Overview

overview

7

Static

static

3

8c984e1a71...0N.exe

windows7-x64

7

8c984e1a71...0N.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    119s
  • max time network
    95s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    06/08/2024, 09:27

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    8c984e1a71dde965ce148fd4d8d8ee80N.exe

  • Size

    84KB

  • MD5

    8c984e1a71dde965ce148fd4d8d8ee80

  • SHA1

    fad22a3467ec0919990b30ffc8ca9c38c5aa4b1a

  • SHA256

    a8576d89bb3df2b6b4efe6337a4427adf16843765c3df11796890c06fcbb2a0d

  • SHA512

    50f6623b87f01d406be27f75b3ff0fb9eb964562838e2accefd0779ac210167378c5b743cb4c2a4caecdca7aa9286e028de5ea223f404ba3a65c7573f9c4202e

  • SSDEEP

    1536:1clIGFNMi+hJUneHoGTvvv4V9hqdhbtgS:+RMi+fUnCTvvv4V9hEhbCS

Score
7/10
discoverypersistenceupx

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 4 IoCs
  • UPX packed file 7 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of SetThreadContext 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious use of AdjustPrivilegeToken 45 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 39 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\8c984e1a71dde965ce148fd4d8d8ee80N.exe
    "C:\Users\Admin\AppData\Local\Temp\8c984e1a71dde965ce148fd4d8d8ee80N.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4608
    • C:\Users\Admin\AppData\Local\Temp\8c984e1a71dde965ce148fd4d8d8ee80N.exe
      "C:\Users\Admin\AppData\Local\Temp\8c984e1a71dde965ce148fd4d8d8ee80N.exe"
      2⤵
      • Checks computer location settings
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:4108
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OBNVN.bat" "
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:740
        • C:\Windows\SysWOW64\reg.exe
          REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Audio Driver" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\lsass.exe" /f
          4⤵
          • Adds Run key to start application
          • System Location Discovery: System Language Discovery
          PID:3556
      • C:\Users\Admin\AppData\Roaming\system\lsass.exe
        "C:\Users\Admin\AppData\Roaming\system\lsass.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:4500
        • C:\Users\Admin\AppData\Roaming\system\lsass.exe
          "C:\Users\Admin\AppData\Roaming\system\lsass.exe"
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          PID:4328
        • C:\Users\Admin\AppData\Roaming\system\lsass.exe
          "C:\Users\Admin\AppData\Roaming\system\lsass.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2720
          • C:\Users\Admin\AppData\Roaming\system\lsass.exe
            "C:\Users\Admin\AppData\Roaming\system\lsass.exe"
            5⤵
            • Checks computer location settings
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            PID:1036

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\cxz.exe
    Filesize

    314B

    MD5

    17c840663a9011d5868ccc5550a4a495

    SHA1

    800ebfaed48336b0f6df05304bab0009d0239e2b

    SHA256

    44267062edc55d677a2cdc546ae00697dfcb1274959a5583b526c350ffe63a21

    SHA512

    e9794dce1a18d12b915ca7046494b43a73427f389d08592b38ae934756abc0b77c4315f85c9ae63039ecad6f43117961098ccff6dee8781d36f3da33ca1d04c4

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\OBNVN.txt
    Filesize

    146B

    MD5

    c8cba0a9d4d5600b5f53c4c0681d1115

    SHA1

    0e5348e210ca70b2b0ffdc3ff7e6f611716df80c

    SHA256

    ca2b63f6d7bf17480415ae93e115bf9f9699335e84e62719eefdbcc5a78bd2e1

    SHA512

    a2ad6eb5ae2f6d57ca15363ac2f0c57ca3580474e94b9c010750948814cf4d5ffa0c3e7ef44634a3593da23f56011703ff220a3d7780f6f01785bf3b6676ced0

    Download Submit

  • C:\Users\Admin\AppData\Roaming\system\lsass.exe
    Filesize

    84KB

    MD5

    98755f554285f0fe3e8bc4cc6e3d5592

    SHA1

    91cbaa2720955c477ba45492342429496736e5e1

    SHA256

    cbe36653ff3e1ddf26e5fc5725314cdb5b602198817a0cfa72e62f505c448faa

    SHA512

    b950e59d6b631785b1794b9e40d0c2ab6a8ae7cee857cc7e76f1ed9328c1d77c80c9201739feffd35f2e9ab0c712873dd76fa36d5877affd75ae61c0361e3d45

    Download Submit

  • memory/1036-84-0x0000000000400000-0x0000000000404000-memory.dmp

    Filesize

    16KB

    Download

  • memory/1036-62-0x0000000000400000-0x0000000000404000-memory.dmp

    Filesize

    16KB

    Download

  • memory/1036-57-0x0000000000400000-0x0000000000404000-memory.dmp

    Filesize

    16KB

    Download

  • memory/2720-41-0x0000000000400000-0x0000000000403000-memory.dmp

    Filesize

    12KB

    Download

  • memory/2720-58-0x0000000000400000-0x0000000000403000-memory.dmp

    Filesize

    12KB

    Download

  • memory/2720-52-0x0000000000400000-0x0000000000403000-memory.dmp

    Filesize

    12KB

    Download

  • memory/2720-53-0x0000000000400000-0x0000000000403000-memory.dmp

    Filesize

    12KB

    Download

  • memory/2720-46-0x0000000000400000-0x0000000000403000-memory.dmp

    Filesize

    12KB

    Download

  • memory/4108-56-0x0000000000400000-0x000000000040B000-memory.dmp

    Filesize

    44KB

    Download

  • memory/4108-10-0x0000000000400000-0x000000000040B000-memory.dmp

    Filesize

    44KB

    Download

  • memory/4108-11-0x0000000000400000-0x000000000040B000-memory.dmp

    Filesize

    44KB

    Download

  • memory/4108-37-0x0000000000400000-0x000000000040B000-memory.dmp

    Filesize

    44KB

    Download

  • memory/4108-2-0x0000000000400000-0x000000000040B000-memory.dmp

    Filesize

    44KB

    Download

  • memory/4328-86-0x0000000000400000-0x000000000040B000-memory.dmp

    Filesize

    44KB

    Download

  • memory/4328-51-0x0000000000400000-0x000000000040B000-memory.dmp

    Filesize

    44KB

    Download

  • memory/4500-50-0x0000000000400000-0x0000000000415000-memory.dmp

    Filesize

    84KB

    Download

  • memory/4608-9-0x0000000002A30000-0x0000000002A31000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4608-7-0x0000000002980000-0x0000000002981000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4608-3-0x00000000020E0000-0x00000000020E1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4608-4-0x0000000002100000-0x0000000002101000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4608-8-0x0000000002A10000-0x0000000002A11000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4608-5-0x0000000002110000-0x0000000002111000-memory.dmp

    Filesize

    4KB

    Download