Overview

overview

10

Static

static

7

265206b5c8...c3.exe

windows7-x64

10

265206b5c8...c3.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    126s
  • max time network
    126s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags

    arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
  • submitted
    06-07-2024 01:40

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    265206b5c880a8624fbf3c4c6e2338c3.exe

  • Size

    132KB

  • MD5

    265206b5c880a8624fbf3c4c6e2338c3

  • SHA1

    1aa7b549ee7bd215cd1efe10da57a7aabee8fc40

  • SHA256

    a0c66743d784ba640b1410e9535072074c4a9a6e835499da1d4a59e900dd4503

  • SHA512

    3a2c925c3a1f452a05a9c84c4c49f13298f4351d752d2062e1bbd4f8609024ec7ae181d38a4f13fe1f4138903042f56dd3babf1e53734062bea88809984c7b0e

  • SSDEEP

    1536:ZvcZCTbbxtbJypX2I3YU9oLmb1DYfQSxV2cPY7ROEYa9YreGQJdFuQ20:B9b7bJyp79GLvfQUV29ROER6GF20

Score
10/10
evasionexecutionpersistenceupx

Malware Config

Signatures

  • Disables service(s) 3 TTPs
    evasionexecution
  • Adds policy Run key to start application 2 TTPs 2 IoCs
    persistence
  • Drops file in Drivers directory 1 IoCs
  • Deletes itself 1 IoCs
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 4 IoCs
  • UPX packed file 9 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Drops file in System32 directory 2 IoCs
  • Launches sc.exe 8 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Modifies Internet Explorer settings 1 TTPs 4 IoCs
    adwarespyware
  • Runs net.exe
  • Suspicious use of SetWindowsHookEx 12 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\265206b5c880a8624fbf3c4c6e2338c3.exe
    "C:\Users\Admin\AppData\Local\Temp\265206b5c880a8624fbf3c4c6e2338c3.exe"
    1⤵
    • Adds policy Run key to start application
    • Loads dropped DLL
    • Modifies Internet Explorer settings
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2224
    • C:\Windows\SysWOW64\net.exe
      net.exe stop "Security Center"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2196
      • C:\Windows\SysWOW64\net1.exe
        C:\Windows\system32\net1 stop "Security Center"
        3⤵
          PID:2760
      • C:\Windows\SysWOW64\sc.exe
        sc config wscsvc start= DISABLED
        2⤵
        • Launches sc.exe
        PID:584
      • C:\Windows\SysWOW64\net.exe
        net.exe stop "Windows Firewall/Internet Connection Sharing (ICS)"
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:2668
        • C:\Windows\SysWOW64\net1.exe
          C:\Windows\system32\net1 stop "Windows Firewall/Internet Connection Sharing (ICS)"
          3⤵
            PID:2120
        • C:\Windows\SysWOW64\sc.exe
          sc config SharedAccess start= DISABLED
          2⤵
          • Launches sc.exe
          PID:2384
        • C:\Users\Admin\AppData\Local\Temp\1tky.exe
          C:\Users\Admin\AppData\Local\Temp\1tky.exe
          2⤵
          • Drops file in Drivers directory
          • Executes dropped EXE
          • Loads dropped DLL
          • Drops file in System32 directory
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:2836
          • C:\Windows\SysWOW64\net.exe
            net.exe stop "Security Center"
            3⤵
            • Suspicious use of WriteProcessMemory
            PID:644
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop "Security Center"
              4⤵
                PID:1940
            • C:\Windows\SysWOW64\sc.exe
              sc config wscsvc start= DISABLED
              3⤵
              • Launches sc.exe
              PID:1964
            • C:\Windows\SysWOW64\net.exe
              net.exe stop "Windows Firewall/Internet Connection Sharing (ICS)"
              3⤵
              • Suspicious use of WriteProcessMemory
              PID:2288
              • C:\Windows\SysWOW64\net1.exe
                C:\Windows\system32\net1 stop "Windows Firewall/Internet Connection Sharing (ICS)"
                4⤵
                  PID:2744
              • C:\Windows\SysWOW64\sc.exe
                sc config SharedAccess start= DISABLED
                3⤵
                • Launches sc.exe
                PID:324
              • C:\Users\Admin\AppData\Local\Temp\1tky.exe
                C:\Users\Admin\AppData\Local\Temp\1tky.exe -dF1E2DB31DF187EA1CD3CCEE9B0F44DBEDB0475128AAB9307D0A080F6ED0A1D415528C1D6F18CF6965E2334AA383F8891B7B33DCF21570326DFEA304A3E4803A51A9916A0091A6CCBC2FFAF2ED2299978DEF4B3F9FC6CB740F5445D2A69826B1024702A0A3311BB256FD0DE8B9D582B4F559BC9E149032663A7884875AB2BA0179A828E38BD90FA381A2CA5C4F427265B61BBAFAE737D0B37C94272147F932BF1DEB7146E346A83A9B8E2227B76D4B21087FCD77A290A5E9970729C0EA5E7D43798ECCBCF642DEE137EFFB82DFE6F3A7F8D31F2B5581658C9F115C6BD18A9A44FAB1605FF5C9B15A4E0130795AB6C65367744F0E82B5373C4E25C32AA15EDE5BC3CDC53E867E411A2957EF1C1D8961EDB8A230334113566FB182061341AB31F26B1EB877113513B7A90DA96F9243E8C674A919B22B6C62C0EA7961460E4891CACAFF8B0C52C802BA8081857046B8C1AED7F456A1808C8FDCBE4284C396F78E4541B932169C184BB10708DD645C91C6FEB2BD661323341521F64394A27F866C12C19366AAD1D7F04F87E0FF28E9D6175CA94B4B0B3A396E59DFD378E27FD253B220F9F5CE4
