Analysis

  • max time kernel
    149s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    10/06/2024, 21:36

General

  • Target

    48073376b0a99b7c8f11427dbc92eec03f0ada9976b27e4a8c4f2b6634c2c9f9.exe

  • Size

    423KB

  • MD5

    ad7cf66560e0c2c57ae299f8c727bf66

  • SHA1

    e160143b3037d72a551cfb02a0b98ce32f92dae4

  • SHA256

    48073376b0a99b7c8f11427dbc92eec03f0ada9976b27e4a8c4f2b6634c2c9f9

  • SHA512

    ec3feb22cdd7bcada254123424e402e7ddc142b48b5b1b2ee11afdb6f7cc7276787542a6f4fa7e2cb53bef7c4d13ec6cb2b5aee476a4a954748ec5b49ce0fc71

  • SSDEEP

    6144:DP+PtrmEs7eVyYr9AmEcmI5qpYDb1MV+w1ILKcelS4:DP+Pt9sKVyY3EcmIopMbv1Ockd

Score
9/10
upx

Malware Config

Signatures

  • UPX dump on OEP (original entry point) 7 IoCs
  • Drops file in Drivers directory 60 IoCs
  • Manipulates Digital Signatures 2 IoCs

    Attackers can apply techniques such as modifying certain DLL exports to make their binary seem valid.

  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 8 IoCs
  • UPX packed file 7 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Blocklisted process makes network request 2 IoCs
  • Drops desktop.ini file(s) 64 IoCs
  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops autorun.inf file 1 TTPs 26 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in System32 directory 64 IoCs
  • Drops file in Windows directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies data under HKEY_USERS 43 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 55 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 5 IoCs
  • Suspicious use of WriteProcessMemory 23 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\48073376b0a99b7c8f11427dbc92eec03f0ada9976b27e4a8c4f2b6634c2c9f9.exe
    "C:\Users\Admin\AppData\Local\Temp\48073376b0a99b7c8f11427dbc92eec03f0ada9976b27e4a8c4f2b6634c2c9f9.exe"
    1⤵
    • Drops file in Drivers directory
    • Loads dropped DLL
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2944
    • C:\Windows\SysWOW64\msiexec.exe
      "C:\Windows\System32\msiexec.exe" /i "C:\Windows\AE 0124 BE.msi"
      2⤵
      • Blocklisted process makes network request
      • Enumerates connected drives
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      PID:1032
    • C:\Windows\SysWOW64\drivers\winlogon.exe
      "C:\Windows\System32\drivers\winlogon.exe"
      2⤵
      • Drops file in Drivers directory
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops autorun.inf file
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2748
      • C:\Windows\AE 0124 BE.exe
        "C:\Windows\AE 0124 BE.exe"
        3⤵
        • Drops file in Drivers directory
        • Manipulates Digital Signatures
        • Executes dropped EXE
        • Loads dropped DLL
        • Drops desktop.ini file(s)
        • Drops autorun.inf file
        • Drops file in System32 directory
        • Drops file in Windows directory
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2468
        • C:\Windows\SysWOW64\drivers\winlogon.exe
          "C:\Windows\System32\drivers\winlogon.exe"
          4⤵
          • Drops file in Drivers directory
          • Executes dropped EXE
          • Loads dropped DLL
          • Suspicious use of SetWindowsHookEx
          PID:2540
      • C:\Windows\SysWOW64\drivers\winlogon.exe
        "C:\Windows\System32\drivers\winlogon.exe"
        3⤵
        • Drops file in Drivers directory
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of SetWindowsHookEx
        PID:2816
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Blocklisted process makes network request
    • Enumerates connected drives
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:2044
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2168
  • C:\Windows\system32\DrvInst.exe
    DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "0000000000000594" "00000000000003A8"
    1⤵
    • Modifies data under HKEY_USERS
    • Suspicious use of AdjustPrivilegeToken
    PID:1628

Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

          Filesize

          70KB

          MD5

          49aebf8cbd62d92ac215b2923fb1b9f5

          SHA1

          1723be06719828dda65ad804298d0431f6aff976

          SHA256

          b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

          SHA512

          bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

          Filesize

          342B

          MD5

          800865fa09ef86890f878bdd0495d7ae

          SHA1

          6b3a9c136c54419b035f16d1f15e2cc41d9cd9ea

          SHA256

          da5ef5ad9c56cb2faa14a03eb1c87191ce0b1aaa4b84944d30888bfd780352c7

          SHA512

          82af688faaaab306c3b4e4daef6af39169c57c134af182c99a008d8480b8a43a59cdb750421ff7fceed1611d1d1206d90644de5b150b0b2e609a5db49a4161be

