Overview

overview

8

Static

static

7

9df086ba18...0N.exe

windows7-x64

8

9df086ba18...0N.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    119s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
  • submitted
    16-07-2024 09:32

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    9df086ba1898d2c0c811a5fc2267f2e0N.exe

  • Size

    685KB

  • MD5

    9df086ba1898d2c0c811a5fc2267f2e0

  • SHA1

    b8a99b34be6604c2e78ef88e2aee175d802a70d3

  • SHA256

    9fd13df8486c02e33997bfa3c8821eb52f77a76d436e63d8e9e5372da641a465

  • SHA512

    3367151eb7ae66f41f1a70946cdcf92d146292badf840b7d7c2981d6f1ba6865920f320dfea46adf7418ff84c0c9e2b2a2bad500a137e046e0ec138f01edacb8

  • SSDEEP

    12288:7tKe6Zv23YLVFhBsC8iFHs+hsuQXIQVRpVnl3Bg5oiNIr2NOpzuwiKm:v6Zv2ivhBVnFvh5Q44+iisxpzE

Score
8/10
persistenceupx

Malware Config

Signatures

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 4 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    persistence
  • Executes dropped EXE 1 IoCs
  • Modifies system executable filetype association 2 TTPs 2 IoCs
    persistence
  • UPX packed file 6 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Drops file in System32 directory 6 IoCs
  • Drops file in Windows directory 2 IoCs
  • Modifies registry class 12 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\9df086ba1898d2c0c811a5fc2267f2e0N.exe
    "C:\Users\Admin\AppData\Local\Temp\9df086ba1898d2c0c811a5fc2267f2e0N.exe"
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Modifies system executable filetype association
    • Adds Run key to start application
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2204
    • C:\Windows\svchost.exe
      C:\Windows\svchost.exe
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Executes dropped EXE
      • Modifies system executable filetype association
      • Adds Run key to start application
      • Modifies registry class
      PID:2176

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\SysWOW64\concp32.exe
    Filesize

    686KB

    MD5

    120b1a2b5b82f103204b4c7fae60ca9b

    SHA1

    f23d00b54db74f2850f8532e0210d66968c22e26

    SHA256

    39093a7c24b5eea7d0833b98fed72895be94a54a69ffebff7a0ddbee13ecfb08

    SHA512

    9f9985a8e0b367d4e2528a156b66c28b86d4924d9a5e87dbc9444a428b262293193c5458ac59521f0162976a35c4728e81efa1f0f44eaedc8e2c1866ea368bbc

    Download Submit

  • C:\Windows\svchost.exe
    Filesize

    688KB

    MD5

    558077bd583739407808ca3ca22d10de

    SHA1

    da674152318367efe3f9e671a3cead6f32f0f915

    SHA256

    9f28f2b61ed9fe6fd4af3338bfa42fe8bb6cd356fa701b21aa435842a47eec6d

    SHA512

    871a6490b33639e270b76b458721f042b1a1f19b9371ab5e4fa57d2729637d80dac7b529dd01aead6fe696650bb95866e5ce229886b3807ecaaa6a12cfd558b7

    Download Submit

  • memory/2176-15-0x0000000000400000-0x0000000000439000-memory.dmp

    Filesize

    228KB

    Download

  • memory/2176-16-0x0000000000400000-0x0000000000439000-memory.dmp

    Filesize

    228KB

    Download

  • memory/2204-0-0x0000000000400000-0x0000000000439000-memory.dmp

    Filesize

    228KB

    Download

  • memory/2204-14-0x0000000000400000-0x0000000000439000-memory.dmp

    Filesize

    228KB

    Download