Analysis

  • max time kernel
    122s
  • max time network
    127s
  • platform
    windows7_x64
  • resource
    win7-20240705-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240705-en, locale:en-us, os:windows7-x64, system
  • submitted
    01-09-2024 20:51

General

  • Target

    31ce9a4555eec4a271d1f4f66b4481f7268d2fd033d03efbc9af88add3524d32.exe

  • Size

    232KB

  • MD5

    3b9a24122715895bca73202126c31e85

  • SHA1

    6a15d34fa9dc40e05b3fc16ad5a344414e2ccdb1

  • SHA256

    31ce9a4555eec4a271d1f4f66b4481f7268d2fd033d03efbc9af88add3524d32

  • SHA512

    d97d787f53c712e8bd9f30b2808588ff8a727b82b970cb82b88567a1c7fb9aeac7a0b6cf8cff2801062a312643f6dda94c477908f273e24be317b1fcb3a7b46e

  • SSDEEP

    3072:G1i/NU8bOMYcYYcmy51VRgiFCpCIXUWOLTsEsigcL3P6xxc1VOz1i/NU82OMYcYU:gi/NjO5xbg/CSUFLTwMjs6oi/N+O7

Malware Config

Signatures

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 2 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • UPX packed file 4 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops file in System32 directory 2 IoCs
  • Hide Artifacts: Hidden Files and Directories 1 TTPs 7 IoCs
  • Drops file in Windows directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 16 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies Internet Explorer settings 1 TTPs 35 IoCs
  • Modifies Internet Explorer start page 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 7 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Views/modifies file attributes 1 TTPs 7 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\31ce9a4555eec4a271d1f4f66b4481f7268d2fd033d03efbc9af88add3524d32.exe
    "C:\Users\Admin\AppData\Local\Temp\31ce9a4555eec4a271d1f4f66b4481f7268d2fd033d03efbc9af88add3524d32.exe"
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Drops file in System32 directory
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Modifies Internet Explorer settings
    • Modifies Internet Explorer start page
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2404
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" http://www.ymtuku.com/xg/?tan
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1916
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1916 CREDAT:275457 /prefetch:2
        3⤵
        • System Location Discovery: System Language Discovery
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:916
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c attrib +h "C:\Documents and Settings\All Users\桌面\Internet Explorer.lnk"
      2⤵
      • Hide Artifacts: Hidden Files and Directories
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2700
      • C:\Windows\SysWOW64\attrib.exe
        attrib +h "C:\Documents and Settings\All Users\桌面\Internet Explorer.lnk"
        3⤵
        • System Location Discovery: System Language Discovery
        • Views/modifies file attributes
        PID:2752
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c attrib +h "C:\Documents and Settings\Admin\桌面\Internet Explorer.lnk"
      2⤵
      • Hide Artifacts: Hidden Files and Directories
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2832
      • C:\Windows\SysWOW64\attrib.exe
        attrib +h "C:\Documents and Settings\Admin\桌面\Internet Explorer.lnk"
        3⤵
        • System Location Discovery: System Language Discovery
        • Views/modifies file attributes
        PID:2804
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c attrib +h "C:\Documents and Settings\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\启动 Internet Explorer 浏览器.lnk"
      2⤵
      • Hide Artifacts: Hidden Files and Directories
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2716
      • C:\Windows\SysWOW64\attrib.exe
        attrib +h "C:\Documents and Settings\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\启动 Internet Explorer 浏览器.lnk"
        3⤵
        • System Location Discovery: System Language Discovery
        • Views/modifies file attributes
        PID:2724
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c attrib +h "C:\Documents and Settings\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\Internet Explorer.lnk"
      2⤵
      • Hide Artifacts: Hidden Files and Directories
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2436
      • C:\Windows\SysWOW64\attrib.exe
        attrib +h "C:\Documents and Settings\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\Internet Explorer.lnk"
        3⤵
        • System Location Discovery: System Language Discovery
        • Views/modifies file attributes
        PID:2876
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c attrib +h "C:\Documents and Settings\Admin\「开始」菜单\程序\Internet Explorer.lnk"
      2⤵
      • Hide Artifacts: Hidden Files and Directories
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2620
      • C:\Windows\SysWOW64\attrib.exe
        attrib +h "C:\Documents and Settings\Admin\「开始」菜单\程序\Internet Explorer.lnk"
        3⤵
        • System Location Discovery: System Language Discovery
        • Views/modifies file attributes
        PID:2812
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c attrib +h "C:\WINDOWS\windows.exe"
      2⤵
      • Hide Artifacts: Hidden Files and Directories
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2728
      • C:\Windows\SysWOW64\attrib.exe
        attrib +h "C:\WINDOWS\windows.exe"
        3⤵
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Views/modifies file attributes
        PID:2704
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c attrib +h "c:\system.exe"
      2⤵
      • Hide Artifacts: Hidden Files and Directories
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2596
      • C:\Windows\SysWOW64\attrib.exe
        attrib +h "c:\system.exe"
        3⤵
        • System Location Discovery: System Language Discovery
        • Views/modifies file attributes
        PID:2636
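
The seven cmd.exe / attrib.exe pairs and the Internet Explorer launch are the most useful detection material in this tree. Every `attrib +h` targets either an Internet Explorer shortcut or one of the two executables the sample drops into a system root (C:\WINDOWS\windows.exe, c:\system.exe). The shortcut paths use Chinese-locale folder names (桌面 is Desktop, 「开始」菜单\程序 is Start Menu\Programs, 启动 Internet Explorer 浏览器 is the Quick Launch "Launch Internet Explorer Browser" shortcut), so the sample was evidently written for Chinese Windows and the Desktop and Start Menu paths it names do not exist on this en-us image. Note also that each command line asks for C:\Windows\System32\cmd.exe while the process image is C:\Windows\SysWOW64\cmd.exe: the sample is 32-bit and WOW64 file-system redirection substitutes the 32-bit binaries. The Active Setup persistence and the start-page change listed under Signatures are registry writes, which a process tree cannot show, so they are out of scope here.

The block below is an added example, not sandbox output or code from the report. It re-implements the Hide Artifacts and browser-launch behaviours as rules over process-creation records; the record fields (pid, ppid, image, cmdline) are an assumed schema, and the records themselves are constructed from the PIDs and command lines in the tree above.

```python
import re
from collections import Counter

# ATT&CK Enterprise technique for "Hide Artifacts: Hidden Files and Directories".
T_HIDDEN_FILES = "T1564.001"

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\31ce9a4555eec4a271d1f4f66b4481f7268d2fd033d03efbc9af88add3524d32.exe"
IE64 = r"C:\Program Files\Internet Explorer\iexplore.exe"
IE32 = r"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"
CMD = r"C:\Windows\SysWOW64\cmd.exe"      # requested as System32\cmd.exe; WOW64 redirects the 32-bit caller
ATTRIB = r"C:\Windows\SysWOW64\attrib.exe"

# (cmd.exe pid, attrib.exe pid, target) for the seven hide operations in the tree above.
HIDE_TARGETS = [
    (2700, 2752, r"C:\Documents and Settings\All Users\桌面\Internet Explorer.lnk"),
    (2832, 2804, r"C:\Documents and Settings\Admin\桌面\Internet Explorer.lnk"),
    (2716, 2724, r"C:\Documents and Settings\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\启动 Internet Explorer 浏览器.lnk"),
    (2436, 2876, r"C:\Documents and Settings\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\Internet Explorer.lnk"),
    (2620, 2812, r"C:\Documents and Settings\Admin\「开始」菜单\程序\Internet Explorer.lnk"),
    (2728, 2704, r"C:\WINDOWS\windows.exe"),
    (2596, 2636, r"c:\system.exe"),
]


def build_events():
    """Process-creation records (constructed; ppid 0 stands for the sandbox launcher)."""
    events = [
        {"pid": 2404, "ppid": 0, "image": SAMPLE, "cmdline": f'"{SAMPLE}"'},
        {"pid": 1916, "ppid": 2404, "image": IE64, "cmdline": f'"{IE64}" http://www.ymtuku.com/xg/?tan'},
        {"pid": 916, "ppid": 1916, "image": IE32, "cmdline": f'"{IE32}" SCODEF:1916 CREDAT:275457 /prefetch:2'},
    ]
    for cmd_pid, attrib_pid, target in HIDE_TARGETS:
        events.append({"pid": cmd_pid, "ppid": 2404, "image": CMD,
                       "cmdline": f'"C:\\Windows\\System32\\cmd.exe" /c attrib +h "{target}"'})
        events.append({"pid": attrib_pid, "ppid": cmd_pid, "image": ATTRIB,
                       "cmdline": f'attrib +h "{target}"'})
    return events


_ATTRIB_HIDE = re.compile(r'\battrib(?:\.exe)?\s+\+h\s+"?([^"]+)"?', re.I)
_URL = re.compile(r"https?://\S+", re.I)
BROWSER_PARENTS = {"explorer.exe", "iexplore.exe"}   # parents for which a URL launch is normal


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def why_suspicious_hide(target):
    """Reason string if hiding `target` matches the behaviour in the tree, else None."""
    t = target.lower()
    if t.endswith(".lnk"):
        return "shortcut hidden"
    parent = t.rsplit("\\", 1)[0] if "\\" in t else ""
    if t.endswith(".exe") and parent in {"c:", "c:\\windows"}:
        return "executable hidden in a system root"
    return None


def ancestry(events, pid):
    """PIDs from `pid` up to the root of the tree, leaf first."""
    by_pid = {e["pid"]: e for e in events}
    chain = []
    while pid in by_pid:
        chain.append(pid)
        pid = by_pid[pid]["ppid"]
    return chain


def detect(events):
    by_pid = {e["pid"]: e for e in events}
    findings, seen = [], set()
    for e in events:
        root = ancestry(events, e["pid"])[-1]
        m = _ATTRIB_HIDE.search(e["cmdline"])
        # Fire once per target, on whichever of the cmd.exe wrapper or attrib.exe is seen first,
        # so the rule still fires if attrib.exe itself is blocked from starting.
        if m and m.group(1).lower() not in seen:
            why = why_suspicious_hide(m.group(1))
            if why:
                seen.add(m.group(1).lower())
                findings.append({"rule": "attrib_hide", "technique": T_HIDDEN_FILES,
                                 "pid": e["pid"], "root": root, "detail": f"{why}: {m.group(1)}"})
        if basename(e["image"]) == "iexplore.exe":
            parent, url = by_pid.get(e["ppid"]), _URL.search(e["cmdline"])
            if url and parent and basename(parent["image"]) not in BROWSER_PARENTS:
                findings.append({"rule": "browser_launched_by_non_browser", "technique": None,
                                 "pid": e["pid"], "root": root,
                                 "detail": f"{basename(parent['image'])} opened {url.group(0)}"})
    return findings


def summarize(findings):
    return Counter(f["rule"] for f in findings)


if __name__ == "__main__":
    found = detect(build_events())
    for f in found:
        print(f"{f['rule']:<32} {f['technique'] or '-':<10} pid={f['pid']:<5} root={f['root']} {f['detail']}")
    print(dict(summarize(found)))
```

Run against the constructed records this reports seven `attrib_hide` findings and one browser launch, all with root PID 2404. The `root` field is what ties the 14 short-lived cmd.exe/attrib.exe processes back to the sample; on a real endpoint feed, grouping by root rather than alerting per process is what keeps this rule from producing seven tickets for one infection.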

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    0623451682947b859c33e849f40512eb

    SHA1

    66d5fe5d30d526a2e3b0e10de2c6d635d4cf8121

    SHA256

    35c042ba1fa0f0648757fa9bfd7082b3243565fe49e792335ed9fbcf63e45342

    SHA512

    98964f7368a14d39e5c674b95e164c08ec7f7bb31e53abf8456f8e02a3d70d7b8a9d3c3cb385f8d8b3d4ccf928184588e2bb1bf1c7abf603a0c6748d92b8a26e

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    e8a6a301a4c31bae346c4a0fcd52db49

    SHA1

    a769c6ac7e5c0281d97ec6eddbd76668d19db104

    SHA256

    e32db234fb88d7479a6059c8471795c20cda3bcb018beee56c5705a31e0b68cf

    SHA512

    9745134fb3b61f0f5309259242fca86d9ab12bce65c03ef9a076ab48a7e9245a1d582a440e7cbd662b1c71a3d2b958c31b40f3a9a8509b66ebd502101be9d9d2

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    16f4097585a8eef4ce3f16072020c37d

    SHA1

    03c6813e3e6cb9f0d9de930b64086fef3337be32

    SHA256

    470da1b7c7c6aa6c9bac7914df1a40bd82be27b20636c64fb157f5c4b10b9856

    SHA512

    b85cb89bdd37ff7f839075006853d23e12a2e0c84f0fdd69248644a8bfaaed8b2ea0916925cf7d7cb4fad64cd627cc1e5e4a6cda59b3525af6fe5d7544986047

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    fbfec4e6a51217866df325d28f269e20

    SHA1

    cef63c80f062ace184e9f75306161eecbad358c3

    SHA256

    d1bbfd264784f2311d740712892dc7a98cff56e58ffda1285412b91c3114870d

    SHA512

    1c2f324bd2ccd42bba9489de0400a4c9854aa7ef36f4d05728025d88f473547a9cd353fc593319e661bb439d5513d855e1bc25ba42e1b313980dba8a0025d11f

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    7cd94fe16a582fa27643834dcf66baef

    SHA1

    bae107a12fe225a5b1121a27f06bc8d83fcad17c

    SHA256

    03992ce9f70608ad494a481eed251523fced0a109682c23c240174ca5b763f3c

    SHA512

    028ad5f74ecb8b63ecba11529e84cfcd6a7963b1bacf3b91be4507e7e70c76637e7f7419a527c7c6f6124db50e481af57f89b2ef0da4bc57ffdda8a50ff6c935

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    102a3154ceec67ba467be4342110f1e9

    SHA1

    67f7dcbc011916e59acac71c1119fcd11d732d72

    SHA256

    267a4fb83aa214d89b8b893ea10371cc324f90e4aae4f366c3642d6d4e20222c

    SHA512

    76b90f13c89ad2c4eb682c38258c156e14e0271751922dc6d70cf76688073cf035bef5c540411f6be7df007f93a360d7d5634dedb2fff79da86b4f9dfb7bd7a3

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    71cc461f65a8b2e6eba8930005ec44e1

    SHA1

    70ac2ebb4955c9ee85f56a5068bca63fada9db8d

    SHA256

    46ee962382a2cf0be444aa13f5be0cee3a5677c7c9c5089e5d172db05d55ffcc

    SHA512

    d0f855048cbc68987dc3c945c562f4d70534618855e6f4178bb05862a49d25adca1dd57874b3295d7d89bbbcd1dc0e1a25e3dc148458aeb042fc5a03f69bcb3d

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    f97cb43b0e3051c5135140113339a641

    SHA1

    9bd02478c6fdaec2d0cd787417e2e2be6f190b81

    SHA256

    3fe695656c4da77b8b4a6fd6ebbb445464a594a9988df94be46221bcc46892a6

    SHA512

    8743e742132845aeaa2ff2699bf20241a5dc3da4e8f8dee8dd07ba36a76c96a29f427ab66c7242adba2c122fa19b56d12bfa3e3ebf01338e13f869d6d8e634ab

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    923159b9a0f611510f939c5b230077eb

    SHA1

    99f614690d7e8ea1b9f48262e44aecf669d43966

    SHA256

    c9405d688dabff5ce7fcd3a294a4b86b320964c9693349a9c0415d63448ac8d8

    SHA512

    d64de0be102c34ddc6dce75f432f6b71d86f26d75a10ff55cc0cdbfc699578dac79979d033eb9800a7df94381bc498b2e961ac8f434f0c47cc42d45fc9f60d25

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    9db40fea0a4aad5495f402ecd4fae41f

    SHA1

    418786a866b1278bea745a26d648d9d440d25aef

    SHA256

    9431a5e08cbfc86a10d54b0d632981378167e5b8f11fb74ad72092af2860016b

    SHA512

    33f1c803a03c5a7e92583af72f3da4961420505bcc066b9bd2f6d965762a377fb6efb3ede7da3f83e0e6f0fd21bb6d802a4ade137372de93a84955de29b8c963

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    29608fc026e9667b2b236bba8b63e637

    SHA1

    1fbf94b8cfd466d160af2bec7fcc4d97bec3ed78

    SHA256

    308b652958b86d79ec48a9b6deb15bf322556cb22276a8e4a06f26559b22cd80

    SHA512

    ee36ebbdf4eb51e142ab6fd989994f5039525395e45e042e86bebd3ae1ee43c60588b2c1823f482d4a1fa38a78eca6f6574b0c5e3ab5ca204f2989b1d67c7e15

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    b892b30c2625c46e4b0229cf39d485dc

    SHA1

    6890594cbd50d129c5547eb4496d9183624ee1cd

    SHA256

    ca27c0f32b52ab095cf633aed18bd4b451cacdf530b2f7b0492bbf44d8c04c28

    SHA512

    305182273362400258fe527bbf522b6bbd0103cabdb76338f79dfcfad08be3c2fbf00b386812a66a8bd5b722621822bceae04f3dfb7b4eca9e85816ff76256aa

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    9ae9b23fad45cca561dbda1c70923690

    SHA1

    92881e46934ab24c2a1b2add69c470e9f1faab55

    SHA256

    45c48e8bf4e2a18d8ec594d3f079478c95787e8ad2a628c3ca7296a82dcd8cbf

    SHA512

    153e68d9af349ae51a62c10bbb380ab0f0664e22b9f48c81d83622c76e3bd7362389c77fcd001b19549a02e2c05d36030c6945a63549f23dc95d290e74ba751b

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    2d8f7d25a0947ad6901deef817d85369

    SHA1

    98913e28b1498342c0a879280c222535e36abd22

    SHA256

    5880e14f3b38417c7a7ff1621a5e96428a0462d74a71c216ad5c2230923420e6

    SHA512

    6085ff042c33031783575b96f816b5ab3d4eca4334683f4abd629a6e5e72bf32bed073460422d386eaf752d868ad0f50d554c4d756f873cf8cedc50866246d3d

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    749634f56a2f7e9ffbbdecd4db8f55d3

    SHA1

    7a3c863ff0254a6f021fb99664412e64b7baf2d0

    SHA256

    fc0658802b94d73642e3b9745bd6765c513266f42f5541a0a1706ec9f202a8b8

    SHA512

    a39447380f851e4193488b66e7a7cd4fe3ec02e6188a9dadb9ea09ac1be85b9891a2f1a78ab93e2ce0d823080ee8ea9765fbcbb5f93c81baffcf964265841e7c

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    a5be648c45b380b420ffabf19ed24c00

    SHA1

    9280685ee842950c0faba9ca874f51b84d9dca28

    SHA256

    9084d6e05da3fcbeae81f793ce6626a2116e35c7360ce412ca25f07995593172

    SHA512

    c8d532695b1352b179bd9958461dfda32e7fce5aac42fcd348fa72839ad68064dcbb1ddefde33e6b50902cebfc627da671b5b675fa0e5aee0a71b65855786677

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    ed31a6cbf82dd53d68952fa39f68a9df

    SHA1

    8a8bd17fd6d31cb57f97d1e4bd7cbbcf95250326

    SHA256

    dea3cfd0a5e142bec54db9cf21baacfb9175cb0b8fcc40b543efbf2969dd476c

    SHA512

    616ff783219ac3c71d1a2d18073f57ba06c8ed9d42191dd4bc2b149c869fe75b97882dd435c2340839648cd0cd4d919dd898a3d0663bb5eb3d9a7eb933bfff01

  • C:\Users\Admin\AppData\Local\Temp\CabEA14.tmp

    Filesize

    70KB

    MD5

    49aebf8cbd62d92ac215b2923fb1b9f5

    SHA1

    1723be06719828dda65ad804298d0431f6aff976

    SHA256

    b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

    SHA512

    bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

  • C:\Users\Admin\AppData\Local\Temp\TarEA84.tmp

    Filesize

    181KB

    MD5

    4ea6026cf93ec6338144661bf1202cd1

    SHA1

    a1dec9044f750ad887935a01430bf49322fbdcb7

    SHA256

    8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

    SHA512

    6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

  • C:\WINDOWS\windows.exe

    Filesize

    232KB

    MD5

    6b21b8b9506090bc155c6b42aafc7e6b

    SHA1

    95d24006871fe508d6942675d65a29656173fd50

    SHA256

    236fc6fb6623dcbbdeedb3b1a9aeb2b2e099d16efc09e34e87a642af98519c07

    SHA512

    28884e634dff6a6f5eee35e91a9e7c075433d44e00917b24e30c7d12d06dd47402ae5ef32eec0157ecb6e417f44decc056ef58b2c168adea08713bc9690bc0ec

  • C:\system.exe

    Filesize

    232KB

    MD5

    4f7ac27d348a2feb2370aa53a07f3023

    SHA1

    70442632c369e0bba54f3a3280719bf71ff1a092

    SHA256

    feeb1e25ed808e62759d1344e08f6ee4c159a4b5c981ecbeeeb9e84b5465886f

    SHA512

    c415e0a4823072557628e3f1b00719151dc790376a52ad9b68cbead84085f7adf83eb599f65402b6e1caa77f47119c9f2328feebe14116d2a1fa26e89d13f798

  • memory/2404-16-0x0000000000400000-0x000000000043A000-memory.dmp

    Filesize

    232KB

  • memory/2404-0-0x0000000000400000-0x000000000043A000-memory.dmp

    Filesize

    232KB
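
Three files in this list are 232KB: the submitted sample, C:\WINDOWS\windows.exe and C:\system.exe, and each has a different hash. A hunt keyed only on the submitted file's SHA256 therefore misses the dropped copies; hunt on the dropped paths together with their own hashes, and treat a 232KB file at either path with a hash that differs from the ones above as a possible variant rather than a clean miss. The 17 entries under CryptnetUrlCache\MetaData are CryptoAPI's cache of certificate revocation and trust-list downloads, written when Internet Explorer loaded the page, and are not indicators of this sample; the Cab*.tmp / Tar*.tmp pair in Temp usually belongs to the same CryptoAPI download in sandbox runs and should be treated the same way unless it correlates across unrelated samples.

The following is an added example, not code from the report: it filters the Downloads list down to the paths worth hunting and checks a host for the two dropped files. The root-directory parameter, the status strings and the temporary directory with a constructed placeholder system.exe are this example's own conventions.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Dropped path (relative to the system drive root) -> SHA256 from the Downloads list above.
DROPPED = {
    "WINDOWS/windows.exe": "236fc6fb6623dcbbdeedb3b1a9aeb2b2e099d16efc09e34e87a642af98519c07",
    "system.exe": "feeb1e25ed808e62759d1344e08f6ee4c159a4b5c981ecbeeeb9e84b5465886f",
}
SAMPLE_SHA256 = "31ce9a4555eec4a271d1f4f66b4481f7268d2fd033d03efbc9af88add3524d32"

# A representative subset of the paths in the Downloads list above.
REPORT_PATHS = [
    r"C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015",
    r"C:\Users\Admin\AppData\Local\Temp\CabEA14.tmp",
    r"C:\Users\Admin\AppData\Local\Temp\TarEA84.tmp",
    r"C:\WINDOWS\windows.exe",
    r"C:\system.exe",
    "memory/2404-0-0x0000000000400000-0x000000000043A000-memory.dmp",
]

# CryptoAPI cache entries, the Cab/Tar temp pair and sandbox memory dumps are not host indicators.
_NOISE = re.compile(r"\\CryptnetUrlCache\\|\\Temp\\(Cab|Tar)[0-9A-F]{4}\.tmp$|^memory/", re.I)


def hunt_worthy(paths):
    """Keep only the paths from the report that are worth looking for on a host."""
    return [p for p in paths if not _NOISE.search(p)]


def sha256_of(path, chunk=1 << 20):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def check_dropped_files(root, iocs=DROPPED):
    """Map each dropped path under `root` to 'absent', 'match' or 'present, hash differs'.

    The sample sets +h on these files; Path.is_file() still sees hidden files, so the only
    thing to avoid is relying on a directory listing that skips hidden entries."""
    results = {}
    for rel, expected in iocs.items():
        p = Path(root) / rel
        if not p.is_file():
            results[rel] = "absent"
        elif sha256_of(p) == expected:
            results[rel] = "match"
        else:
            results[rel] = "present, hash differs"
    return results


def constructed_root():
    """Temp directory standing in for the system drive, holding a constructed placeholder
    system.exe (not the real dropped file) so the check can be exercised offline."""
    root = tempfile.mkdtemp(prefix="drop-check-")
    (Path(root) / "system.exe").write_bytes(b"MZ constructed placeholder, not malware\n")
    return root


if __name__ == "__main__":
    print("hunt for:", hunt_worthy(REPORT_PATHS))
    # On a real Windows host the root would be the system drive, e.g. check_dropped_files("C:\\").
    print(check_dropped_files(constructed_root()))
```

Against the constructed directory this reports windows.exe as absent and system.exe as "present, hash differs", which is exactly the outcome to expect from a variant of this sample: the path is the stable indicator, the hash is not.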