Overview

overview

8

Static

static

7

51c8aff678...0N.exe

windows7-x64

8

51c8aff678...0N.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    117s
  • max time network
    117s
  • platform
    windows7_x64
  • resource
    win7-20240705-en
  • resource tags

    arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
  • submitted
    20/07/2024, 05:08

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    51c8aff6789371daa06b69142d732dc0N.exe

  • Size

    232KB

  • MD5

    51c8aff6789371daa06b69142d732dc0

  • SHA1

    b092aff8831f665a490430006f759b8e45f67276

  • SHA256

    9a7f2f4d6ae5aa245a43c8339d7e93102e33ba07789bc4564f6126bd15a2976d

  • SHA512

    f66425e50eecae354029608ebebbb425c82ce410c4deaaae1c5befacd27abfa3fb7579f5b95158cf42d2e0ad5453b5d720c3d7307290f64926f6ab7344a08007

  • SSDEEP

    3072:A1i/NU8bOMYcYYcmy51VRgiFCpCIXUWOLTsEsigcL3P6xxc1Vne1i/NU82OMYcYU:ui/NjO5xbg/CSUFLTwMjs6wi/N+O7

Score
8/10
defense_evasionpersistenceupx

Malware Config

Signatures

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 2 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    persistence
  • UPX packed file 4 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Drops file in System32 directory 2 IoCs
  • Hide Artifacts: Hidden Files and Directories 1 TTPs 7 IoCs
    defense_evasion
  • Drops file in Windows directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies Internet Explorer settings 1 TTPs 35 IoCs
    adwarespyware
  • Modifies Internet Explorer start page 1 TTPs 1 IoCs
    stealer
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 7 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Views/modifies file attributes 1 TTPs 7 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\51c8aff6789371daa06b69142d732dc0N.exe
    "C:\Users\Admin\AppData\Local\Temp\51c8aff6789371daa06b69142d732dc0N.exe"
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies Internet Explorer settings
    • Modifies Internet Explorer start page
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2708
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" http://www.ymtuku.com/xg/?tan
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2732
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2732 CREDAT:275457 /prefetch:2
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:2656
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c attrib +h "C:\Documents and Settings\All Users\桌面\Internet Explorer.lnk"
      2⤵
      • Hide Artifacts: Hidden Files and Directories
      • Suspicious use of WriteProcessMemory
      PID:2816
      • C:\Windows\SysWOW64\attrib.exe
        attrib +h "C:\Documents and Settings\All Users\桌面\Internet Explorer.lnk"
        3⤵
        • Views/modifies file attributes
        PID:2700
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c attrib +h "C:\Documents and Settings\Admin\桌面\Internet Explorer.lnk"
      2⤵
      • Hide Artifacts: Hidden Files and Directories
      • Suspicious use of WriteProcessMemory
      PID:2524
      • C:\Windows\SysWOW64\attrib.exe
        attrib +h "C:\Documents and Settings\Admin\桌面\Internet Explorer.lnk"
        3⤵
        • Views/modifies file attributes
        PID:2600
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c attrib +h "C:\Documents and Settings\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\启动 Internet Explorer 浏览器.lnk"
      2⤵
      • Hide Artifacts: Hidden Files and Directories
      • Suspicious use of WriteProcessMemory
      PID:2648
      • C:\Windows\SysWOW64\attrib.exe
        attrib +h "C:\Documents and Settings\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\启动 Internet Explorer 浏览器.lnk"
        3⤵
        • Views/modifies file attributes
        PID:2808
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c attrib +h "C:\Documents and Settings\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\Internet Explorer.lnk"
      2⤵
      • Hide Artifacts: Hidden Files and Directories
      • Suspicious use of WriteProcessMemory
      PID:2448
      • C:\Windows\SysWOW64\attrib.exe
        attrib +h "C:\Documents and Settings\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\Internet Explorer.lnk"
        3⤵
        • Views/modifies file attributes
        PID:2496
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c attrib +h "C:\Documents and Settings\Admin\「开始」菜单\程序\Internet Explorer.lnk"
      2⤵
      • Hide Artifacts: Hidden Files and Directories
      • Suspicious use of WriteProcessMemory
      PID:2420
      • C:\Windows\SysWOW64\attrib.exe
        attrib +h "C:\Documents and Settings\Admin\「开始」菜单\程序\Internet Explorer.lnk"
        3⤵
        • Views/modifies file attributes
        PID:2624
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c attrib +h "C:\WINDOWS\windows.exe"
      2⤵
      • Hide Artifacts: Hidden Files and Directories
      • Suspicious use of WriteProcessMemory
      PID:1368
      • C:\Windows\SysWOW64\attrib.exe
        attrib +h "C:\WINDOWS\windows.exe"
        3⤵
        • Drops file in Windows directory
        • Views/modifies file attributes
        PID:1160
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c attrib +h "c:\system.exe"
      2⤵
      • Hide Artifacts: Hidden Files and Directories
      • Suspicious use of WriteProcessMemory
      PID:1092
      • C:\Windows\SysWOW64\attrib.exe
        attrib +h "c:\system.exe"
        3⤵
        • Views/modifies file attributes
        PID:1960

Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
          Filesize

          342B

          MD5

          19b93f18f1bd721324473190b5028e3a

          SHA1

          2fe28d2702479c90b753bf1197452e6d7e9f8a87

          SHA256

          9e974c68c86fc807160e4eac40630ffca87cf41875aa5fd4db6b70df2cc42240

          SHA512

          34db1300a7574a18cc2d9937269de3375b393bf17ea49cd38396dbeaf0f58dd183a2bc1af520c0db42fbf730750e3f53d71707c6b61c214e642ec69585cd0e8e

          Download Submit

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
          Filesize

          342B

          MD5

          65db78806205a58deebcd02f53b5ccce

          SHA1

          c5590198bc6d211a22bd4ef4e2938db792596ce6

          SHA256

          ce19c3497dae2f03989e0df0b066db7f9c059de835455f496511eb362d1ff412

          SHA512

          5426f4f53c2e797f152fd8aa169aa6c7149e715c732877c50f0847e0aa186bd10646e81560f5b402f87e3ba43082341cfcef4a62a023a6698dd6bb2738b58bb0

          Download Submit

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
          Filesize

          342B

          MD5

          014dccb423281b39322fefe5d0036ca7

          SHA1

          03bfac9b0ba5400b461630fb37c828aa3cec011c

          SHA256

          f6ac4e7a6eb8247c813b089c8beb8f16e8a30f7f3dc1acf7a36520edcf495632

          SHA512

          f9d76a4dc01e46c4dbc219e6063699cabce41a9b2ffd8fe38b7988b0e7300dd615e2af727d894847b1d562fe57ab57de6951d1ed953d737b0e2fcda1da4666a2

          Download Submit

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
          Filesize

          342B

          MD5

          033be34c79e68183f40371f209283769

          SHA1

          41e89d2bbaee5055c58d5f072db158e6e46598d1

          SHA256

          f22600b3a71821886baea88d210d38a3d69f0cf07274bea4178952283532aabc

          SHA512

          a0c9db56c30460401e025c64e960ba8aa89695efe1545d4d4b2bd633a38ef78fce0fdf8a304f7fc96f1980808bb71689c4515ffcc0131c481c8e8e63c8a65b3b

          Download Submit

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
          Filesize

          342B

          MD5

          3348afa745e29e907c98168cb71b3824

          SHA1

          e18d2332964fdb34eaa5ed002930f404cfc094e2

          SHA256

          04d3a814efd2a590873eab1dde9d75dda064f4b5d9aee144f2bb2f301589ac8b

          SHA512

          7739adc823b5b987fc85d2754511d87682783bcb7a242fef57c3367f2ae64ce0b600c2a97feb0714ce6b01b4e7ab563d777174c5232c4e2e9b368e03c69290be

          Download Submit

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
          Filesize

          342B

          MD5

          8db2ac2dff5a05e19d7291b575da1399

          SHA1

          38c64e4fef7ad76fc567501b7cbe48418982bc70

          SHA256

          a468789e71c11956bda2aa8bf0d0fe54829d3f4c9203889f78c68b7062742b4b

          SHA512

          a3204b60987609e1c1b4dc0127896f574abe04f1e7c78a96511f951e6544320c5d663cf588e0a4cc7e236e9787dd8b72fabe2d34e3e58c6750148ab4025cb50d

          Download Submit

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
          Filesize

          342B

          MD5

          e486f3ac9b2ce2f632e5fe8a5b2e44ef

          SHA1

          4749796fe5b83d0a4a6455bbff9c83bf63122f32

          SHA256

          72c7c730774ea4120a7bda63c938019276a99670392e8024ef07fdd42182dcba

          SHA512

          ec6cfb06b35cd9575f0384477ed9fcec1b4da9a355666c7f6292015c97677023ac1d8b4f5a9c010f11216897cb6b79b11da435734761c7dec6b69a635442ce3d

