Overview

overview

7

Static

static

7

5bf51f0773...d2.exe

windows7-x64

7

5bf51f0773...d2.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    147s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    23-08-2024 21:20

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    5bf51f07737d2ade121fffa2a77e4d582d3adeb68d39d1c4bdd8a247c51e0dd2.exe

  • Size

    176KB

  • MD5

    14d0ff15f0af156ac70bfe66d080aadb

  • SHA1

    9c372cdd1ee5925efb1828d399a05a0bc755db2f

  • SHA256

    5bf51f07737d2ade121fffa2a77e4d582d3adeb68d39d1c4bdd8a247c51e0dd2

  • SHA512

    1aa7a99b3d586ee0044df6a3d2d8b00b3fffdf35730d8661df6e0a3070db1d76396e10f690e40aa1d0f0b31443c99cb871f4f0491aa284c31fcccd895f679e8e

  • SSDEEP

    3072:H86wLHW98aGEbxeE5hf1jNi+FnA8PJi7K9tOa9txNoK/Gm52222222222222:lwK97FbwEFBxruKrOarxNP

Score
7/10
discoveryupx

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • UPX packed file 7 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies registry class 30 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\5bf51f07737d2ade121fffa2a77e4d582d3adeb68d39d1c4bdd8a247c51e0dd2.exe
    "C:\Users\Admin\AppData\Local\Temp\5bf51f07737d2ade121fffa2a77e4d582d3adeb68d39d1c4bdd8a247c51e0dd2.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:3720
    • C:\Users\Admin\AppData\Roaming\Microsoft\Posix\lsassys.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Posix\lsassys.exe" /START "C:\Users\Admin\AppData\Roaming\Microsoft\Posix\lsassys.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3148
      • C:\Users\Admin\AppData\Roaming\Microsoft\Posix\lsassys.exe
        "C:\Users\Admin\AppData\Roaming\Microsoft\Posix\lsassys.exe"
        3⤵
        • Executes dropped EXE
        PID:432

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Posix\lsassys.exe
    Filesize

    176KB

    MD5

    aa8dd64caafd3283250b8c23b03fcc39

    SHA1

    c68ca0cfcd81f0df805d05ce05bf3870174d7713

    SHA256

    e6e5e16ef9418ab073bf833545e0bb3c9c9f6a866731aa48bf2328b982e949cc

    SHA512

    491b369bcd06a72ad13e71c04ad4b5d823d897a956fe661f69cd0f4e58f486709246df3c919d2330682f755225027d0a572959de17c3d2f6ad1bb8f26042c542

    Download Submit

  • memory/432-52-0x0000000000AE0000-0x0000000000B48000-memory.dmp

    Filesize

    416KB

    Download

  • memory/432-54-0x0000000000AE0000-0x0000000000B48000-memory.dmp

    Filesize

    416KB

    Download

  • memory/3148-47-0x0000000000AE0000-0x0000000000B48000-memory.dmp

    Filesize

    416KB

    Download

  • memory/3148-53-0x0000000000AE0000-0x0000000000B48000-memory.dmp

    Filesize

    416KB

    Download

  • memory/3720-0-0x0000000000330000-0x0000000000398000-memory.dmp

    Filesize

    416KB

    Download

  • memory/3720-49-0x0000000000330000-0x0000000000398000-memory.dmp

    Filesize

    416KB

    Download