                3⤵
                • Executes dropped EXE
                • Modifies Internet Explorer settings
                • Suspicious use of SetWindowsHookEx
                • Suspicious use of WriteProcessMemory
                PID:916
                • C:\Windows\SysWOW64\net.exe
                  net.exe stop "Security Center"
                  4⤵
                    PID:2544
                    • C:\Windows\SysWOW64\net1.exe
                      C:\Windows\system32\net1 stop "Security Center"
                      5⤵
                        PID:776
                    • C:\Windows\SysWOW64\sc.exe
                      sc config wscsvc start= DISABLED
                      4⤵
                      • Launches sc.exe
                      PID:2852
                    • C:\Windows\SysWOW64\net.exe
                      net.exe stop "Windows Firewall/Internet Connection Sharing (ICS)"
                      4⤵
                        PID:2660
                        • C:\Windows\SysWOW64\net1.exe
                          C:\Windows\system32\net1 stop "Windows Firewall/Internet Connection Sharing (ICS)"
                          5⤵
                            PID:3032
                        • C:\Windows\SysWOW64\sc.exe
                          sc config SharedAccess start= DISABLED
                          4⤵
                          • Launches sc.exe
                          PID:1076
                      • C:\Users\Admin\AppData\Local\Temp\1tky.exe
                        C:\Users\Admin\AppData\Local\Temp\1tky.exe -d5B483CD65A9DB16EC8399BBC8DC9689BF52A62058EAFA531BCCCD5A31EF9772B017C16016C11A1C18BF6A33D888F4059121620D21A6CAE8B99AC572D5422A701FD7E7DCB2536AA0DCFF2B637B04BA2435F75DC96FC6DC6CE19AD7C16ED05BE3615422231736807A6E92FD78301D598F1C27DE7C2410FC6F2B397E8A6057765D24C46F74181B0308F6F5D451CB86B6AEE5F85D2D435CFC6821A8A790CFB10856CE9812DA4BECFDEC2355882CF54E4A2089CF56FC5667420E6444452D66B5B46A36F1E3432D7820AE2503B4FC78FF4084E1DB7CD85A1EA6D1166BED343328513CAA566BEB2B775ED4316E9AC3968BDA6F7C9883F25F287853DF55F9D0A6D8194CA8F7FBC158D1401A01BE2DCF31C56C415C35D5512A889822BA6E492D579C3B299723B5EB8C5FCFEC035095E30272CEC1070BCDF154E33BD896D2FD25AF29F9525D38415600DA1DD5E7868F5A647A0E611764CF082B272CFF9814DBFCAB7A0A81878F093DB5015D77C39C4A03378ADBB3FBA47D88BE09290DD5508F994E47A937E644BC90EBDDF669A0E7FA0DCF80EB5186078281227DC1A69A06F6101D60E3E27DE4EE850
                        3⤵
                        • Executes dropped EXE
                        • Modifies Internet Explorer settings
                        • Suspicious use of SetWindowsHookEx
                        PID:1720
                        • C:\Windows\SysWOW64\net.exe
                          net.exe stop "Security Center"
                          4⤵
                            PID:888
                            • C:\Windows\SysWOW64\net1.exe
                              C:\Windows\system32\net1 stop "Security Center"
                              5⤵
                                PID:1080
                            • C:\Windows\SysWOW64\sc.exe
                              sc config wscsvc start= DISABLED
                              4⤵
                              • Launches sc.exe
                              PID:2036
                            • C:\Windows\SysWOW64\net.exe
                              net.exe stop "Windows Firewall/Internet Connection Sharing (ICS)"
                              4⤵
                                PID:2448
                                • C:\Windows\SysWOW64\net1.exe
                                  C:\Windows\system32\net1 stop "Windows Firewall/Internet Connection Sharing (ICS)"
                                  5⤵
                                    PID:2932
                                • C:\Windows\SysWOW64\sc.exe
                                  sc config SharedAccess start= DISABLED
                                  4⤵
                                  • Launches sc.exe
                                  PID:2300
                            • C:\Windows\SysWOW64\cmd.exe
                              cmd /c C:\Users\Admin\AppData\Local\Temp\iaohbksg.bat
                              2⤵
                              • Deletes itself
                              PID:2696

