Overview

overview

7

Static

static

3

636291e825...0N.exe

windows7-x64

7

636291e825...0N.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    120s
  • max time network
    116s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
  • submitted
    23-07-2024 04:15

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    636291e825e2c97f44d9b8d10e4a1040N.exe

  • Size

    178KB

  • MD5

    636291e825e2c97f44d9b8d10e4a1040

  • SHA1

    664dc03a2bb2513bed3be89af34361f7f8ec0fd1

  • SHA256

    a1054c153e34258ae61feb974578bd3a674ee3296fed71fc1bfa15bb393eb5fb

  • SHA512

    d9f790ee655938bccff8ecea7fb4f11bfa1979782ab0dda075732fc7545a6020c86a8e6727696111a1c47a3cf69c6f63e4c2012f5821962c3157069b68083bdd

  • SSDEEP

    3072:Di7oIVHpkiOQdhY2wO+IMsx0UCHsqqRDZ71Xh7uYYytjoutxb:Di7oIVJkiBE28QnDBuytjoSt

Score
7/10
upx

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 4 IoCs
  • UPX packed file 33 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Drops file in System32 directory 2 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Drops file in Program Files directory 32 IoCs
  • Drops file in Windows directory 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\636291e825e2c97f44d9b8d10e4a1040N.exe
    "C:\Users\Admin\AppData\Local\Temp\636291e825e2c97f44d9b8d10e4a1040N.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in System32 directory
    • Suspicious use of SetThreadContext
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4808
    • C:\Program Files (x86)\Tencent\qq\776F686578\AFKVY.zz
      "C:\Program Files (x86)\Tencent\qq\776F686578\AFKVY.zz" -z 423B5D51736E6673606C2147686D64722129793937285D55646F62646F755D70705D363637473739373436395D4256542F52495B
      2⤵
      • Executes dropped EXE
      • Drops file in Program Files directory
      PID:2424
    • C:\Windows\SysWOW64\icsunattend.exe
      C:\Windows\system32\icsunattend.exe -EMBEDDING 423B5D51736E6673606C2147686D64722129793937285D55646F62646F755D70705D363637473739373436395D4256542F52495B 0
      2⤵
      • Loads dropped DLL
      • Drops file in Program Files directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      PID:4716
  • C:\Users\Admin\AppData\Roaming 76F6865787.exe
    "C:\Users\Admin\AppData\Roaming 76F6865787.exe" -3 423B5D51736E6673606C2147686D64722129793937285D55646F62646F755D70705D363637473739373436395D4256542F52495B
    1⤵
    • Executes dropped EXE
    • Loads dropped DLL
    • Suspicious use of SetThreadContext
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4164
    • C:\Windows\SysWOW64\instnm.exe
      C:\Windows\system32\instnm.exe -sys 423B5D51736E6673606C2147686D64722129793937285D55646F62646F755D70705D363637473739373436395D4256542F52495B 0
      2⤵
        PID:436
      • C:\Windows\SysWOW64\GameBarPresenceWriter.exe
        C:\Windows\system32\GameBarPresenceWriter.exe -sys 423B5D51736E6673606C2147686D64722129793937285D55646F62646F755D70705D363637473739373436395D4256542F52495B 0
        2⤵
        • Deletes itself
        • Loads dropped DLL
        • Drops file in Program Files directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3044

    Network

    MITRE ATT&CK Matrix

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Program Files (x86)\Tencent\qq\776F686578\776F686578123.IMD
      Filesize

      179KB

      MD5

      5d15752e8014d32cccbaf4e3681dccd2

      SHA1

      68b73253d3f62069ac31b2d19a894bab17c4dc21

      SHA256

      8a088b00b5ba63b68b88e5a6707a2c63500371bae1d8258e809652388a42ea6e

      SHA512

      7084d3f4b5965e6d617948be65f6b0808f9bbd70044f158615aa3d4fa0309ded3710c5f00e80ce021d81ff71032651e904ead5855e68f1576f20d625bfe63789

