Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    06-06-2024 11:30

General

  • Target

    cba91cac646c8fe660bdc05e00c86f8bba81b3537d066a9486606ae0c10ec43d.exe

  • Size

    1.7MB

  • MD5

    8dd3fd4a27b472774a09212729a12ddf

  • SHA1

    a70db8fd662af0d0a782e3e51347a1bffd575f9a

  • SHA256

    cba91cac646c8fe660bdc05e00c86f8bba81b3537d066a9486606ae0c10ec43d

  • SHA512

    3dbaaa2eafe05e13fc52f7edfb2b2f6dc6b48a96fbc2ec3f11f9456b8ab4f6052df87b7efd14e76416fa66a4109a88f1fedc63e4347e8f4b0d95a498e3f3bdfa

  • SSDEEP

    49152:PxzbHhzqnnzebckZRAvou/qY+SU4h5ozoL:5z9zYnzebPZRB8bt

Score
7/10 (tag: upx)

Malware Config

Signatures

  • Executes dropped EXE 2 IoCs
  • UPX packed file 6 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks SCSI registry key(s) 3 TTPs 2 IoCs

    SCSI information is often read in order to detect sandboxing environments: the disk Identifier value under HKLM\HARDWARE\DEVICEMAP\Scsi typically names the hypervisor's virtual disk vendor, which a sample can match against strings such as VMware, VBOX or QEMU.

  • Runs ping.exe 1 TTPs 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 25 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs
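
The "Runs ping.exe" signature maps to four consecutive `ping -n 2 127.0.0.1` children of a single cmd.exe (PID 1488 in the process tree below), which is the classic batch-file sleep: Windows ping spaces echo requests about one second apart, so `-n 2` against loopback burns roughly one second per invocation and leaves no network footprint. The detection logic that follows is an added example, not code from the report or the sandbox. It walks a list of process records constructed from the PIDs and command lines shown in the report (the record field names and the root process's parent PID are assumptions about the log schema) and flags any parent that spawns two or more loopback pings, with an estimate of the delay achieved.

```python
"""
Flag the 'ping -n N 127.0.0.1' sleep trick in a process tree.

Added example. Records are constructed from the PIDs and command lines in the
sandbox report; field names (pid, ppid, image, cmdline) and ppid=0 for the
root are assumptions.
"""
from __future__ import annotations

from collections import defaultdict

LOOPBACK = {"127.0.0.1", "localhost", "::1"}
MIN_PINGS = 2  # one loopback ping is common in scripts; repeats are the delay pattern

# Constructed from the report's process tree (only the branch relevant here).
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\cba91cac646c8fe660bdc05e00c86f8bba81b3537d066a9486606ae0c10ec43d.exe"
SCRIPT = r"C:\Users\Admin\AppData\Local\Temp\~3067720239341486932.cmd"
PROCESSES = [
    {"pid": 3344, "ppid": 0, "image": SAMPLE, "cmdline": f'"{SAMPLE}"'},
    {"pid": 1208, "ppid": 3344, "image": r"C:\Windows\SYSTEM32\cmd.exe", "cmdline": "cmd.exe /c set"},
    {"pid": 4204, "ppid": 3344, "image": SAMPLE,
     "cmdline": f'PECMD**pecmd-cmd* EXEC -wd:C: -hide cmd /c "{SCRIPT}"'},
    {"pid": 1488, "ppid": 4204, "image": r"C:\Windows\SYSTEM32\cmd.exe", "cmdline": f'cmd /c "{SCRIPT}"'},
    {"pid": 3420, "ppid": 1488, "image": r"C:\Windows\system32\PING.EXE", "cmdline": "ping -n 2 127.0.0.1"},
    {"pid": 2992, "ppid": 1488, "image": r"C:\Windows\system32\PING.EXE", "cmdline": "ping -n 2 127.0.0.1"},
    {"pid": 4604, "ppid": 1488, "image": r"C:\Windows\system32\PING.EXE", "cmdline": "ping -n 2 127.0.0.1"},
    {"pid": 5024, "ppid": 1488, "image": r"C:\Windows\system32\PING.EXE", "cmdline": "ping -n 2 127.0.0.1"},
]


def loopback_ping_count(cmdline: str) -> int | None:
    """Return the echo-request count if cmdline is a ping against loopback, else None.

    Windows ping defaults to 4 echo requests when -n is absent.
    """
    toks = cmdline.strip().split()
    if not toks:
        return None
    image = toks[0].lower().strip('"').rsplit("\\", 1)[-1]
    if image not in ("ping", "ping.exe"):
        return None
    count, target, i = 4, None, 1
    while i < len(toks):
        t = toks[i].lower()
        if t == "-n" and i + 1 < len(toks) and toks[i + 1].isdigit():
            count = int(toks[i + 1])
            i += 2
            continue
        if not t.startswith("-"):
            target = t  # last non-option token is the host
        i += 1
    return count if target in LOOPBACK else None


def find_ping_sleepers(records: list[dict], min_pings: int = MIN_PINGS) -> list[dict]:
    """Group loopback pings by parent and report parents at or above the threshold.

    approx_delay_s assumes ~1 s between echo requests and instant loopback replies,
    so a single 'ping -n N' costs about N-1 seconds.
    """
    by_pid = {r["pid"]: r for r in records}
    counts_by_parent: dict[int, list[int]] = defaultdict(list)
    for r in records:
        n = loopback_ping_count(r["cmdline"])
        if n is not None:
            counts_by_parent[r["ppid"]].append(n)

    findings = []
    for ppid, counts in sorted(counts_by_parent.items()):
        if len(counts) < min_pings:
            continue
        parent = by_pid.get(ppid)
        findings.append({
            "parent_pid": ppid,
            "parent_cmdline": parent["cmdline"] if parent else None,
            "ping_count": len(counts),
            "approx_delay_s": sum(max(c - 1, 0) for c in counts),
        })
    return findings


if __name__ == "__main__":
    for f in find_ping_sleepers(PROCESSES):
        print(f"PID {f['parent_pid']} ran {f['ping_count']} loopback pings "
              f"(~{f['approx_delay_s']} s delay): {f['parent_cmdline']}")
```

Run against the constructed records this reports only PID 1488 (the cmd.exe running the dropped .cmd script) with four pings and about four seconds of delay; the `cmd.exe /c set` sibling, which only dumps the environment, is not flagged. In a real pipeline, feed it the process-creation events (Sysmon Event ID 1 or 4688 with command-line auditing) for one host and treat a hit whose parent script lives under a user's Temp directory as high priority.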

Processes

  • C:\Users\Admin\AppData\Local\Temp\cba91cac646c8fe660bdc05e00c86f8bba81b3537d066a9486606ae0c10ec43d.exe
    "C:\Users\Admin\AppData\Local\Temp\cba91cac646c8fe660bdc05e00c86f8bba81b3537d066a9486606ae0c10ec43d.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3344
    • C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c set
      2⤵
        PID:1208
      • C:\Users\Admin\AppData\Local\Temp\cba91cac646c8fe660bdc05e00c86f8bba81b3537d066a9486606ae0c10ec43d.exe
        PECMD**pecmd-cmd* PUTF -dd -skipb=1265152 -len=492837 "C:\Users\Admin\AppData\Local\Temp\~1695710514167693396.tmp",,C:\Users\Admin\AppData\Local\Temp\cba91cac646c8fe660bdc05e00c86f8bba81b3537d066a9486606ae0c10ec43d.exe
        2⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:3536
      • C:\Users\Admin\AppData\Local\Temp\~1056080202764945986~\sg.tmp
        7zG_exe x "C:\Users\Admin\AppData\Local\Temp\~1695710514167693396.tmp" -y -aoa -o"C:\Users\Admin\AppData\Local\Temp\~2718645771486051551"
        2⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:2264
      • C:\Users\Admin\AppData\Local\Temp\~2718645771486051551\NetDisabler_x64.exe
        "C:\Users\Admin\AppData\Local\Temp\~2718645771486051551\NetDisabler_x64.exe"
        2⤵
        • Executes dropped EXE
        • Checks SCSI registry key(s)
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:1680
      • C:\Users\Admin\AppData\Local\Temp\cba91cac646c8fe660bdc05e00c86f8bba81b3537d066a9486606ae0c10ec43d.exe
        PECMD**pecmd-cmd* EXEC -wd:C: -hide cmd /c "C:\Users\Admin\AppData\Local\Temp\~3067720239341486932.cmd"
        2⤵
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:4204
        • C:\Windows\SYSTEM32\cmd.exe
          cmd /c "C:\Users\Admin\AppData\Local\Temp\~3067720239341486932.cmd"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:1488
          • C:\Windows\system32\PING.EXE
            ping -n 2 127.0.0.1
            4⤵
            • Runs ping.exe
            PID:3420
          • C:\Windows\system32\PING.EXE
            ping -n 2 127.0.0.1
            4⤵
            • Runs ping.exe
            PID:2992
          • C:\Windows\system32\PING.EXE
            ping -n 2 127.0.0.1
            4⤵
            • Runs ping.exe
            PID:4604
          • C:\Windows\system32\PING.EXE
            ping -n 2 127.0.0.1
            4⤵
            • Runs ping.exe
            PID:5024
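
The PECMD `PUTF -skipb=1265152 -len=492837` step above is a plain offset-and-length carve: 492837 bytes starting at byte 1265152 of the carrier are written out as ~1695710514167693396.tmp, which the Downloads section lists at 481KB with SHA256 39303f708c1637460382f5a98f600969a05b3be7912b1dfd57277e296f5083a3 and which sg.tmp (a renamed 7-Zip) then unpacks. The region ends at byte 1757989, which within rounding is the 1.7MB carrier size, so the archive sits as an overlay appended after the PE image. The script below reproduces that carve offline and checks the result against the reported hash; it is an added example, not the sample's or the sandbox's code, and the carrier and output paths are assumptions.

```python
"""
Carve an embedded payload out of a carrier file by byte offset and length, then
verify it against a known hash.

Added example. SKIP_BYTES, PAYLOAD_LEN and EXPECTED_SHA256 are the values the
sandbox report shows for the PECMD PUTF step and the dropped .tmp; the input
and output paths are whatever the analyst supplies.
"""
from __future__ import annotations

import hashlib
import sys
from pathlib import Path

# From the report: PUTF -skipb=1265152 -len=492837, dropped file SHA256.
SKIP_BYTES = 1265152
PAYLOAD_LEN = 492837
EXPECTED_SHA256 = "39303f708c1637460382f5a98f600969a05b3be7912b1dfd57277e296f5083a3"


def region_fits(carrier_size: int, skip: int, length: int) -> bool:
    """True if [skip, skip+length) lies entirely inside a carrier of carrier_size bytes."""
    return skip >= 0 and length > 0 and skip + length <= carrier_size


def carve(data: bytes, skip: int, length: int) -> bytes:
    """Return data[skip:skip+length], refusing a short or out-of-range read
    rather than silently returning a truncated payload."""
    if not region_fits(len(data), skip, length):
        raise ValueError(
            f"carve region {skip}+{length} does not fit a carrier of {len(data)} bytes"
        )
    return data[skip:skip + length]


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def carve_and_verify(data: bytes, skip: int, length: int,
                     expected_sha256: str) -> tuple[bytes, bool]:
    """Carve the region and report whether its SHA256 matches expected_sha256."""
    payload = carve(data, skip, length)
    return payload, sha256_hex(payload) == expected_sha256.lower()


def carve_file(carrier: Path, out: Path, skip: int = SKIP_BYTES,
               length: int = PAYLOAD_LEN,
               expected_sha256: str = EXPECTED_SHA256) -> bool:
    """Write the carved payload to `out`; return True if the hash matched."""
    payload, ok = carve_and_verify(carrier.read_bytes(), skip, length, expected_sha256)
    out.write_bytes(payload)
    return ok


if __name__ == "__main__":
    # Usage: carve.py <carrier.exe> <payload.out>  (paths are the analyst's choice)
    src, dst = Path(sys.argv[1]), Path(sys.argv[2])
    matched = carve_file(src, dst)
    print(f"wrote {dst} ({PAYLOAD_LEN} bytes); hash match: {matched}")
```

A hash match confirms that the sandbox's dropped file is exactly the overlay region and that nothing in the carve step decrypts or transforms it, so the inner archive can be pulled from the carrier on any platform without executing the sample. A mismatch on a different build of the same packager usually means the offsets moved: read them from the PUTF command line of that run rather than reusing these constants.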

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\~1056080202764945986~\sg.tmp

      Filesize

      1.1MB

      MD5

      8a36dcd25ae8543d26b0a99b7d48864a

      SHA1

      72581de60cedf59b1b932f6201bafc7cb02bb56e

      SHA256

      b3daf97e499467c6337b4320059ac44bc7a949dc4e500eb0d2f79f900a229531

      SHA512

      26eecfa81f6c94a89d1f9be0224a3f36309a5c43d658055f48e6e7ee2847c29bddf665f077381ee5b318201bc7658f6cfc36d248f64f51302622e5e949f147ef

    • C:\Users\Admin\AppData\Local\Temp\~1695710514167693396.tmp

      Filesize

      481KB

      MD5

      8203110f0f8e95475077f3dabf2d347b

      SHA1

      b8976709e201833faa36aa6a201fa46a0e7270ab

      SHA256

      39303f708c1637460382f5a98f600969a05b3be7912b1dfd57277e296f5083a3

      SHA512

      7a0aeded7a7a025de5ab4a8082156b0715e5d36e9533551e03f3f9b160353eaf140c309901af87bfe3330b0fdb0155208a0deb2ba18599b2a752f2ec35e268cf

    • C:\Users\Admin\AppData\Local\Temp\~2718645771486051551\NetDisabler.ini

      Filesize

      1KB

      MD5

      067b0c6a9b2656adddbd020aa7899860

      SHA1

      6fed17a374eef4b3713b4148a56a668ade0dd12e

      SHA256

      08358a905a276a0e7f3b4d9fe9ade614c5319bec3041d44dc6192cdc35396d28

      SHA512

      1528f8664971dce93139308a79e92a084ccf6cb4b44fc5007cd42db986547eeec96eacdc6d089de7468021a1435e85b3def3486add92fd0571259496d53ba3cc

    • C:\Users\Admin\AppData\Local\Temp\~2718645771486051551\NetDisabler_x64.exe

      Filesize

      974KB

      MD5

      ff17545676191d398aa9670149003946

      SHA1

      47b2201b4cf88b9a9793cd06f60f31e51eff86a2

      SHA256

      8d8e8f2fa24575afa62fac4439fde19470d6a77a36b926599a25610fe5efed67

      SHA512

      8f5547aace60ab76a278a1747ee82baedb41b12054762eabd0cbd93f327c5f41787d7a153e061b9a916a298c0f17fceca90cf5d8dbc70560f01c34d3b8aee6d7

    • C:\Users\Admin\AppData\Local\Temp\~3067720239341486932.cmd

      Filesize

      373B

      MD5

      cd1a0c0a8520e9d726a438a68b953d1a

      SHA1

      6fc8c202ed43c7b1e7fdd04aa074407e2ccd3fc9

      SHA256

      53d500026c58123c1dd0b32dc9daba3d8e9e918bac978c0ac9a347e3bd341bfe

      SHA512

      68081d02e99151a5af2a8f02a465da447e61f8fb6d7b694aa46c7b48a91b5392a2bea1f56d40b09f0c4632fd7d2b8952e878659e85e1833a783e51892a0a7a42

    • memory/3344-0-0x0000000140000000-0x00000001401E9000-memory.dmp

      Filesize

      1.9MB

    • memory/3344-50-0x0000000140000000-0x00000001401E9000-memory.dmp

      Filesize

      1.9MB

    • memory/3536-7-0x0000000140000000-0x00000001401E9000-memory.dmp

      Filesize

      1.9MB

    • memory/3536-10-0x0000000140000000-0x00000001401E9000-memory.dmp

      Filesize

      1.9MB

    • memory/4204-48-0x0000000140000000-0x00000001401E9000-memory.dmp

      Filesize

      1.9MB

    • memory/4204-51-0x0000000140000000-0x00000001401E9000-memory.dmp

      Filesize

      1.9MB