Analysis

  • max time kernel
    150s
  • max time network
    125s
  • platform
    windows7_x64
  • resource
    win7-20231129-en
  • resource tags

    arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
  • submitted
    13-06-2024 22:42

General

  • Target

    27ba9f5f533535f0db3c4c0e2e9189329324b88ad43f073deaf23df7165246cc.exe

  • Size

    95KB

  • MD5

    0d54674853ad3abd2edb0db06e5076d1

  • SHA1

    6f4b8e7a41fa7d7664d9de2aeb80f2fc5390f1da

  • SHA256

    27ba9f5f533535f0db3c4c0e2e9189329324b88ad43f073deaf23df7165246cc

  • SHA512

    4f13600e6de9f8b1ca9d7aea78cdc3d576a379d690d61460f89b21ee9fc06e368ac4b6d5c49d3dcc3b22645d06bbc25e581f95e838fc2fcb570cd63f24bd596f

  • SSDEEP

    1536:qfgLdQAQfcfymNvCaL72e/TUoyMVr/B1WbBnXTnF0ajVncmD5Altx:qftffjmNvVL7X9yMVLunF0w5a7

Score
7/10
upx

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 4 IoCs
  • UPX packed file 4 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 46 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1204
      • C:\Users\Admin\AppData\Local\Temp\27ba9f5f533535f0db3c4c0e2e9189329324b88ad43f073deaf23df7165246cc.exe
        "C:\Users\Admin\AppData\Local\Temp\27ba9f5f533535f0db3c4c0e2e9189329324b88ad43f073deaf23df7165246cc.exe"
        2⤵
        • Drops file in Windows directory
        • Suspicious use of WriteProcessMemory
        PID:2656
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c C:\Users\Admin\AppData\Local\Temp\$$aF9A.bat
          3⤵
          • Deletes itself
          • Loads dropped DLL
          • Suspicious use of WriteProcessMemory
          PID:2076
          • C:\Users\Admin\AppData\Local\Temp\27ba9f5f533535f0db3c4c0e2e9189329324b88ad43f073deaf23df7165246cc.exe
            "C:\Users\Admin\AppData\Local\Temp\27ba9f5f533535f0db3c4c0e2e9189329324b88ad43f073deaf23df7165246cc.exe"
            4⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • Suspicious use of WriteProcessMemory
            PID:2868
            • C:\Windows\SysWOW64\cmd.exe
              cmd /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\xx.bat" "
              5⤵
              • Suspicious use of WriteProcessMemory
              PID:2544
              • C:\Windows\SysWOW64\reg.exe
                reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WPAEvents" /f
                6⤵
                  PID:2960
                • C:\Windows\SysWOW64\reg.exe
                  reg restore "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WPAEvents" xx.hiv
                  6⤵
                  • Suspicious use of AdjustPrivilegeToken
                  PID:3048
          • C:\Windows\Logo1_.exe
            C:\Windows\Logo1_.exe
            3⤵
            • Executes dropped EXE
            • Enumerates connected drives
            • Drops file in Program Files directory
            • Drops file in Windows directory
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of WriteProcessMemory
            PID:1504
            • C:\Windows\SysWOW64\net.exe
              net stop "Kingsoft AntiVirus Service"
              4⤵
              • Suspicious use of WriteProcessMemory
              PID:2596
              • C:\Windows\SysWOW64\net1.exe
                C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
                5⤵
                  PID:3052

        Network

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe
          Filesize

          251KB

          MD5

          89e2bd6c320fa3ea7a9cb93138db5adc

          SHA1

          096cc798cdb1f0ac1c04efdc4e80c9e566dac4df

          SHA256

          7c4df69da64db61128ce40a9fb94f693457b6fc1291425df53a9c87365946ce7

          SHA512

          0876eed147f4583e97ea49218039e0f5d26846821cffb72006531771fa3e6af0dd3336b99c07460b6986531d1749fc3f9a2e492e0efdadc0d534dbd632fe331e

        • C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe
          Filesize

          471KB

          MD5

          4cfdb20b04aa239d6f9e83084d5d0a77

          SHA1

          f22863e04cc1fd4435f785993ede165bd8245ac6

          SHA256

          30ed17ca6ae530e8bf002bcef6048f94dba4b3b10252308147031f5c86ace1b9

          SHA512

          35b4c2f68a7caa45f2bb14b168947e06831f358e191478a6659b49f30ca6f538dc910fe6067448d5d8af4cb8558825d70f94d4bd67709aee414b2be37d49be86

        • C:\Users\Admin\AppData\Local\Temp\$$aF9A.bat
          Filesize

          721B

          MD5

          c02ef0a38774f4fd5f7379851372f268

          SHA1

          ca6f8c0034ab46983d9b521ccbb3b0cb4d6ac5c1

          SHA256

          a9091fdcf54c133bf0ef51af047afbca0e03f2e93cb90d2f18f0188a6a675458

          SHA512

          37947442b0f17ec667443cf04eb477d0bd43ccd80d682b9cca1799f842c5010a42fa42ee78d0ce6af3407e98d704eeb19316543d6f86c1ea28a09907184759aa

        • C:\Users\Admin\AppData\Local\Temp\27ba9f5f533535f0db3c4c0e2e9189329324b88ad43f073deaf23df7165246cc.exe.exe
          Filesize

