Analysis

  • max time kernel
    148s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240419-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240419-en, locale:en-us, os:windows7-x64, system
  • submitted
    11/06/2024, 01:14

General

  • Target
    019a3cbf6e010648c95022f85d62f860.exe
  • Size
    88KB
  • MD5
    019a3cbf6e010648c95022f85d62f860
  • SHA1
    ad9b5306c6a4414eaf8deba1844f44385f851007
  • SHA256
    197cad7906f9104440c231c2ada1d29ee21bcd355b20ce743a241e55e229df9f
  • SHA512
    2c494e93ef603d0a0dea2e79ae8fe862b0f48d6297f54f992a45df93c2d92807e535bc7c1b1d03d431bd81a8c84ce88ef29428cb67f1e890f26571bba72f7a61
  • SSDEEP
    1536:ahUDofByDJWbMGcEFLPEPKOJUsy1+VMA:aIofBHbKMP0PvMA

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 7 IoCs
  • UPX packed file 7 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Suspicious use of SetThreadContext 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 44 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\019a3cbf6e010648c95022f85d62f860.exe
    "C:\Users\Admin\AppData\Local\Temp\019a3cbf6e010648c95022f85d62f860.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:992
    • C:\Users\Admin\AppData\Local\Temp\019a3cbf6e010648c95022f85d62f860.exe
      "C:\Users\Admin\AppData\Local\Temp\019a3cbf6e010648c95022f85d62f860.exe"
      2⤵
      • Loads dropped DLL
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2780
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\FTSEM.bat" "
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1424
        • C:\Windows\SysWOW64\reg.exe
          REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Video Driver" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\config\explorer.exe" /f
          4⤵
          • Adds Run key to start application
          PID:2380
      • C:\Users\Admin\AppData\Roaming\config\explorer.exe
        "C:\Users\Admin\AppData\Roaming\config\explorer.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of SetThreadContext
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1304
        • C:\Users\Admin\AppData\Roaming\config\explorer.exe
          "C:\Users\Admin\AppData\Roaming\config\explorer.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          PID:1088
        • C:\Users\Admin\AppData\Roaming\config\explorer.exe
          "C:\Users\Admin\AppData\Roaming\config\explorer.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • Suspicious use of WriteProcessMemory
          PID:1524
          • C:\Users\Admin\AppData\Roaming\config\explorer.exe
            "C:\Users\Admin\AppData\Roaming\config\explorer.exe"
            5⤵
            • Executes dropped EXE
            PID:1860

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\FTSEM.bat
    Filesize: 149B
    MD5: fc1798b7c7938454220fda837a76f354
    SHA1: b232912930b2bc24ff18bf7ecd58f872bbe01ea0
    SHA256: 7f0a5917b5aca9c5beb153aad0ef95bf0aeafb83768da5b086c3f029ba42d7c8
    SHA512: d1abdd45a8e5d33893b9d19424174a07feed145d2e6b4be318ab5fde503f850579a4a101a010f30e16ecde2c7123f45357a8341214655321ee0f0097ca911331

  • \Users\Admin\AppData\Roaming\config\explorer.exe
    Filesize: 88KB
    MD5: ddea40eeb762234a5acd123260f719c1
    SHA1: dab0c958bc6a206a323291a7d476a2a3438384f5
    SHA256: 5a0a705a463472d81586e46301c02b5d42d96e1f0e3a11fa8c888e0e4ef66db8
    SHA512: ec3ea86e46d144a64969b9f46fb2f8bb347467d19794dec2ed75da18b1032b647add7921eb41c7d43f63dd206f8c5a590b834831bf6508c1419858c908bd9e5c

  • memory/992-85-0x0000000000470000-0x0000000000471000-memory.dmp (Filesize: 4KB)
  • memory/992-132-0x00000000023B0000-0x00000000023B1000-memory.dmp (Filesize: 4KB)
  • memory/992-87-0x0000000000490000-0x0000000000491000-memory.dmp (Filesize: 4KB)
  • memory/992-86-0x0000000000480000-0x0000000000481000-memory.dmp (Filesize: 4KB)
  • memory/992-2-0x0000000000240000-0x0000000000241000-memory.dmp (Filesize: 4KB)
  • memory/992-83-0x0000000000450000-0x0000000000451000-memory.dmp (Filesize: 4KB)
  • memory/992-82-0x0000000000430000-0x0000000000431000-memory.dmp (Filesize: 4KB)
  • memory/992-84-0x0000000000460000-0x0000000000461000-memory.dmp (Filesize: 4KB)
  • memory/992-89-0x00000000004B0000-0x00000000004B1000-memory.dmp (Filesize: 4KB)
  • memory/992-133-0x0000000002410000-0x0000000002411000-memory.dmp (Filesize: 4KB)
  • memory/992-88-0x00000000004A0000-0x00000000004A1000-memory.dmp (Filesize: 4KB)
  • memory/1088-338-0x0000000000400000-0x000000000040B000-memory.dmp (Filesize: 44KB)
  • memory/1524-314-0x0000000000400000-0x0000000000403000-memory.dmp (Filesize: 12KB)
  • memory/1524-330-0x0000000000400000-0x0000000000403000-memory.dmp (Filesize: 12KB)
  • memory/2780-140-0x000000007EFDE000-0x000000007EFDF000-memory.dmp (Filesize: 4KB)
  • memory/2780-134-0x0000000000400000-0x000000000040B000-memory.dmp (Filesize: 44KB)
  • memory/2780-141-0x0000000000400000-0x000000000040B000-memory.dmp (Filesize: 44KB)
  • memory/2780-142-0x0000000000400000-0x000000000040B000-memory.dmp (Filesize: 44KB)
  • memory/2780-143-0x0000000000400000-0x000000000040B000-memory.dmp (Filesize: 44KB)
  • memory/2780-136-0x0000000000400000-0x000000000040B000-memory.dmp (Filesize: 44KB)
  • memory/2780-138-0x0000000000400000-0x000000000040B000-memory.dmp (Filesize: 44KB)
  • memory/2780-318-0x0000000000400000-0x000000000040B000-memory.dmp (Filesize: 44KB)