Analysis

  • max time kernel
    93s
  • max time network
    100s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    02/09/2024, 07:40

General

  • Target

    94754cefc063f4714ff41d4159837cf0N.exe

  • Size

    678KB

  • MD5

    94754cefc063f4714ff41d4159837cf0

  • SHA1

    0415810fd50ea45e09958389eec8823c469d5523

  • SHA256

    1f4ba905eea3da2b39b4a3effaeca8a737d325a474ac41bf5d81e70633916b2c

  • SHA512

    15c252a4d3fe8516e67a60c23659ddfbc35f06063e51cf2993c5777a41bd48923c6a16458af29aa11295e3aa43ca6327eb03926ef99484f9a431a4d0e4bfce08

  • SSDEEP

    12288:7tKe6Zv23YLVFhBsC8iFHs+hsuQXIQRUP/g8t55VGGWEs4UE0LP:v6Zv2ivhBVnFvh5Q44UP48eEDUE0LP

Malware Config

Signatures

  • Boot or Logon Autostart Execution: Active Setup (2 TTPs, 2 IoCs)

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Modifies system executable filetype association (2 TTPs, 1 IoC)
  • UPX packed file (3 IoCs)

    Detects executables packed with UPX/modified UPX open source packer.

  • Adds Run key to start application (2 TTPs, 2 IoCs)
  • Drops file in System32 directory (6 IoCs)
  • Program crash (1 IoC)
  • System Location Discovery: System Language Discovery (1 TTP, 1 IoC)

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry class (5 IoCs)
  • Suspicious behavior: EnumeratesProcesses (1 IoC)
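
The "UPX packed file" signature above is a static check on the PE section table. The following is an added example written for this page, not code from the sandbox or its signature engine. It parses the section table with Python's struct module and applies two heuristics: the stock UPX section names (UPX0/UPX1), and the layout the UPX stub leaves behind regardless of naming (a first section with zero bytes on disk but a large virtual size, and writable plus executable code sections), which is what still fires on a modified UPX build that renames its sections. The build_pe() helper and the three sample images are constructed test data, not the submitted sample or the dropped concp32.exe.

```python
import struct

# IMAGE_SCN_* section characteristics from winnt.h
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000
WX = IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_WRITE

SECTION_HDR = "<8sIIIIIIHHI"  # IMAGE_SECTION_HEADER, 40 bytes


def parse_sections(data: bytes) -> list:
    """Return the section table of a PE image as a list of dicts."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    coff = e_lfanew + 4
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    _, nsec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    table = coff + 20 + opt_size  # section table follows the optional header
    sections = []
    for i in range(nsec):
        name, vsize, vaddr, rsize, _, _, _, _, _, flags = struct.unpack_from(
            SECTION_HDR, data, table + i * 40)
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "vsize": vsize, "vaddr": vaddr, "rsize": rsize, "flags": flags,
        })
    return sections


def upx_indicators(sections: list) -> dict:
    """Map indicator name -> explanation for every UPX trait found."""
    found = {}
    names = [s["name"] for s in sections]
    if any(n.startswith("UPX") for n in names):
        found["upx_names"] = "section names %s match stock UPX" % names
    if len(sections) >= 2:
        first = sections[0]
        # UPX0 holds nothing on disk; the stub in UPX1 decompresses into it at run time
        if first["rsize"] == 0 and first["vsize"] > 0:
            found["empty_first_section"] = (
                "%s has 0 bytes on disk but 0x%x bytes in memory"
                % (first["name"], first["vsize"]))
        # both the destination and the stub section must be writable and executable
        if all((s["flags"] & WX) == WX for s in sections[:2]):
            found["wx_sections"] = "first two sections are writable and executable"
    return found


def is_upx_packed(data: bytes) -> bool:
    """Stock names alone are conclusive; renamed builds need both layout traits."""
    found = upx_indicators(parse_sections(data))
    return "upx_names" in found or {"empty_first_section", "wx_sections"}.issubset(found)


def build_pe(sections: list) -> bytes:
    """Constructed test data: a headers-only PE32 image (no real code) with the
    given (name, virtual_size, raw_size, characteristics) sections."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)           # e_lfanew -> PE header at 0x40
    optional = struct.pack("<H", 0x10B) + bytes(222)  # PE32 magic, rest zeroed
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, len(optional), 0x0102)
    table, va, raw = b"", 0x1000, 0x400
    for name, vsize, rsize, flags in sections:
        table += struct.pack(SECTION_HDR, name.encode().ljust(8, b"\0"),
                             vsize, va, rsize, raw if rsize else 0, 0, 0, 0, 0, flags)
        va += (vsize + 0xFFF) & ~0xFFF
        raw += rsize
    return bytes(dos) + b"PE\0\0" + coff + optional + table


# Constructed samples, not the report's binaries.
RSRC = IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ
STOCK_UPX = build_pe([("UPX0", 0x30000, 0, WX | IMAGE_SCN_MEM_READ),
                      ("UPX1", 0x9000, 0x8A00, WX | IMAGE_SCN_MEM_READ),
                      (".rsrc", 0x1000, 0x600, RSRC)])
RENAMED_UPX = build_pe([(".text", 0x30000, 0, WX | IMAGE_SCN_MEM_READ),
                        (".data", 0x9000, 0x8A00, WX | IMAGE_SCN_MEM_READ),
                        (".rsrc", 0x1000, 0x600, RSRC)])
PLAIN = build_pe([(".text", 0x5000, 0x5000, IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ),
                  (".data", 0x1000, 0x400, IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE),
                  (".rsrc", 0x800, 0x800, RSRC)])

if __name__ == "__main__":
    for label, image in (("stock UPX", STOCK_UPX), ("renamed UPX", RENAMED_UPX), ("plain", PLAIN)):
        print(label, is_upx_packed(image), upx_indicators(parse_sections(image)))
```

A positive result only says the file carries a UPX-style stub; it says nothing about what the payload does, and a packer that also rewrites section sizes or flags would evade this check, so in practice it is paired with section entropy and an entry point that lands in the last code section. Running the same check on the dropped concp32.exe would show whether the persistence copy keeps the packer or is written out unpacked.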

Processes

  • C:\Users\Admin\AppData\Local\Temp\94754cefc063f4714ff41d4159837cf0N.exe
    "C:\Users\Admin\AppData\Local\Temp\94754cefc063f4714ff41d4159837cf0N.exe"
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Modifies system executable filetype association
    • Adds Run key to start application
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    PID:3824
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3824 -s 756
      2⤵
      • Program crash
      PID:3916
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 3824 -ip 3824
    1⤵
    PID:4108

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\SysWOW64\concp32.exe

    Filesize

    684KB

    MD5

    e7dbbd00ba2af9f595df884dbf4231a1

    SHA1

    14399fb98d2b7888e7b2e6d7d1191115c430432a

    SHA256

    e50fe692c1bee3acca18cf7e15e49b750cd417686c3036c6838360c6f44c8798

    SHA512

    d403c43114aa75646d202190896b8ff93d0711f0b3f4a48b379196682b965993d2f7cbe911d492d92a150174b3b6e6b7426d19971c7581af06d475b28012ee5d

  • memory/3824-0-0x0000000000400000-0x0000000000439000-memory.dmp

    Filesize

    228KB

  • memory/3824-7-0x0000000000400000-0x0000000000439000-memory.dmp

    Filesize

    228KB