      Download Submit

    • C:\Program Files (x86)\Tencent\qq\776F686578\AFKVY.zz
      Filesize

      178KB

      MD5

      520210d54c59f72e2e6d01949f42fd30

      SHA1

      409eb6db0d20f89526c09ad19382e385eccf3336

      SHA256

      e8584e6107f971990346aeabc8645e0f42da138b880bc8eae5da71fd0ac150ef

      SHA512

      00f8b53ba1412d51831f319cf627b3dc2d02964b4126b75068bc54796ee50db22292a26cd3f9045825aed55fff397572f554c6264c983701af8362987b67bc6d

      Download Submit

    • C:\Program Files (x86)\Tencent\qq\776F686578\AFKVYmain.ini
      Filesize

      1KB

      MD5

      3b4885d7266e8aeeabc88315ef39b52e

      SHA1

      7e41af8837655422330c1d204970a41df175543c

      SHA256

      80e65c0922983c32412af8eafa30b518af7dd3888a3ebd5661668655bf4dad4b

      SHA512

      453ab13c4f0ff892795bc24702bac47717eb82b62dbbd9082ebc5687f558c54b5cf27af22b7c5a2e6b35f19633a0f17f883b2fb84082980c9fadff262b7e7b96

      Download Submit

    • C:\Program Files (x86)\Tencent\qq\776F686578\AFKVYs1.ini
      Filesize

      10B

      MD5

      3626206fc26847ae2ee2a15984d17429

      SHA1

      9403636af40cc13f85c0143335c09d23bd0891d8

      SHA256

      142668b9617c4760acb77a2492f926267ca2545fd63d0c070b97b1d86a266cca

      SHA512

      a85f33ec25e1194478d305ffca1873637a30b4365c75d517a6fbe2782474342f318a0f523ce617de9464cf35988c8786d00685d2f5d720fa5c40f9286a37a1bf

      Download Submit

    • C:\Program Files (x86)\Tencent\qq\776F686578\AFKVYs5.ini
      Filesize

      10B

      MD5

      fb9a6ac1d85521e2e6d4afb7b41e6735

      SHA1

      575f74d6557a73e7cc64b3b5552363dc26e14004

      SHA256

      b9a376e8b4fcba892b1c6bcf079116c8f9123d8ccce619f8ac515b60f784fef5

      SHA512

      4f2f0a6a157fe48f951bfb7d68d8bf450d6be685b9109dfc98096c2c251c67c69d2de36173770d2aea5dd0dbab8f8cd26008c8c6727c8ac632910444482edda7

      Download Submit

    • C:\Program Files (x86)\Tencent\qq\776F686578\AFKVYss1.ini
      Filesize

      22B

      MD5

      77c001c62fb95d065e34ec25e5864fc0

      SHA1

      bd38b0eb0e33ab931fb0d356358b9c086f4997f0

      SHA256

      decfe4ed60f15089019fa10459c9541b270d767900078f420a4b07458d592c67

      SHA512

      ca610a3e18f92731108c6038212256be655fc86c6e5284cfc4484e987f436aa1b3922feb623ed04888a5e80576cbd1beb5cee3c6200ba3c17b303e4b12306f1a

      Download Submit

    • C:\Program Files (x86)\Tencent\qq\776F686578\CWU.SHZ
      Filesize

      109KB

      MD5

      00a51edfd6a21ef8bfaad17a05ee8776

      SHA1

      aebbadb726daf64e65127bbd024cc56dcf41aea6

      SHA256

      58dba017c96ef288d5ed3d46ce3d41a9e371933c355c515e4165e80acf564f58

      SHA512

      cacc2be13301d5570a5260b6fa91be23273b5b7db26b57c1ba955b1c74b60c9659aa81146f4f23c82983a96ffe69b161576a20de09937eae8f6833ccf608ca9d

