Analysis

  • max time kernel
    28s
  • max time network
    30s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    14/08/2024, 15:28

Errors

Reason
Machine shutdown

General

  • Target

    mara-fix_1.5/Eset Fix.exe

  • Size

    711KB

  • MD5

    5f45b1b2eee537288ab579ba2119a00e

  • SHA1

    b383a82af3b16b0a6259283a6d8dcba373412863

  • SHA256

    8e83308224a56c555b856e82d8e8296966f6339fa89877adf817b13f1ce9f53f

  • SHA512

    4b16bbc9831a6fbfdf6176bbf3f648e51aae82b597d1d5b7242d36789034f71067e87eadaf2a835320dfc4d18772d28ba47d784bc04282d137703bf08bd95068

  • SSDEEP

    12288:TnNhuBoY8SorxgmA+nlvVlkbw5F53Vo7lKZMItwdgcCYILEpshKVlZvFp8pzmSK1:TPatCg7EPibwHjo7lKq63cCEpshK9pas

Malware Config

Signatures

  • Disables service(s) 3 TTPs
  • Sets service image path in registry 2 TTPs 1 IoCs
  • UPX packed file 5 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • AutoIT Executable 3 IoCs

    AutoIT scripts compiled to PE executables.

  • Drops file in Windows directory 2 IoCs
  • Launches sc.exe 2 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies data under HKEY_USERS 15 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 35 IoCs
  • Suspicious use of SendNotifyMessage 35 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\mara-fix_1.5\Eset Fix.exe
    "C:\Users\Admin\AppData\Local\Temp\mara-fix_1.5\Eset Fix.exe"
    1⤵
    • Sets service image path in registry
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:4200
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c sc config ekrn start= disabled
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1940
      • C:\Windows\SysWOW64\sc.exe
        sc config ekrn start= disabled
        3⤵
        • Launches sc.exe
        • System Location Discovery: System Language Discovery
        PID:2452
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c sc config ekrn start= auto
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2448
      • C:\Windows\SysWOW64\sc.exe
        sc config ekrn start= auto
        3⤵
        • Launches sc.exe
        • System Location Discovery: System Language Discovery
        PID:4764
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c net start ekrn
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2820
      • C:\Windows\SysWOW64\net.exe
        net start ekrn
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:3056
        • C:\Windows\SysWOW64\net1.exe
          C:\Windows\system32\net1 start ekrn
          4⤵
          • System Location Discovery: System Language Discovery
          PID:1728
  • C:\Windows\system32\LogonUI.exe
    "LogonUI.exe" /flags:0x4 /state0:0xa39bb055 /state1:0x41c64e6d
    1⤵
    • Modifies data under HKEY_USERS
    • Suspicious use of SetWindowsHookEx
    PID:1668

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\reset.exe

    Filesize

    348KB

    MD5

    2e5445a4c9e9a5d1168205aec44aeacf

    SHA1

    a73a1c1bf8416150249f6d829c1f465aba75aed2

    SHA256

    fe8fba8417fd77dac4a33fe4a1d661960144f94e8db505edac9f169cbe7dcddb

    SHA512

    f52c2c921f00514185d866fc70cbede7bd5e6543cab8c7cc772438f86485e3319617c0d359675de2e033d13c537e97ad6d5345aeb404c370e1519048b27691ad

  • memory/4200-0-0x0000000000400000-0x00000000004CE000-memory.dmp

    Filesize

    824KB

  • memory/4200-17-0x0000000000400000-0x00000000004CE000-memory.dmp

    Filesize

    824KB

  • memory/4200-18-0x0000000000400000-0x00000000004CE000-memory.dmp

    Filesize

    824KB

  • memory/4200-20-0x0000000000400000-0x00000000004CE000-memory.dmp

    Filesize

    824KB