Analysis

  • max time kernel
    69s
  • max time network
    133s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
  • submitted
    01-08-2024 21:00

General

  • Target

    213da063c5a5f22d0c18497ba8cca63d1f0ca7509e763b8e6855f87316f56044.exe

  • Size

    232KB

  • MD5

    84f464203450725af1589106d18a9aba

  • SHA1

    20315f5e0d837425938881de6651c41869371d86

  • SHA256

    213da063c5a5f22d0c18497ba8cca63d1f0ca7509e763b8e6855f87316f56044

  • SHA512

    0620d98592b48fe641a62fd0026cc8aee2f9c1fc35400e9f5575f243543c2757ef3c0075ffa3616a0bffd16230e39adb271734f38db7d6dfa1cb02040aaefaf0

  • SSDEEP

    3072:p1i/NU8bOMYcYYcmy51VRgiFCpCIXUWOLTsEsigcL3P6xxc1VOz1i/NU82OMYcYU:ri/NjO5xbg/CSUFLTwMjs6oi/N+O7

Malware Config

Signatures

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 2 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • UPX packed file 4 IoCs

    Detects executables packed with the open-source UPX packer or a modified UPX.

  • Drops file in System32 directory 2 IoCs
  • Hide Artifacts: Hidden Files and Directories 1 TTPs 7 IoCs
  • Drops file in Windows directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 16 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies Internet Explorer settings 1 TTPs 35 IoCs
  • Modifies Internet Explorer start page 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 7 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Views/modifies file attributes 1 TTPs 7 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\213da063c5a5f22d0c18497ba8cca63d1f0ca7509e763b8e6855f87316f56044.exe
    "C:\Users\Admin\AppData\Local\Temp\213da063c5a5f22d0c18497ba8cca63d1f0ca7509e763b8e6855f87316f56044.exe"
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Drops file in System32 directory
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Modifies Internet Explorer settings
    • Modifies Internet Explorer start page
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2552
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" http://www.ymtuku.com/xg/?tan
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2592
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2592 CREDAT:275457 /prefetch:2
        3⤵
        • System Location Discovery: System Language Discovery
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:2992
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c attrib +h "C:\Documents and Settings\All Users\桌面\Internet Explorer.lnk"
      2⤵
      • Hide Artifacts: Hidden Files and Directories
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3008
      • C:\Windows\SysWOW64\attrib.exe
        attrib +h "C:\Documents and Settings\All Users\桌面\Internet Explorer.lnk"
        3⤵
        • System Location Discovery: System Language Discovery
        • Views/modifies file attributes
        PID:2860
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c attrib +h "C:\Documents and Settings\Admin\桌面\Internet Explorer.lnk"
      2⤵
      • Hide Artifacts: Hidden Files and Directories
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2760
      • C:\Windows\SysWOW64\attrib.exe
        attrib +h "C:\Documents and Settings\Admin\桌面\Internet Explorer.lnk"
        3⤵
        • System Location Discovery: System Language Discovery
        • Views/modifies file attributes
        PID:2892
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c attrib +h "C:\Documents and Settings\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\启动 Internet Explorer 浏览器.lnk"
      2⤵
      • Hide Artifacts: Hidden Files and Directories
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2744
      • C:\Windows\SysWOW64\attrib.exe
        attrib +h "C:\Documents and Settings\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\启动 Internet Explorer 浏览器.lnk"
        3⤵
        • System Location Discovery: System Language Discovery
        • Views/modifies file attributes
        PID:2112
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c attrib +h "C:\Documents and Settings\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\Internet Explorer.lnk"
      2⤵
      • Hide Artifacts: Hidden Files and Directories
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2792
      • C:\Windows\SysWOW64\attrib.exe
        attrib +h "C:\Documents and Settings\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\Internet Explorer.lnk"
        3⤵
        • System Location Discovery: System Language Discovery
        • Views/modifies file attributes
        PID:2688
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c attrib +h "C:\Documents and Settings\Admin\「开始」菜单\程序\Internet Explorer.lnk"
      2⤵
      • Hide Artifacts: Hidden Files and Directories
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2692
      • C:\Windows\SysWOW64\attrib.exe
        attrib +h "C:\Documents and Settings\Admin\「开始」菜单\程序\Internet Explorer.lnk"
        3⤵
        • System Location Discovery: System Language Discovery
        • Views/modifies file attributes
        PID:2684
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c attrib +h "C:\WINDOWS\windows.exe"
      2⤵
      • Hide Artifacts: Hidden Files and Directories
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1368
      • C:\Windows\SysWOW64\attrib.exe
        attrib +h "C:\WINDOWS\windows.exe"
        3⤵
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Views/modifies file attributes
        PID:1716
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c attrib +h "c:\system.exe"
      2⤵
      • Hide Artifacts: Hidden Files and Directories
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2488
      • C:\Windows\SysWOW64\attrib.exe
        attrib +h "c:\system.exe"
        3⤵
        • System Location Discovery: System Language Discovery
        • Views/modifies file attributes
        PID:2608