      Download Submit

    • C:\Program Files (x86)\Tencent\qq\776F686578\ok.txt
      Filesize

      73B

      MD5

      37029adce7a780ace70f47e8ac2c82ed

      SHA1

      eb6e0a00f47e4aaa8b5311982209d6e3b9d9686c

      SHA256

      2a1fccd3b769fa80fd798f37b991c2f086732fbadf6d17c8f53f777987bd2993

      SHA512

      0c3f74ce22fe260e5732cc416973b4769f11ec10a2d050a34f0871ea8e53c012a15fa6b8723cb40946bfe762b4329e24a966f0abddfad0f5a9dc3adb6543fb99

      Download Submit

    • C:\Users\Admin\AppData\Roaming 76F6865787.exe
      Filesize

      179KB

      MD5

      9d69a12d9193d7fb558052a00caee041

      SHA1

      e315587ed7c2b46f8ae1fb5f994d7f8f776d595a

      SHA256

      c7b6b55e711b4ce65b3d8f433cf69bf14ae5505b4a5b38d0cae2f0fe5e8289e3

      SHA512

      5ee0dafb1400dcdc40452661e75a3d5db050df51e60457d9802acb1fa2484c3b581052de5b7d7d5a10b4ee84c39d62320356fad81df78f197ecaba1ce5bced94

      Download Submit

    • C:\Windows\SysWOW64\kernel64.dll
      Filesize

      625KB

      MD5

      eccf28d7e5ccec24119b88edd160f8f4

      SHA1

      98509587a3d37a20b56b50fd57f823a1691a034c

      SHA256

      820c83c0533cfce2928e29edeaf6c255bc19ac9718b25a5656d99ffac30a03d6

      SHA512

      c1c94bbb781625b2317f0a8178d3a10d891fb71bca8f82cd831c484e8ab125301b82a14fe2ff070dc99a496cc00234300fa5536401018c40d49d44ae89409670

      Download Submit

    • memory/2424-103-0x0000000000400000-0x000000000042D000-memory.dmp

      Filesize

      180KB

      Download

    • memory/2424-100-0x0000000000400000-0x000000000042D000-memory.dmp

      Filesize

      180KB

      Download

    • memory/3044-291-0x0000000000400000-0x000000000042D000-memory.dmp

      Filesize

      180KB

      Download

    • memory/3044-216-0x0000000000400000-0x000000000042D000-memory.dmp

      Filesize

      180KB

      Download

    • memory/4164-173-0x0000000000400000-0x000000000042D000-memory.dmp

      Filesize

      180KB

      Download

    • memory/4164-290-0x0000000000400000-0x000000000042D000-memory.dmp

      Filesize

      180KB

      Download

    • memory/4716-124-0x0000000000F70000-0x0000000000FC6000-memory.dmp

      Filesize

      344KB

      Download

    • memory/4716-122-0x0000000000F70000-0x0000000000FC6000-memory.dmp

      Filesize

      344KB

      Download

    • memory/4716-289-0x0000000000400000-0x000000000042D000-memory.dmp

      Filesize

      180KB

      Download

    • memory/4716-212-0x00000000010E0000-0x00000000010E1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4716-109-0x0000000000F70000-0x0000000000FC6000-memory.dmp