        • C:\Users\Admin\AppData\Local\Temp\CabE07.tmp

          Filesize

          65KB

          MD5

          ac05d27423a85adc1622c714f2cb6184

          SHA1

          b0fe2b1abddb97837ea0195be70ab2ff14d43198

          SHA256

          c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

          SHA512

          6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

        • C:\Users\Admin\AppData\Local\Temp\Tar115C.tmp

          Filesize

          181KB

          MD5

          4ea6026cf93ec6338144661bf1202cd1

          SHA1

          a1dec9044f750ad887935a01430bf49322fbdcb7

          SHA256

          8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

          SHA512

          6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

        • C:\Users\Admin\AppData\Local\Temp\TarE19.tmp

          Filesize

          171KB

          MD5

          9c0c641c06238516f27941aa1166d427

          SHA1

          64cd549fb8cf014fcd9312aa7a5b023847b6c977

          SHA256

          4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

          SHA512

          936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

        • C:\Windows\AE 0124 BE.msi

          Filesize

          423KB

          MD5

          486f9620b2994ba36ef9902cf9753c22

          SHA1

          9bc137af24575692930bc1a5072f5190471a82e8

          SHA256

          9c2bac7144ebb4fff2ae479fcd2a40cbf57ef41e609af4f4b53be7f39b915d23

          SHA512

          dde4bcb0cd560bcf427c86e88f2e4e8eb0cdf1108e6b32d8228de9fef192f02906981c6f0572ecfc69929994b6f4f2d344bb8030ec8fcdd3686f7a1985beee9a

        • C:\Windows\Msvbvm60.dll

          Filesize

          1.3MB

          MD5

          5343a19c618bc515ceb1695586c6c137

          SHA1

          4dedae8cbde066f31c8e6b52c0baa3f8b1117742

          SHA256

          2246b4feae199408ea66d4a90c1589026f4a5800ce5a28e583b94506a8a73dce

          SHA512

          708d8a252a167fa94e3e1a49e2630d07613ff75a9a3e779a0c1fcbec44aa853a68c401f31a2b84152f46a05f7d93f4e5e502afc7a60236a22ac58dea73fa5606

        • \??\c:\B1uv3nth3x1.diz

          Filesize

          21B

          MD5

          9cceaa243c5d161e1ce41c7dad1903dd

          SHA1

          e3da72675df53fffa781d4377d1d62116eafb35b

          SHA256

          814649b436ea43dd2abb99693e06019d4079ee74d02a0395913add0ba92d0189

          SHA512

          af9b75dc9a0b39d12d48bf6d40eb7d778eb9dd976302792271d8d4245a916027cf4e705d6cd7a5e6582ba94953346f291122f27d377b2c1a86e45f49e92efb5b

        • \Windows\SysWOW64\drivers\winlogon.exe

          Filesize

          94KB

          MD5

          c9bbc3081799a8fecfa8360c8d0ba1a9

          SHA1

          956f852d525de269c36d356a73b43a42f839aba7

          SHA256

          1f13f61b6ab1621c02ba45ff6c5a0feb655a90226b05b0e2b5511d3a175a432f

          SHA512

          e62ba334df0c9921b7e9e8c79d1791a4e9c8f8181013bf46514b4b507d3092015d5626a4e1a9d1c62454deabcca6aad2a54cb311fe48c89bf73c93f29489a522

        • memory/2468-626-0x0000000004540000-0x000000000454B000-memory.dmp

          Filesize

          44KB

        • memory/2468-646-0x0000000000400000-0x000000000040B000-memory.dmp

          Filesize

          44KB

        • memory/2468-625-0x0000000004540000-0x000000000454B000-memory.dmp

          Filesize

          44KB

        • memory/2468-624-0x0000000000400000-0x000000000040B000-memory.dmp

          Filesize

          44KB

        • memory/2468-79-0x00000000030B0000-0x0000000003B6A000-memory.dmp

          Filesize

          10.7MB

        • memory/2468-645-0x0000000072940000-0x0000000072A93000-memory.dmp

          Filesize

          1.3MB

        • memory/2468-318-0x0000000072940000-0x0000000072A93000-memory.dmp

          Filesize

          1.3MB

        • memory/2468-111-0x0000000004540000-0x000000000454B000-memory.dmp

          Filesize

          44KB

        • memory/2748-112-0x0000000004420000-0x000000000442B000-memory.dmp

          Filesize

          44KB

        • memory/2748-623-0x00000000003E0000-0x00000000003EB000-memory.dmp

          Filesize

          44KB

        • memory/2748-627-0x0000000004420000-0x000000000442B000-memory.dmp

          Filesize

          44KB

        • memory/2748-74-0x00000000003E0000-0x00000000003EB000-memory.dmp

          Filesize

          44KB

        • memory/2748-78-0x00000000034B0000-0x0000000003F6A000-memory.dmp

          Filesize

          10.7MB

        • memory/2748-612-0x0000000000400000-0x000000000040B000-memory.dmp

          Filesize

          44KB

        • memory/2748-73-0x00000000003E0000-0x00000000003EB000-memory.dmp

          Filesize

          44KB

        • memory/2748-622-0x00000000003E0000-0x00000000003EB000-memory.dmp

          Filesize

          44KB

        • memory/2816-183-0x0000000000400000-0x000000000040B000-memory.dmp

          Filesize

          44KB

        • memory/2944-184-0x0000000000400000-0x000000000040B000-memory.dmp

          Filesize

          44KB

        • memory/2944-0-0x0000000000400000-0x000000000040B000-memory.dmp

          Filesize

          44KB

        • memory/2944-52-0x0000000003400000-0x000000000340B000-memory.dmp

          Filesize

          44KB

        • memory/2944-45-0x0000000003400000-0x000000000340B000-memory.dmp

          Filesize

          44KB

        • memory/2944-13-0x0000000003C40000-0x00000000046FA000-memory.dmp

          Filesize

          10.7MB