Overview

overview

7

Static

static

3

0ea6d3a668...7c.exe

windows7-x64

7

0ea6d3a668...7c.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    148s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
  • submitted
    10/07/2024, 18:56

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    0ea6d3a668fff9555b871918109bce14430a85aec0b81a9cb0de728af864287c.exe

  • Size

    84KB

  • MD5

    e16cf58ebf22132f7f2870fa2e17b94d

  • SHA1

    270b60ea1c9d6f37e608f211b8bf11aa7ee9653a

  • SHA256

    0ea6d3a668fff9555b871918109bce14430a85aec0b81a9cb0de728af864287c

  • SHA512

    2baa51d5b2aa35207b89a893361e18c41d514905fe05dc3ebe86d12d1747ce3f9ad23d73810be1a99c5e6e3bb893f09c5cf99e98f78de2e05b8f42a914847dcd

  • SSDEEP

    1536:1clIGFNMi+hJUneHoGTvvv4V9hqdhbtgS:+RMi+fUnCTvvv4V9hEhbCS

Score
7/10
persistenceupx

Malware Config

Signatures

  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 5 IoCs
  • UPX packed file 7 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of SetThreadContext 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies system certificate store 2 TTPs 7 IoCs
    evasionspywaretrojan
  • Suspicious use of AdjustPrivilegeToken 61 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 44 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0ea6d3a668fff9555b871918109bce14430a85aec0b81a9cb0de728af864287c.exe
    "C:\Users\Admin\AppData\Local\Temp\0ea6d3a668fff9555b871918109bce14430a85aec0b81a9cb0de728af864287c.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2980
    • C:\Users\Admin\AppData\Local\Temp\0ea6d3a668fff9555b871918109bce14430a85aec0b81a9cb0de728af864287c.exe
      "C:\Users\Admin\AppData\Local\Temp\0ea6d3a668fff9555b871918109bce14430a85aec0b81a9cb0de728af864287c.exe"
      2⤵
      • Loads dropped DLL
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:828
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\WWJLG.bat" "
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:568
        • C:\Windows\SysWOW64\reg.exe
          REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Audio Driver" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\lsass.exe" /f
          4⤵
          • Adds Run key to start application
          PID:1692
      • C:\Users\Admin\AppData\Roaming\system\lsass.exe
        "C:\Users\Admin\AppData\Roaming\system\lsass.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:236
        • C:\Users\Admin\AppData\Roaming\system\lsass.exe
          "C:\Users\Admin\AppData\Roaming\system\lsass.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          PID:2316
        • C:\Users\Admin\AppData\Roaming\system\lsass.exe
          "C:\Users\Admin\AppData\Roaming\system\lsass.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • Suspicious use of WriteProcessMemory
          PID:2644
          • C:\Users\Admin\AppData\Roaming\system\lsass.exe
            "C:\Users\Admin\AppData\Roaming\system\lsass.exe"
            5⤵
            • Executes dropped EXE
            • Modifies system certificate store
            PID:2984

Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
          Filesize

          342B

          MD5

          dabf45c8b78905e365601097448040a6

          SHA1

          6d65e134b6d9009d999915d409d6d8b09d0a3c40

          SHA256

          47252f869edc69bf85cccbc6cfa8cd0de62ae477e6988c1cd6fbf6f55a8e61ce

          SHA512

          f03b7405627bde767db26f6e5cc33ea8c6ea54fd00dd49ce90a316cda2db97928e7b9a95e873c846a20c46ee7fca6452aa5b1d1588d2772790d649e06a93ba9a

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\CabA298.tmp
          Filesize

          70KB

          MD5

          49aebf8cbd62d92ac215b2923fb1b9f5

          SHA1

          1723be06719828dda65ad804298d0431f6aff976

          SHA256

          b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

          SHA512

          bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\TarA2BA.tmp
          Filesize

          181KB

          MD5

          4ea6026cf93ec6338144661bf1202cd1

          SHA1

          a1dec9044f750ad887935a01430bf49322fbdcb7

          SHA256

          8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

          SHA512

          6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\WWJLG.bat
          Filesize

          146B

          MD5

          c8cba0a9d4d5600b5f53c4c0681d1115

          SHA1

          0e5348e210ca70b2b0ffdc3ff7e6f611716df80c

          SHA256

          ca2b63f6d7bf17480415ae93e115bf9f9699335e84e62719eefdbcc5a78bd2e1

          SHA512

          a2ad6eb5ae2f6d57ca15363ac2f0c57ca3580474e94b9c010750948814cf4d5ffa0c3e7ef44634a3593da23f56011703ff220a3d7780f6f01785bf3b6676ced0

          Download Submit

        • \Users\Admin\AppData\Roaming\system\lsass.exe
          Filesize

          84KB

          MD5

          f663e51b658769fb6489ca9d455b9ed7

          SHA1

          b52ca2a568a00d9540478ccadab07fa3d7f67110

          SHA256

          5245ee5afee537e849c3903da87c2221faca8d6f3c04c649a71f29d917a8bfcb

          SHA512

          c7b1509be4371038f431acc39cd3c9b6c0391cec8f7187f3fb44e49bfddf70a2953dfe635aa49f2dd63f51c75c46fd97156b3771d94e80c1a3794ef9a141f158

          Download Submit

        • memory/828-387-0x0000000000400000-0x000000000040B000-memory.dmp

          Filesize

          44KB

          Download

        • memory/828-274-0x0000000000400000-0x000000000040B000-memory.dmp

          Filesize

          44KB

          Download

        • memory/828-173-0x0000000000400000-0x000000000040B000-memory.dmp

          Filesize

          44KB

          Download

        • memory/828-181-0x0000000000400000-0x000000000040B000-memory.dmp

          Filesize

          44KB

          Download

        • memory/828-171-0x0000000000400000-0x000000000040B000-memory.dmp

          Filesize

          44KB

          Download

        • memory/828-169-0x0000000000400000-0x000000000040B000-memory.dmp

          Filesize

          44KB

          Download

        • memory/2316-383-0x0000000000400000-0x000000000040B000-memory.dmp

          Filesize

          44KB

          Download

        • memory/2316-541-0x0000000000400000-0x000000000040B000-memory.dmp

          Filesize

          44KB

          Download

        • memory/2644-384-0x0000000000400000-0x0000000000403000-memory.dmp

          Filesize

          12KB

          Download

        • memory/2644-399-0x0000000000400000-0x0000000000403000-memory.dmp

          Filesize

          12KB

          Download

        • memory/2980-26-0x0000000000250000-0x0000000000251000-memory.dmp

          Filesize

          4KB

          Download

        • memory/2980-2-0x0000000000230000-0x0000000000231000-memory.dmp

          Filesize

          4KB

          Download

        • memory/2980-38-0x0000000000260000-0x0000000000261000-memory.dmp

          Filesize

          4KB

          Download

        • memory/2980-58-0x0000000000290000-0x0000000000291000-memory.dmp

          Filesize

          4KB

          Download

        • memory/2980-68-0x00000000002A0000-0x00000000002A1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/2980-14-0x0000000000240000-0x0000000000241000-memory.dmp

          Filesize

          4KB

          Download

        • memory/2980-4-0x0000000000230000-0x0000000000231000-memory.dmp

          Filesize

          4KB

          Download