Overview

overview

7

Static

static

7

abf6cc14f9...0N.exe

windows7-x64

7

abf6cc14f9...0N.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    101s
  • max time network
    103s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    20/08/2024, 02:13

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    abf6cc14f90ac6004c13cfa261477be0N.exe

  • Size

    135KB

  • MD5

    abf6cc14f90ac6004c13cfa261477be0

  • SHA1

    e16e46ce71bc1cb23d883c7b872659d04aea924c

  • SHA256

    57d547dccd2ca59a4737dcf0e5df5411ec75fc0b5e40d9425f24044fbc1e6369

  • SHA512

    e1ab9719b41a1e6e7086376bb931c22a1726b982b418932ce209b601a6b7a2cae8a8d3c73ed36704d3a11ce378e80cf23f9feee4bf74ddbb35c9200afc2c9c88

  • SSDEEP

    1536:YGYU/W2/HG6QMauSV3ixJHABLrmhH7i9eNOOg00GqMIK7aGZh3SOe:YfU/WF6QMauSuiWNi9eNOl0007NZIOe

Score
7/10
defense_evasiondiscoverypersistenceupx

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • UPX packed file 5 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Indicator Removal: File Deletion 1 TTPs

    Adversaries may delete files left behind by the actions of their intrusion activity.

    defense_evasion
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\abf6cc14f90ac6004c13cfa261477be0N.exe
    "C:\Users\Admin\AppData\Local\Temp\abf6cc14f90ac6004c13cfa261477be0N.exe"
    1⤵
    • Checks computer location settings
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1752
    • C:\ProgramData\Update\wuauclt.exe
      "C:\ProgramData\Update\wuauclt.exe" /run
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:2044
    • C:\windows\SysWOW64\cmd.exe
      "C:\windows\system32\cmd.exe" /c del /q "C:\Users\Admin\AppData\Local\Temp\abf6cc14f90ac6004c13cfa261477be0N.exe" >> NUL
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2936

Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\ProgramData\Update\wuauclt.exe
          Filesize

          135KB

          MD5

          996c6edfc835359e31fb12de9c050d9e

          SHA1

          90b61c8baed65837e8367528c4e96bb73134f5bf

          SHA256

          51b873aef56143238ed816d664be6ca68d05ceef280607a6f3dfd0313dd8619e

          SHA512

          1d7b676407e1c81e8c39168f4c0efd5bf8a52ad8db9fad6c40410bbefb8e1dff3f2a3b66d673098769e0355f39a80a80d8a0bdf94911addc56a51eae1e28b093

          Download Submit

        • memory/1752-0-0x0000000000990000-0x00000000009B8000-memory.dmp

          Filesize

          160KB

          Download

        • memory/1752-6-0x0000000000990000-0x00000000009B8000-memory.dmp

          Filesize

          160KB

          Download

        • memory/1752-7-0x0000000000990000-0x00000000009B8000-memory.dmp

          Filesize

          160KB

          Download

        • memory/2044-5-0x0000000000480000-0x00000000004A8000-memory.dmp

          Filesize

          160KB

          Download