          Download Submit

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
          Filesize

          342B

          MD5

          b0efe91c3fec0136531d9f637b3349f7

          SHA1

          b9231318f900b686aa366f634206919a1dcf0567

          SHA256

          e3ca5980d59906d3eb9cbebea4c0e7179bf03ae93f0d648d077637ce1c761c5e

          SHA512

          880798e44820b771f59c9007ad42595e2f51850e1cd6a102b5a4cd356108732dcc1dc8178883ab34e3f987c1db4d93b4b5c7b6e5a8f2dc3f2344e8152dd07eb2

          Download Submit

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
          Filesize

          342B

          MD5

          ad31a0c750d778511108fc3006024727

          SHA1

          b116a68d725dd881307298c810252c17d66801a5

          SHA256

          a38ccf076849a9be3ec41445e4b0df9bf7056641b1072b1eb67951f703d5dad1

          SHA512

          f8a9b2568658f06a47556d7f7a76823efe2c07a39375e497384e3671e55d8cd369d0a4d33bda3e189501259b82f986e244799fa43174e8be28619e5716f542b9

          Download Submit

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
          Filesize

          342B

          MD5

          ab3fed398b615c5cae86ae76535d6707

          SHA1

          e7a43eac56b430ee7321793ea09dcdc760d972f1

          SHA256

          356b0d8fc5d57f7d4526510e13e100dcce956e8f4f20946876278a2cf6c6f046

          SHA512

          bf17cde23858fc94a728fae180b4bff30af2c5313f90ecadc76e84725931fd4e107a995a664bff5e8a58b1e70caa5c588d2b3e13c019604a52d71e88fdc55a4c

          Download Submit

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
          Filesize

          342B

          MD5

          cd045e0ed3155daf66a1c4728f52ee7d

          SHA1

          ff0b493accc13065bfde80028460b3ec47c090e0

          SHA256

          b6b9cd8c38896f3c3b9045a1f1d4932456afc1feb2750c79465cd36e6d167720

          SHA512

          361c949d3f4b2286c7d0ea20192382d962192febf53dfe283e7d09bf52b2a14a9e16a4796b96a45e59266be3a2d708dd82f94fb9231ed15d208720e4b63c1c93

          Download Submit

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
          Filesize

          342B

          MD5

          7c8b6b1dfaa6ce886d7dd0b327b29e03

          SHA1

          e418707b46b02375302d49e6b092d8ce5d35346c

          SHA256

          50a443e9e6906de80a6402371b2544fb418593d11a1623451cce2ecf804f0cab

          SHA512

          70cd5da2f4d7841c1f5799a968c238451092cb6b2e7c21ed62a459df8c9d926e656effd87c44a7b165220f674ab735a8309a12f9f905bd6130a3e5287b1189a9

          Download Submit

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
          Filesize

          342B

          MD5

          1c3dca1d9b4f08c8e181ce05df1ca44f

          SHA1

          7fde798522dc4c7ecd58214ee92ec7e147fb404a

          SHA256

          cf3e9095d12e10392463d9cfe22e68dc16f3d30ea216a6d5c906834ec4fb1d58

          SHA512

          799fbbe6136e41123056bb2b6152fb73db2047350febfdf0733b204f1bdff35737c16b6efffe26803ed13d6194dd08b5e0872135ffcc0d76241f120f7a9640b7

          Download Submit

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
          Filesize

          342B

          MD5

          71a7cf15ff0ac9c116c31973f9b06454

          SHA1

          bdcb8ed089f639dc37cb1ca22340120ab2ce2c0c

          SHA256

          2c1f6c4521910c95305cd1c5befef3031a16ebdfc47539b87e8ef808723e2264

          SHA512

          16324f281455dd52ef36a293c89e981004facaf1c2f79effc574fc61cdb464cad03d005578ee1a1e005c4bbf07418f9a6b82a7bac6ecb9ce346f610d9d3c0d65

          Download Submit

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
          Filesize

          342B

          MD5

          6cba7e18abae87a9243ba02d530dd502

          SHA1

          e3ad9d92290be4d5da90ac9c7aa8a5069618675a

          SHA256

          5bbf785c288707bf04bf93ed79c3daf67520bdd583339b856107dfb47dbd9cd0

          SHA512

          49bb63eb067a068c5e0031f8c78b3d2bb87ac5f7d6c42056d692d1b30d0dec9fb4dbeca961c18c089c57fb558ff52dab76ca78da083bda9f2247840f56b733bc