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    8214d9ce5ba79503c8fe4d123c502ccf

    SHA1

    dc82e9d35b00034e201e1d55ff1a985b8b5f385c

    SHA256

    ccafd9f52471b0d0840db2e2ac54a2eed01ad0d3ec27c96e60db2c7e60e14998

    SHA512

    5f09dc99b6ddbdd75af60d04a55c56f9643a33a57f0dd7b36b2aa2c3400cc72fbf3be7a99ab6e7d609b5b88dea5bf004b12c1ceaebf8846b426dfed569e8bb47

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    f22428f5da9031c0d4e501b96712fe23

    SHA1

    9356086bb98e447121083e1a7a15b0d393236e39

    SHA256

    8e2b774b497e36fa3ab674f57120fe329e6775c6e2d8f941d6d9cd263c957ae6

    SHA512

    321a741e4a75f6ae3c297b1596e29cbcd2257d1ed8f0c4c56ef1b9d91c169f8e2ab0265b640bfea11dddbb96a31da85c6aaf1a099baf28d4fe8c6ba2c8870f95

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    4d7207163628198a75f551810638f750

    SHA1

    ca934befe97b513a43ce52ee9439bb62f0b45fc9

    SHA256

    e5977dd12a84202f474d5f16f291775a2ce8e2b32ddbaa88b1d67e8ee9d7f6ae

    SHA512

    49493fb59fb5d17f86a15ee120d65f5fff36aa5f3e0a306482cd955d6c5b49707283302ab7269086fea9a49a83dac9d55e0744d2b926909b5f4a715332a4b8bb

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    b55f0c2772f6b397b3f0cf99842826e3

    SHA1

    10fa82ee4029c330c9ea0056176c7369cf340046

    SHA256

    7a22e660c5f379a1e3ae1402377949e9ee93f6d9597e124cacdbb0764532a1e4

    SHA512

    32e2d42585fadb6fed30da98164c6c04613a6056be423510141a0c9c0205784a513c97e8cf4bf9defa429361347787e33364f9f9f05c0d2fc2e4dd29a433348e

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    fa075f237bf5e53ad49c4ffdd77f2d83

    SHA1

    89089f502f241bc9a8416fe977f46bd104b62280

    SHA256

    999740b8ea82f14c39f3223253e3388e01d5f9b3cad6978142af8d182ab9bfc1

    SHA512

    ab4b80bb7d245e2274a41f7c36dfbc978daf0d7141551f9798b9725e9f908437ad20701081b043981d96d7156999a434db76b53ecbfb35e4335da26ba095718c

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    ff415faef6e71584be0c976d37250d36

    SHA1

    5e2e509ebaf49d43fa079c67ca50c3ef6d6d8b81

    SHA256

    804d5763d5c399c5426794705c33aacf447f8cc779581f1baa460599044f16be

    SHA512

    49537cf988836611f55ce76a5cea69ed6b12eb724003d4679175a75e7cdae77aa7987ed7e119ce73c1aeee79042f708b822ecba672363452dbd2112f740cdc01

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    05e6122c2f18c44acbd0d913a8fa3ec3