      Filesize

      344KB

      Download

    • memory/4716-110-0x0000000000F70000-0x0000000000FC6000-memory.dmp

      Filesize

      344KB

      Download

    • memory/4716-112-0x0000000000F70000-0x0000000000FC6000-memory.dmp

      Filesize

      344KB

      Download

    • memory/4716-104-0x0000000000400000-0x000000000042D000-memory.dmp

      Filesize

      180KB

      Download

    • memory/4716-106-0x0000000000400000-0x000000000042D000-memory.dmp

      Filesize

      180KB

      Download

    • memory/4716-114-0x0000000000F70000-0x0000000000FC6000-memory.dmp

      Filesize

      344KB

      Download

    • memory/4716-108-0x0000000000400000-0x000000000042D000-memory.dmp

      Filesize

      180KB

      Download

    • memory/4716-120-0x0000000000F70000-0x0000000000FC6000-memory.dmp

      Filesize

      344KB

      Download

    • memory/4716-134-0x0000000000F70000-0x0000000000FC6000-memory.dmp

      Filesize

      344KB

      Download

    • memory/4716-116-0x0000000000F70000-0x0000000000FC6000-memory.dmp

      Filesize

      344KB

      Download

    • memory/4716-118-0x0000000000F70000-0x0000000000FC6000-memory.dmp

      Filesize

      344KB

      Download

    • memory/4716-132-0x0000000000F70000-0x0000000000FC6000-memory.dmp

      Filesize

      344KB

      Download

    • memory/4716-130-0x0000000000F70000-0x0000000000FC6000-memory.dmp

      Filesize

      344KB

      Download

    • memory/4716-128-0x0000000000F70000-0x0000000000FC6000-memory.dmp

      Filesize

      344KB

      Download

    • memory/4716-126-0x0000000000F70000-0x0000000000FC6000-memory.dmp

      Filesize

      344KB

      Download

    • memory/4808-24-0x0000000002190000-0x00000000021E6000-memory.dmp

      Filesize

      344KB

      Download

    • memory/4808-28-0x0000000002190000-0x00000000021E6000-memory.dmp

      Filesize

      344KB

      Download

    • memory/4808-18-0x0000000002190000-0x00000000021E6000-memory.dmp

      Filesize

      344KB

      Download

    • memory/4808-3-0x0000000002190000-0x00000000021E6000-memory.dmp

      Filesize

      344KB

      Download

    • memory/4808-20-0x0000000002190000-0x00000000021E6000-memory.dmp

      Filesize

      344KB

      Download

    • memory/4808-26-0x0000000002190000-0x00000000021E6000-memory.dmp

      Filesize

      344KB

      Download

    • memory/4808-0-0x0000000000400000-0x000000000042D000-memory.dmp

      Filesize

      180KB

      Download

    • memory/4808-22-0x0000000002190000-0x00000000021E6000-memory.dmp

      Filesize

      344KB

      Download

    • memory/4808-34-0x0000000002190000-0x00000000021E6000-memory.dmp

      Filesize

      344KB

      Download

    • memory/4808-30-0x0000000002190000-0x00000000021E6000-memory.dmp

      Filesize

      344KB

      Download

    • memory/4808-35-0x0000000002190000-0x00000000021E6000-memory.dmp

      Filesize

      344KB

      Download

    • memory/4808-36-0x0000000002190000-0x00000000021E6000-memory.dmp

      Filesize

      344KB

      Download

    • memory/4808-32-0x0000000002190000-0x00000000021E6000-memory.dmp

      Filesize

      344KB

      Download

    • memory/4808-4-0x0000000002190000-0x00000000021E6000-memory.dmp

      Filesize

      344KB

      Download

    • memory/4808-6-0x0000000002190000-0x00000000021E6000-memory.dmp

      Filesize

      344KB

      Download

    • memory/4808-259-0x0000000000400000-0x000000000042D000-memory.dmp

      Filesize

      180KB

      Download

    • memory/4808-8-0x0000000002190000-0x00000000021E6000-memory.dmp

      Filesize

      344KB

      Download

    • memory/4808-17-0x0000000002190000-0x00000000021E6000-memory.dmp

      Filesize

      344KB

      Download

    • memory/4808-10-0x0000000002190000-0x00000000021E6000-memory.dmp

      Filesize

      344KB

      Download

    • memory/4808-14-0x0000000002190000-0x00000000021E6000-memory.dmp

      Filesize

      344KB

      Download

    • memory/4808-12-0x0000000002190000-0x00000000021E6000-memory.dmp

      Filesize

      344KB

      Download