          68KB

          MD5

          f0d267d6025187615d0cd6e254531747

          SHA1

          8d668f9e872390cae5eb175e8e6058411e433a58

          SHA256

          a8973dff9599c80d51353bd1fbeb90d4c6778dcf6a50321d6d3a6b35a20b65b8

          SHA512

          864d8c2ce26774d6788e9302cb9048ba61c85a12cbfe493e495d61b3f1a94be82af1c25561e155e3be36c501fe0f2bde44f499d0c718d05e7fc5bf81eb2f901d

        • C:\Users\Admin\AppData\Local\Temp\RarSFX0\xx.bat
          Filesize

          240B

          MD5

          eb4282dd6f7b3ec214906b1ddc202f8b

          SHA1

          3742a6d44a04538b4851b69f0a220c607a024c1d

          SHA256

          ae3da96838527c3113b60944a65289e96911447015f22415f29770934c041270

          SHA512

          560219077fa09a5a6e9c602f9ac9070fc5afb899d9aebed7ac7e4adfaa64259131bd495c62a952bfe488a99d604992fbf0233783b01f7371d15af0ed18d91c01

        • C:\Users\Admin\AppData\Local\Temp\RarSFX0\xx.hiv
          Filesize

          8KB

          MD5

          84521630b87933732d1ecdbfcf1d0dc2

          SHA1

          09b455127e9dc913293d020301acd1996bb6081f

          SHA256

          386407ce1ee90ed9fbe642f44d5521818642b0ff2ecfae913b9f7229fc44e0c4

          SHA512

          e6b5ef8930cd28d8cf1adeac866ba0a4e37b3e6364377b71fcb394bbc6e3f086436913d175cf517c805705aa2f80607ee21f3a6ab7859376ef26da85e3178d1b

        • C:\Windows\Logo1_.exe
          Filesize

          26KB

          MD5

          32f77fdf4b3fc5c15a5f715d944ff394

          SHA1

          bc1d64e77162b209ed6993ebadfac5cafbd66a8c

          SHA256

          a383ab4b52d9be1be5bc1247306ec5161b36095640fd9d315842726eee61788c

          SHA512

          0c10c8a8b9e77abd1763003876667b59dec19362071659053bdf37cf1faa3efcc226bd51ac803e806938271d63193d0db70f818dc5ceddfd1252e0300650a419

        • F:\$RECYCLE.BIN\S-1-5-21-3627615824-4061627003-3019543961-1000\_desktop.ini
          Filesize

          9B

          MD5

          4f2460b507685f7d7bfe6393f335f1c9

          SHA1

          378d42f114b1515872e58de6662373af31ab8c7b

          SHA256

          47a22297ce31d17b0f37251ce63cf2eb146700451caab6dd0aa710d2526c8e42

          SHA512

          75dcca6b81ac47511b847a5c35be4bddbee425436f7bfd1347115e18b84f52a16a5c517bda0a5f5d0a1f2541aab80d764932d8018538cb112fa3b6c9977e95eb

        • memory/1204-38-0x0000000002D70000-0x0000000002D71000-memory.dmp
          Filesize

          4KB

        • memory/1504-3333-0x0000000000400000-0x0000000000434000-memory.dmp
          Filesize

          208KB

        • memory/1504-62-0x0000000000400000-0x0000000000434000-memory.dmp
          Filesize

          208KB

        • memory/1504-754-0x0000000000400000-0x0000000000434000-memory.dmp
          Filesize

          208KB

        • memory/1504-120-0x0000000000400000-0x0000000000434000-memory.dmp
          Filesize

          208KB

        • memory/1504-20-0x0000000000400000-0x0000000000434000-memory.dmp
          Filesize

          208KB

        • memory/1504-114-0x0000000000400000-0x0000000000434000-memory.dmp
          Filesize

          208KB

        • memory/1504-53-0x0000000000400000-0x0000000000434000-memory.dmp
          Filesize

          208KB

        • memory/1504-68-0x0000000000400000-0x0000000000434000-memory.dmp
          Filesize

          208KB

        • memory/1504-2094-0x0000000000400000-0x0000000000434000-memory.dmp
          Filesize

          208KB

        • memory/1504-1873-0x0000000000400000-0x0000000000434000-memory.dmp
          Filesize

          208KB

        • memory/2076-29-0x0000000000410000-0x000000000043C000-memory.dmp
          Filesize

          176KB

        • memory/2656-18-0x0000000000260000-0x0000000000294000-memory.dmp
          Filesize

          208KB

        • memory/2656-0-0x0000000000400000-0x0000000000434000-memory.dmp
          Filesize

          208KB

        • memory/2656-16-0x0000000000260000-0x0000000000294000-memory.dmp
          Filesize

          208KB

        • memory/2656-17-0x0000000000400000-0x0000000000434000-memory.dmp
          Filesize

          208KB

        • memory/2868-36-0x0000000000240000-0x000000000026C000-memory.dmp
          Filesize

          176KB

        • memory/2868-55-0x0000000000400000-0x000000000042C000-memory.dmp
          Filesize

          176KB

        • memory/2868-54-0x0000000000400000-0x000000000042C000-memory.dmp
          Filesize

          176KB

        • memory/2868-35-0x0000000000240000-0x000000000026C000-memory.dmp
          Filesize

          176KB

        • memory/2868-31-0x0000000000400000-0x000000000042C000-memory.dmp
          Filesize

          176KB