Submit

  • C:\Windows\Temp\aad9f05a9a826b65ff2b94740ca196c2
    Filesize

    55KB

    MD5

    d39122bc111a1013fbaf9380fcc34ce8

    SHA1

    fb61a7dfe577a4eee6521f8ca524455dbc3ad189

    SHA256

    32666d8a3a86a99caf875c7d067b8573b56534e25da8c5dea3271b492ae0a78a

    SHA512

    806df4b5617252fec2ab4b4dc9415be4f9f09a3f362437f05ef9996895b343c63be4bb2575a72830e34310260dadbe2834dec372bf9c3d5ad0232902cf5ecf84

    Download Submit

  • C:\kkxqbh.bat
    Filesize

    135B

    MD5

    44a3af72a2e7efad7f05b5b264f2b133

    SHA1

    cfd7c8451a0c6e8123328b18f96bec50d04b50ab

    SHA256

    471ff503db8bd1d39701d587ec4f2d3c97c2843a53e812fe726c970f7306fbb4

    SHA512

    3d2009c7d4b82fd970ced78fe97b0d5ed08ca7a33480969deb5345195e50877e5efe8f80eeca86c63c5f87cc3779f7f9aba47eb1cca1c29656cb4f74bfd4e14a

    Download Submit

  • memory/1144-3-0x0000025CA9880000-0x0000025CA98AC000-memory.dmp

    Filesize

    176KB

    Download

  • memory/1144-0-0x00007FF989C10000-0x00007FF989C32000-memory.dmp

    Filesize

    136KB

    Download

  • memory/2284-80-0x0000000180000000-0x0000000180033000-memory.dmp

    Filesize

    204KB

    Download

  • memory/2284-75-0x0000000140000000-0x000000014011B000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/2284-79-0x0000000140000000-0x000000014011B000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/2284-90-0x000002D778E20000-0x000002D778ED6000-memory.dmp

    Filesize

    728KB

    Download

  • memory/2284-85-0x000002D778E00000-0x000002D778E1F000-memory.dmp

    Filesize

    124KB

    Download

  • memory/2284-84-0x0000000180000000-0x0000000180033000-memory.dmp

    Filesize

    204KB

    Download

  • memory/2284-83-0x0000000180000000-0x0000000180033000-memory.dmp

    Filesize

    204KB

    Download

  • memory/2284-74-0x0000000140000000-0x000000014011B000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/2284-78-0x0000000140000000-0x000000014011B000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/2284-76-0x0000000140000000-0x000000014011B000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/4900-68-0x0000000140000000-0x0000000140026000-memory.dmp

    Filesize

    152KB

    Download

  • memory/4900-71-0x0000000140000000-0x0000000140026000-memory.dmp

    Filesize

    152KB

    Download

  • memory/4900-70-0x0000000140000000-0x0000000140026000-memory.dmp

    Filesize

    152KB

    Download

  • memory/4900-67-0x0000000140000000-0x0000000140026000-memory.dmp

    Filesize

    152KB

    Download

  • memory/4900-66-0x0000000140000000-0x0000000140026000-memory.dmp

    Filesize

    152KB

    Download

  • memory/4900-65-0x0000000140000000-0x0000000140026000-memory.dmp

    Filesize

    152KB

    Download

  • memory/4900-64-0x0000000140000000-0x0000000140026000-memory.dmp

    Filesize

    152KB

    Download

  • memory/4900-63-0x0000000140000000-0x0000000140026000-memory.dmp

    Filesize

    152KB

    Download

  • memory/4900-62-0x0000000140000000-0x0000000140026000-memory.dmp

    Filesize

    152KB

    Download

  • memory/4908-34-0x000001F961E00000-0x000001F961E10000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4908-50-0x000001F966150000-0x000001F966158000-memory.dmp

    Filesize

    32KB

    Download

  • memory/4908-18-0x000001F961B60000-0x000001F961B70000-memory.dmp

    Filesize

    64KB

    Download