Analysis

  • max time kernel
    120s
  • max time network
    94s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    05-09-2024 12:44

General

  • Target

    a763906d44e5ea389189e1dba72b7ea0N.exe

  • Size

    72KB

  • MD5

    a763906d44e5ea389189e1dba72b7ea0

  • SHA1

    af6bcc5ee1dabd86be7113e8dfe8731a8d039a9c

  • SHA256

    87f878ca59e44316c88fc1ac09a595899c4717a415d5a5b8792a0e561d4e7f6f

  • SHA512

    9a8d3090d0b7934fca1a0be65de7ca5d50beb79fd9a257a6de2a0110ff8752335a4c82ac45ac587bb3d19d2dcd38a510cfa4acb88509bc488af7928a418c0a7f

  • SSDEEP

    1536:yMp8CyThXLmVyuV7GNKLkjP5zuSQxIF3+ftQSK5Rv7:yMuZTQISGCuPFF8Q3+Cv5RD

Score
7/10

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up the country code configured in the registry, likely for geofencing.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • UPX packed file 4 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a763906d44e5ea389189e1dba72b7ea0N.exe
    "C:\Users\Admin\AppData\Local\Temp\a763906d44e5ea389189e1dba72b7ea0N.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:4188
    • C:\Users\Admin\AppData\Local\Temp\Sysceamqhkqq.exe
      "C:\Users\Admin\AppData\Local\Temp\Sysceamqhkqq.exe"
      2⤵
      • Deletes itself
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:3644

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\AppData\Local\Temp\Sysceamqhkqq.exe

    Filesize

    72KB

    MD5

    4f9f8f8cf6cccdd63585c23b01711764

    SHA1

    aecc0f5b80ca9b08010b3b5a1e2d215a18ed5cca

    SHA256

    55e5adff354a6b5fffa29abe4ba144e88f778cb92772b27f64e0504c97dbc8e5

    SHA512

    2d9837bfe2f9c599d06989601b476b186a85c28beb734d170289d599a0d52fc892a80ddbb068254ae1146a61415712cd3382f8fd7ce20467f16cef991182cc4d

  • C:\Users\Admin\AppData\Local\Temp\cpath.ini

    Filesize

    71B

    MD5

    60a041b3716e4a91ca626326f776796c

    SHA1

    e6e029474a8c2c965c28181863cf8e59b36bc1a0

    SHA256

    039b95ac920e8519cbd91e852a52112ea5f6e7cc47b2dd23de6d5b4d7f44d3a8

    SHA512

    2d00d84a4fe4656d603e514a4b6d90150cd9b841b9ce15d5e7969071197ca65e515a8b88c5eb1f7b36ad200a9ea6b562afc48fcbd1bfe33c5263b84845c2f4ad

  • memory/3644-42-0x0000000000400000-0x0000000000466000-memory.dmp

    Filesize

    408KB

  • memory/4188-0-0x0000000000400000-0x0000000000466000-memory.dmp

    Filesize

    408KB

  • memory/4188-41-0x0000000000400000-0x0000000000466000-memory.dmp

    Filesize

    408KB