Overview

overview

10

Static

static

7

916df5e9c4...0N.exe

windows7-x64

10

916df5e9c4...0N.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    120s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags

    arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
  • submitted
    14-08-2024 11:59

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    916df5e9c463468ed689c6ed96c7c0f0N.exe

  • Size

    71KB

  • MD5

    916df5e9c463468ed689c6ed96c7c0f0

  • SHA1

    971a0aad4d6393196d4534e879fa60e6b46e847c

  • SHA256

    20da107131fe29bfe7f610ff65d463c5f09c1f868982892f21b1bf800cf843b0

  • SHA512

    6b2757760a4aa5fe3adeb6aa8b94e3c737bbd7a1526860c998c3dd477a2917c4a80934202963dcf444562b708039a658985d8cb22a8a19977cc78e4a27cdbb13

  • SSDEEP

    768:EXKeT2Si83nLt8tkGX8uxOHgRrW5YLKG9Y/HrSNm0kmG7xMsVAnc3yy85SBiLFMb:EFrmh0HgB3LKrL9AcnQFMc9zwR6i+BW

Score
10/10
discoveryevasionpersistenceupx

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
    persistence
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
    evasion
  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 8 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    persistence
  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 8 IoCs
  • UPX packed file 14 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Drops file in Windows directory 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of SetWindowsHookEx 12 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\916df5e9c463468ed689c6ed96c7c0f0N.exe
    "C:\Users\Admin\AppData\Local\Temp\916df5e9c463468ed689c6ed96c7c0f0N.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2824
    • \??\c:\windows\system\explorer.exe
      c:\windows\system\explorer.exe
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visiblity of hidden/system files in Explorer
      • Boot or Logon Autostart Execution: Active Setup
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2596
      • \??\c:\windows\system\spoolsv.exe
        c:\windows\system\spoolsv.exe SE
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2724
        • \??\c:\windows\system\svchost.exe
          c:\windows\system\svchost.exe
          4⤵
          • Modifies WinLogon for persistence
          • Modifies visiblity of hidden/system files in Explorer
          • Boot or Logon Autostart Execution: Active Setup
          • Executes dropped EXE
          • Loads dropped DLL
          • Adds Run key to start application
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:2620
          • \??\c:\windows\system\spoolsv.exe
            c:\windows\system\spoolsv.exe PR
            5⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            • Suspicious use of SetWindowsHookEx
            PID:2144
          • C:\Windows\SysWOW64\at.exe
            at 12:01 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
            5⤵
            • System Location Discovery: System Language Discovery
            PID:1036
          • C:\Windows\SysWOW64\at.exe
            at 12:02 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
            5⤵
            • System Location Discovery: System Language Discovery
            PID:2024

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\mrsys.exe
    Filesize

    71KB

    MD5

    64da393432ac3abfb577a6d2fcfd161d

    SHA1

    cafd1220318c53ba6437c2f3f4dcb1d28887c0e3

    SHA256

    0db4d0a88caa9f47c980e9ed22fbba804947e89ec54de0f656b24e132afb7e31

    SHA512

    fa19a43ef478acb8804ab1906db229922be7931d97ea5354fbf183b5616b03687f5b46ba061cd17c71734ede0c781640713eb41119e82edbaf9bc52f75c8887a

    Download Submit

  • C:\Windows\system\svchost.exe
    Filesize

    71KB

    MD5

    419b0fc5d46efd8e09f8b1328f568a6a

    SHA1

    8fdfda85bd77fceda7df18bdbfc5d6e5a6373915

    SHA256

    3a7eed0c235c81b05dc940cc15eccf4d5631dd0fab01814216e0632cdb781f59

    SHA512

    fc5dad72f3da511d8e5c68e4bf14846a85f15ec16ca1f5436ab4b6ab5e65fa7c88ccc46cc2b28f562dc94585cf809d56984ef5bdfd975ce97393cf133afb1417

    Download Submit

  • \Windows\system\explorer.exe
    Filesize

    71KB

    MD5

    af626fd1e06077d01403b9b872181ff1

    SHA1

    381eb52c00f245bfd28ff59bc3aed17dd6c5dcdd

    SHA256

    0bfbc88c659edcc7e634f22392ca2f9e3de8585969f8ae0368f0ed30f7d8a1d4

    SHA512

    60763aa5b57590ac83e9e77317daf25dd2e6f902ab80d77429fda6dd6814e2d9133ab60072846eee15498b6e33ff1b9381fba3699308f30b428b30f554cbbf5b

    Download Submit

  • \Windows\system\spoolsv.exe
    Filesize

    71KB

    MD5

    0f4eff15445ca2b84286f4675082b8b0

    SHA1

    9ec45ab1a0a877aa6ee53e222865e261a6cc0013

    SHA256

    230425fd3702d3e280ece3621f009485ba2762c06e7c9c2e9f7733b440144865

    SHA512

    8bd52a23f1993c519d64cb84211ba63c29f53a13db7a365e2abd92c3d1f7899107e329d02d208a76a4391a545aad12583e095b0afda1eaa6c23fd344efcdde5a

    Download Submit

  • memory/2144-52-0x0000000000400000-0x0000000000435000-memory.dmp

    Filesize

    212KB

    Download

  • memory/2144-55-0x0000000000400000-0x0000000000435000-memory.dmp

    Filesize

    212KB

    Download

  • memory/2596-74-0x0000000000400000-0x0000000000435000-memory.dmp

    Filesize

    212KB

    Download

  • memory/2596-63-0x0000000000400000-0x0000000000435000-memory.dmp

    Filesize

    212KB

    Download

  • memory/2620-42-0x0000000000400000-0x0000000000435000-memory.dmp

    Filesize

    212KB

    Download

  • memory/2620-64-0x0000000000400000-0x0000000000435000-memory.dmp

    Filesize

    212KB

    Download

  • memory/2620-67-0x0000000002570000-0x00000000025A5000-memory.dmp

    Filesize

    212KB

    Download

  • memory/2724-59-0x0000000000400000-0x0000000000435000-memory.dmp

    Filesize

    212KB

    Download

  • memory/2724-30-0x0000000000400000-0x0000000000435000-memory.dmp

    Filesize

    212KB

    Download

  • memory/2824-0-0x0000000000400000-0x0000000000435000-memory.dmp

    Filesize

    212KB

    Download

  • memory/2824-61-0x0000000000400000-0x0000000000435000-memory.dmp

    Filesize

    212KB

    Download

  • memory/2824-14-0x0000000002730000-0x0000000002765000-memory.dmp

    Filesize

    212KB

    Download

  • memory/2824-13-0x0000000002730000-0x0000000002765000-memory.dmp

    Filesize

    212KB

    Download