          Download Submit

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
          Filesize

          342B

          MD5

          47e78578d1d3301f1635ff80a86dfc55

          SHA1

          af5875d6caef62ee361f43096433e2069e349a2b

          SHA256

          8c92d8c2cf04b173216e4ebc1a9226c795df1814a941d633c5072ef49301c0ea

          SHA512

          4a9c47a58154b8f7fbd34e83b23a5a692c1cf3bcc8e4689ac264664856bacb4bd8fa139194e71dec8a425eeaee587c55cdbb35cf6dec490f255219c462c3cc49

          Download Submit

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
          Filesize

          342B

          MD5

          74a83229495097b3c7ff68d211b42ee9

          SHA1

          ad7f083ab6fa27aef2df1c09178643ae48dedf53

          SHA256

          2ead70821884b06e40dbe2bbfa8d41b001f5940ec80912c852ed582079c85e58

          SHA512

          64db3601504682b759fc67d0daa68b6b023e4d16e6442848803dc4370ffbfdad0ffaa30cc90d3bde38b4a7e6a5ea1d9fe9320cd86f69487665072fa76c3f2eee

          Download Submit

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
          Filesize

          342B

          MD5

          4d96a4a000697e5f2f0e648e2ee69b74

          SHA1

          f7d6c4357d84cfbc62b9f71dbfdb646a556c83fd

          SHA256

          621ad2487fefeea78dd3aa5e857cf8838f6681891ab70ff702b1f8a28c6d646c

          SHA512

          0e2c62c703ebee37ba84279d8711fdabd1cc97b6060a7862719c0bf12a15ad77a60a7d05f0e16f31ebcc7b87345659d6266dbe48a6bbfc348993c6dcc5af2cdd

          Download Submit

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
          Filesize

          342B

          MD5

          1d514035cebb92f8d0934cf93907ebea

          SHA1

          cfc3819536aa5efa1f473b15729163f13252e173

          SHA256

          d84f05876ff2ae7c25b07098993dca84ae3a3ed52174ee59369bf9cdf3da4549

          SHA512

          90da84821e225e347cab0745b6671803f5f46858d266845c10140b7ed6c979b1c100a23b186b913ae6cba8f51a08b6a2dba7a1e1709f7b36f2b6ee005c6d7418

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\Cab785E.tmp
          Filesize

          70KB

          MD5

          49aebf8cbd62d92ac215b2923fb1b9f5

          SHA1

          1723be06719828dda65ad804298d0431f6aff976

          SHA256

          b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

          SHA512

          bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\Tar79F8.tmp
          Filesize

          181KB

          MD5

          4ea6026cf93ec6338144661bf1202cd1

          SHA1

          a1dec9044f750ad887935a01430bf49322fbdcb7

          SHA256

          8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

          SHA512

          6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

          Download Submit

        • C:\WINDOWS\windows.exe
          Filesize

          232KB

          MD5

          1f55f9467f803b2cb71a20cd915ff248

          SHA1

          67b93526d916cd152c8473661e839b09c08df288

          SHA256

          723a579d3d54e40c41189b242c956ab64fd157471ec85a7278b5e51014775b01

          SHA512

          3651e5eb45828f2fbbebc821f8c971c5508a1425b1ef8446cc124353a93387a9ca772c59c11d75e8bbc2d94a00d267c9106fc968e7aa7e61b4c6d775736f7a4f

          Download Submit

        • C:\system.exe
          Filesize

          232KB

          MD5

          c384c36f1b6f0a112eccbbfd90c2bac0

          SHA1

          e11321253a668df460fa01a56e4c98be957cf74c

          SHA256

          9647bd2ec68ed6cc22cc491533ba4f69a186e1d6f016aec7bd338b5207454918

          SHA512

          fc97532c6f8ed65a62ae0ab065965d0e777d30e75262b57da61411ca0236286bac0f249e800e4aecdf55cd4154d25d088ad211f23f74c6175a4f8b4cfbf326c1

          Download Submit

        • memory/2708-1-0x0000000000400000-0x000000000043A000-memory.dmp

          Filesize

          232KB

          Download

        • memory/2708-444-0x0000000000400000-0x000000000043A000-memory.dmp

          Filesize

          232KB

          Download