    SHA1

    af4a828b477b945d7046a1aaaee1346bf3eb286c

    SHA256

    cbf4f2f33486c0641dd037c720454f9085f9e9e0f2607e55f07e235911265a0d

    SHA512

    c86f75a7d244f460d8ae7bdc69bcc741ebfa4579eb1c8d35a664d9fcf8dd96872e25899ae51a79a20c6e3ef0f93b28ecd58233ffd8dd5178f28e30a7d3602da6

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    8d0d6c0593ccc8c3fe254ee163d2763f

    SHA1

    957fd1dc36c3febd3d673ba3734fda41f2c47ce8

    SHA256

    53bbd35e2db13fc2ec82b5c153e510ea025aa6ab66d0b26620a6c59c35c6ffba

    SHA512

    3ed152272969e6d91cbbb4cc31c2db12a32d282ce71b9c29c11a28e24c64ba3c5ebde5947455debf49a6b5f780edb7eedfbfd4e6b768f3c226f3665f2272235f

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    865713be27da90684425159d28a83265

    SHA1

    5070c8f40ce68a828ef37c1cfa9de985a7f798fc

    SHA256

    9f53f21f14bdd616711ddf2a02165239c293d7d4f57e2fa81397e19c21b37265

    SHA512

    4cbdc1228071ccb3ea87d80a4c0d323ab965d4664d69475039518d59e4f1d2b7f3a17000fa2e39982f2c847c1bfb1af4939d047ed25df89d62c3e6423ac573c7

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    149b61bd9584d7a795e03951c25ffb41

    SHA1

    672140e59ab06708c1be6a7760cc7c74ab094b62

    SHA256

    da16d338fb6da8ae3b98652d5319bf4235d4988514d2ab601aeae0fd2613fe75

    SHA512

    bf51d19082b741feda092c1ee3802ae255cbce92ff95a9e315a84d190fd07172191d5a5f54a1143f901d2a014a8a867cdff0e0722e16788b79aed4a9bc157302

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    a2b9b018022e36d657bbbf1f30feebd9

    SHA1

    03deb0aff5a232a405842a8b2126331dfa1b31ea

    SHA256

    2e033721a02771ce96944339a1563b3dd3e92ac6c2eee4334008e96291add700

    SHA512

    3850e51c5e855472422c596d2e72b6444f27d7ce70a9685b30f7946baf5b8bb16437273f3a21705698f3495b81b6b7221b8df38a451c92e805a932133473b110

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    a4a8102a44cced56e5cbb51490d8606d

    SHA1

    a5c7e0186a99211ae2998666469f2dc0ed1ed291

    SHA256

    09fcc88f50c374029ca41287b690fe165a2f5c098598b5a7590a27ed2031c998

    SHA512

    25d1d993647bad147c31ee761350997ec2dfade0b18cb1542cfa3f51b6c656ee4d7da41e2e304eb295ffc8ab2c78514718510076cfb389f10ba42f5f495d7c73

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    307e44dfec5bd6e086fd02513ffa5ca5

    SHA1

    b68c7eefc0e54534392fb855e5670ae0d9ab3b1f

    SHA256

    67c861ce4c63babb89a4beea0341f1f717a2432e99b0b9f5fa2dd0e34cda8f04

    SHA512

    f5215b51e4fd91d9af49b03fe0b42b772058a688aac008d97fd80bff390ac46203506f5d2e612b4c6118a0b2ea575fffaa1ef22f0eb756d84c7343a629103c79

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    1645aeef877082f22ec38f508f0eb3ae

    SHA1

    fe88a1cc4ec6db0b82541f231ffa21e205c0d250

    SHA256

    62ebb3e6ae84437e87dd2942da82dcb8f3583bcf73802190b869f9957365f9e1

    SHA512

    07af5e1a69868ba0d984ca1c3b41371ec8e4d247f268513d30b41661d47340b7284b33e36c5eee60ac992c30edde66b5b8e6ed6754f076f532278b355207c41c

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    dc7ad36181c1ae6329010a507d9493f1

    SHA1

    5a31d88b023178e76204839f537973ced9c0d04f

    SHA256

    0876f34c96f1327df4633230de288deb2f8953436c2d38be8a6faa84279dc1ef

    SHA512

    c91e95664be2e799f8b34462bd19c3fe9f3aa694a84b797409fd40650d53ad18b308488b9535dcbc5a52205a754547a477a1f7f77db650502311e2680dd3749a

