Analysis

  • max time kernel
    31s
  • max time network
    24s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
  • submitted
    24-08-2024 11:12

General

  • Target

    65483353bf8c9791c9c82f8585459160N.exe

  • Size

    135KB

  • MD5

    65483353bf8c9791c9c82f8585459160

  • SHA1

    2dc8cbd14afad5cc5976fcb4053e7363be7950e7

  • SHA256

    48233756b5944f436a0a9b4e245d6234dc7596b1e40ba1644fb6f035b2169a5a

  • SHA512

    31a1735ac89701fa92f8713ce1d7b73e6f22130c3f9f8714050f2e870e65498431b8aab42c54965b9f017015c9893010940ea36233a76658b3c221eb423f900e

  • SSDEEP

    1536:YGYU/W2/HG6QMauSV3ixJHABLrmhH7i9eNOOg00GqMIK7aGZh3SOl:YfU/WF6QMauSuiWNi9eNOl0007NZIOl

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • UPX packed file 6 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Indicator Removal: File Deletion 1 TTPs

    Adversaries may delete files left behind by the actions of their intrusion activity.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\65483353bf8c9791c9c82f8585459160N.exe
    "C:\Users\Admin\AppData\Local\Temp\65483353bf8c9791c9c82f8585459160N.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2732
    • C:\ProgramData\Update\wuauclt.exe
      "C:\ProgramData\Update\wuauclt.exe" /run
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:2824
    • C:\windows\SysWOW64\cmd.exe
      "C:\windows\system32\cmd.exe" /c del /q "C:\Users\Admin\AppData\Local\Temp\65483353bf8c9791c9c82f8585459160N.exe" >> NUL
      2⤵
      • Deletes itself
      • System Location Discovery: System Language Discovery
      PID:2784

Network

MITRE ATT&CK Enterprise v15


Downloads

  • \ProgramData\Update\wuauclt.exe

    Filesize

    135KB

    MD5

    facbb0c7e90e649d01a800a2a4e38ca8

    SHA1

    fa95587e62bae0a07c071237e59f0a7005b3eff6

    SHA256

    911817622c9239c8661f50f835994f86381a2b8bc817fa3bd8897c4cb65efddc

    SHA512

    534b2d68c4ce2cded1d1dbaad94d9b939e4895f00255e43e8c4d5d62e3216ef112a3644d95ede5b6db187e1e4b30aefcdef0d149014f8ca5ca6a60838f70e1f2

  • memory/2732-0-0x0000000000A70000-0x0000000000A98000-memory.dmp

    Filesize

    160KB

  • memory/2732-5-0x0000000000120000-0x0000000000148000-memory.dmp

    Filesize

    160KB

  • memory/2732-8-0x0000000000A70000-0x0000000000A98000-memory.dmp

    Filesize

    160KB

  • memory/2732-9-0x0000000000120000-0x0000000000148000-memory.dmp

    Filesize

    160KB

  • memory/2732-11-0x0000000000A70000-0x0000000000A98000-memory.dmp

    Filesize

    160KB

  • memory/2824-7-0x0000000000B90000-0x0000000000BB8000-memory.dmp

    Filesize

    160KB

  • memory/2824-10-0x0000000000B90000-0x0000000000BB8000-memory.dmp

    Filesize

    160KB