Analysis

  • max time kernel
    148s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64
    arch:x86
    image:win10v2004-20240426-en
    locale:en-us
    os:windows10-2004-x64
    system
  • submitted
    30/05/2024, 19:35

General

  • Target

    Main.exe

  • Size

    9KB

  • MD5

    591b69583b5d480dfc37ebe5d4147da2

  • SHA1

    7f6f6a10809302ce31db85795a20fe35cc711246

  • SHA256

    57592287aa0d69231dc808146ebcfd18ffd25c18639df768b353380f32526e48

  • SHA512

    6004acc7286b951a490fc22ce347b4ab0e53e1af8d32bdbcd81118196a8c15a7a94df0d34cc00beb50d77b855d82085425ba516982de69da605ed3d7a0290b85

  • SSDEEP

    192:XPWZn7j7S9g1/gINyzRhLSqFaNJhLkwcud2DH9VwGfct1zO:OZnzS9gtyzn3aNJawcudoD7Uu

Score
7/10
upx

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up the country code configured in the registry, likely a geofence check.

  • Executes dropped EXE 1 IoCs
  • UPX packed file 2 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Main.exe
    "C:\Users\Admin\AppData\Local\Temp\Main.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:3720
    • C:\Users\Admin\AppData\Local\Temp\398E.tmp\b2e.exe
      "C:\Users\Admin\AppData\Local\Temp\398E.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\398E.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\Main.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:1368
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\39EC.tmp\batchfile.bat" "
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2200
        • C:\Windows\SysWOW64\chcp.com
          chcp 65001
          4⤵
            PID:216
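
    The tree above is a drop-and-run chain: a small UPX-packed launcher (Main.exe, PID 3720) writes a second executable into a randomly named %TEMP%\398E.tmp\ folder, that stub (b2e.exe, PID 1368, passed its own path, the Temp directory and the original launcher's path on its command line) unpacks a batch file into %TEMP%\39EC.tmp\ and runs it through cmd.exe /c, and the batch begins by switching the console to code page 65001 (UTF-8). The naming and argument pattern is consistent with a batch-to-exe wrapper stub, though the report does not name the tool. The following is an added detection example, not part of this report or of any sandbox vendor's code. It replays the four process events from the tree as constructed Sysmon-style records (PIDs, images and command lines copied from the page; the Proc record type, the regexes and the rule descriptions are the example's own assumptions) and flags the two links a hunt query would key on: an EXE executing out of a Temp\*.tmp staging folder, and cmd.exe running a .bat from such a folder while parented by that dropped EXE.

```python
"""Flag the Temp\\*.tmp drop-and-run chain from a Sysmon-style process event list.

Added example; the events below are constructed from the sandbox report's
process tree and are not a real Sysmon export.
"""
from dataclasses import dataclass
import re


@dataclass(frozen=True)
class Proc:
    """Minimal process-creation record (Sysmon Event ID 1 fields we need)."""
    pid: int
    ppid: int
    image: str
    cmdline: str


# Constructed from the report's process tree (PID, parent PID, image, command line).
# PPID 0 marks the submitted sample, whose parent the report does not show.
EVENTS = [
    Proc(3720, 0,
         r"C:\Users\Admin\AppData\Local\Temp\Main.exe",
         r'"C:\Users\Admin\AppData\Local\Temp\Main.exe"'),
    Proc(1368, 3720,
         r"C:\Users\Admin\AppData\Local\Temp\398E.tmp\b2e.exe",
         r'"C:\Users\Admin\AppData\Local\Temp\398E.tmp\b2e.exe" '
         r'C:\Users\Admin\AppData\Local\Temp\398E.tmp\b2e.exe '
         r'C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\Main.exe"'),
    Proc(2200, 1368,
         r"C:\Windows\SysWOW64\cmd.exe",
         r'C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\39EC.tmp\batchfile.bat" "'),
    Proc(216, 2200,
         r"C:\Windows\SysWOW64\chcp.com",
         "chcp 65001"),
]

# A randomly named staging folder directly under %TEMP%: ...\AppData\Local\Temp\398E.tmp\
# The hex-digit width is an assumption; widen it if your telemetry shows longer names.
TEMP_TMPDIR = re.compile(r"\\AppData\\Local\\Temp\\[0-9A-Fa-f]{1,8}\.tmp\\", re.I)
# A .bat inside such a folder, as it appears in a cmd.exe /c command line.
BAT_IN_TMPDIR = re.compile(r"\\AppData\\Local\\Temp\\[0-9A-Fa-f]{1,8}\.tmp\\[^\"]+\.bat", re.I)


def chain_images(procs, leaf_pid):
    """Return image basenames from the root ancestor down to leaf_pid."""
    by_pid = {p.pid: p for p in procs}
    chain = []
    pid = leaf_pid
    while pid in by_pid:
        chain.append(by_pid[pid].image.rsplit("\\", 1)[-1])
        pid = by_pid[pid].ppid
    return list(reversed(chain))


def flag_chain(procs):
    """Return (pid, reason) pairs for processes matching the drop-and-run pattern."""
    by_pid = {p.pid: p for p in procs}
    findings = []
    for p in procs:
        parent = by_pid.get(p.ppid)
        image = p.image.lower()
        # Rule 1: an executable launched from a %TEMP%\XXXX.tmp\ staging folder.
        if image.endswith(".exe") and TEMP_TMPDIR.search(p.image):
            findings.append((p.pid, "EXE executed from Temp\\*.tmp staging folder"))
        # Rule 2: cmd.exe running a .bat out of a staging folder, parented by a
        # process that itself runs from a staging folder (the dropped stub).
        if (image.endswith("\\cmd.exe")
                and BAT_IN_TMPDIR.search(p.cmdline)
                and parent is not None
                and TEMP_TMPDIR.search(parent.image)):
            findings.append((p.pid, "cmd.exe runs .bat from Temp\\*.tmp, parent is dropped EXE"))
    return findings


if __name__ == "__main__":
    for pid, reason in flag_chain(EVENTS):
        print(f"PID {pid}: {reason}  chain={' -> '.join(chain_images(EVENTS, pid))}")
```

    Rule 2 deliberately requires the parent to live in a staging folder as well: cmd.exe executing a .bat from Temp on its own is common in installers, whereas a Temp-resident stub handing a Temp-resident batch to cmd.exe is the specific two-stage layout this report shows. The chcp 65001 child is left unflagged; it is a benign console code-page switch and only gains meaning from the chain above it.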

    Network

    MITRE ATT&CK Enterprise v15


    Downloads

    • C:\Users\Admin\AppData\Local\Temp\398E.tmp\b2e.exe

      Filesize

      13KB

      MD5

      5ef49f0bbb9a43a0865635d0105d82e3

      SHA1

      02c52286bd9df5b7ba340f3ba531bc835483118e

      SHA256

      da026fd7e3318b65d9d418d3c896251ccdfa12949bc2bf8ad655b2cf8c96c32c

      SHA512

      17e5b4ce0cf027ef44b98ea6801e399d437f03e46aafbb40491922d3bbfdfbb08dcb823ba8ea29883333e6fdb0ad3083de5ff6610fbb55558b5b9ff0ce3019c9

    • C:\Users\Admin\AppData\Local\Temp\39EC.tmp\batchfile.bat

      Filesize

      4KB

      MD5

      34fa12cee845d7ded3763362877a2fcd

      SHA1

      015b75f28494865d401f13bdba021ccb03295a0b

      SHA256

      76bfca848e6aae6326c0d2cb58ce10caec84951b344733e5bb5d736efafdbd19

      SHA512

      d0f1fea8431b89834e74ea02f4917e9985a7c87e586832fb69ed17189ff28e18648b20e2c4e6b2d6b45c4f2432b12937625dca9feadd8ada70d566dcdc3690d2

    • memory/1368-8-0x0000000000400000-0x0000000000405000-memory.dmp

      Filesize

      20KB

    • memory/1368-15-0x0000000000400000-0x0000000000405000-memory.dmp

      Filesize

      20KB

    • memory/3720-0-0x0000000000400000-0x000000000040A000-memory.dmp

      Filesize

      40KB

    • memory/3720-11-0x0000000000400000-0x000000000040A000-memory.dmp

      Filesize

      40KB