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    4ad5b999fc4543a0d9d3e171be58358e

    SHA1

    11eb7acd38df1f1fb726c0bdbd8e4001ffc0d739

    SHA256

    110f26f5333f74d555703e99d74e8fb17c93217c8c6f82066acf03eaccad4735

    SHA512

    76e307e14bb94ef5dc9b50c688a92039041296c7e2ccce6b9e6ff9c511f9d1ff6681c3d27e2689303c18b0b5e8b197f700787227ddbc002e671e4cb728df57e4

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    5e81751ace5ea80e3c5f01c59259f585

    SHA1

    dbfb77975a15797d03baefd943af8e12297cb544

    SHA256

    eb7a62af80e8a6c9f6322c59ae99b45d21d98eaec6ad88cf0710e3a92b694b13

    SHA512

    6ff5463c3584d63fe641f26b54370740d5d09544ef2d50abcf806840446a40f50146888a16a26a7c5db37fc4c31576a5f0a3210f997cdb04a91215dd7e17ae45

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    67c4684540831523f02d06d40ebd7661

    SHA1

    3ee3ac5a496caaa7baad83438280349823bc2ca8

    SHA256

    f2347e807ae737243ed9229a16a5aa0f53d309b05445aa981c5a62bd7f9e26c3

    SHA512

    4c5f267382701997aa0443b4f655fb0ff4a2e4e30e79ea0e7c6ff35f02b97660d0cada8800995a0f3b184c752a80bcfdf4d8dee1c84f1a3c0538003775b350b1

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    d9251511c06584f8eb9afad562e9b0e3

    SHA1

    3e80609359ab7db4b2700efc5818b4cf7b81aae3

    SHA256

    85bdaf91c5d94656470c78804f15764608fbcd2e6b2b2c5664cd94fe836bd586

    SHA512

    9be0108ca0450492b6ef75c3bf9cfa9601f1b64c6376987566a6e33b220b0b6142e8c1d618ba1418521088115d7fb737b28f2b7e8294ff8d37af5338a985d65e

  • C:\Users\Admin\AppData\Local\Temp\Cab6E40.tmp

    Filesize

    70KB

    MD5

    49aebf8cbd62d92ac215b2923fb1b9f5

    SHA1

    1723be06719828dda65ad804298d0431f6aff976

    SHA256

    b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

    SHA512

    bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

  • C:\Users\Admin\AppData\Local\Temp\Tar6F0E.tmp

    Filesize

    181KB

    MD5

    4ea6026cf93ec6338144661bf1202cd1

    SHA1

    a1dec9044f750ad887935a01430bf49322fbdcb7

    SHA256

    8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

    SHA512

    6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

  • C:\WINDOWS\windows.exe

    Filesize

    232KB

    MD5

    5dba2b541d42dc9b7898a620452a48d8

    SHA1

    07e0a20f542302923dac7fcca5c4d66671c34dd5

    SHA256

    4a215c8d2b238ae570841649e0c9d62c1d291e9e0c2f7897500f669898a1525c

    SHA512

    d42f49fb20dcd32b73bf1ec2085f54cffc9c6afe2deceaaeae5406291e8c8264dda3269dc5d3539e458bddbe28efa41fa7e9670bb363a94703fc948ce1e82ad6

  • C:\system.exe

    Filesize

    232KB

    MD5

    5f9a6241572df94185d61434d1d77dab

    SHA1

    fdd8de55827c68411e6391b6cc5236b523a191c6

    SHA256

    973a097525b5e2423ecfd80361ecd5c2436500044139aeb752102a3d53a100eb

    SHA512

    d9a43fb67d17a33293575616493a0ace3350a710a5d7216b348db6a429e03daddfca2124069edbe902e60bf7907aa391ed8a646f231d0ce73ba01a98c3c474e1

  • memory/2552-0-0x0000000000400000-0x000000000043A000-memory.dmp

    Filesize

    232KB

  • memory/2552-444-0x0000000000400000-0x000000000043A000-memory.dmp

    Filesize

    232KB