                          Network

                          MITRE ATT&CK Enterprise v15

                          Replay Monitor

                          Loading Replay Monitor...

                          Downloads

                          • C:\Users\Admin\AppData\Local\Temp\iaohbksg.bat
                            Filesize

                            190B

                            MD5

                            a27b761bd657ae1a50136baff475b0b2

                            SHA1

                            278827bb0eb5592885d8f235b2530867cfd55794

                            SHA256

                            ab9fa0b444224f00965deedc08cb3bbf64b149fe94fd7465182ac792ae62bc53

                            SHA512

                            db6997dcecc17be145535a7625c41352cd5a0b4fc34eec3a1e00083b9ec2375925a3ba0f269c7f0225abb3b54096454f2df356cf30ff76d3a72578c33ea70a40

                            Download Submit

                          • \Users\Admin\AppData\Local\Temp\1tky.exe
                            Filesize

                            132KB

                            MD5

                            265206b5c880a8624fbf3c4c6e2338c3

                            SHA1

                            1aa7b549ee7bd215cd1efe10da57a7aabee8fc40

                            SHA256

                            a0c66743d784ba640b1410e9535072074c4a9a6e835499da1d4a59e900dd4503

                            SHA512

                            3a2c925c3a1f452a05a9c84c4c49f13298f4351d752d2062e1bbd4f8609024ec7ae181d38a4f13fe1f4138903042f56dd3babf1e53734062bea88809984c7b0e

                            Download Submit

                          • memory/916-34-0x0000000000400000-0x0000000000429000-memory.dmp

                            Filesize

                            164KB

                            Download

                          • memory/916-31-0x0000000003970000-0x00000000049D2000-memory.dmp

                            Filesize

                            16.4MB

                            Download

                          • memory/916-33-0x0000000000400000-0x0000000000429000-memory.dmp

                            Filesize

                            164KB

                            Download

                          • memory/1720-45-0x0000000000400000-0x0000000000429000-memory.dmp

                            Filesize

                            164KB

                            Download

                          • memory/1720-44-0x0000000000400000-0x0000000000429000-memory.dmp

                            Filesize

                            164KB

                            Download

                          • memory/2224-3-0x0000000003AB0000-0x0000000004B12000-memory.dmp

                            Filesize

                            16.4MB

                            Download

                          • memory/2224-0-0x0000000000400000-0x0000000000429000-memory.dmp

                            Filesize

                            164KB

                            Download

                          • memory/2224-12-0x00000000027B0000-0x00000000027D9000-memory.dmp

                            Filesize

                            164KB

                            Download

                          • memory/2224-23-0x0000000000400000-0x0000000000429000-memory.dmp

                            Filesize

                            164KB

                            Download

                          • memory/2836-13-0x0000000000400000-0x0000000000429000-memory.dmp

                            Filesize

                            164KB

                            Download

                          • memory/2836-43-0x0000000002680000-0x00000000026A9000-memory.dmp

                            Filesize

                            164KB

                            Download

                          • memory/2836-32-0x0000000000400000-0x0000000000429000-memory.dmp

                            Filesize

                            164KB

                            Download

                          • memory/2836-24-0x0000000003930000-0x0000000004992000-memory.dmp

                            Filesize

                            16.4MB

                            Download