Overview

overview

7

Static

static

3

d0f7e1b519...0N.exe

windows7-x64

7

d0f7e1b519...0N.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    120s
  • max time network
    122s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    09/09/2024, 00:22

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    d0f7e1b5196772528ce410b695e2daa0N.exe

  • Size

    133KB

  • MD5

    d0f7e1b5196772528ce410b695e2daa0

  • SHA1

    80380bfc187b7327a99a605a44fc1d4a12984782

  • SHA256

    74be29a741738584dee133775ca5113c9e5a47ae604c1532e27b66890006cd05

  • SHA512

    dcb0687ceaef8d757c3c0217b97337aea9b725b1f1531e3dd216d76e16aabbaaf9bc0f681968645c85cf0ed29fde0a5139f668b82d1fd4139c62f732d2af49f9

  • SSDEEP

    3072:sEboFVlGAvwsgbpvYfMTc72L10fPsout6nnn:rBzsgbpvnTcyOPsoS6nnn

Score
7/10
discoveryupx

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 4 IoCs
  • UPX packed file 33 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Drops file in System32 directory 2 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Drops file in Program Files directory 23 IoCs
  • Drops file in Windows directory 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 13 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d0f7e1b5196772528ce410b695e2daa0N.exe
    "C:\Users\Admin\AppData\Local\Temp\d0f7e1b5196772528ce410b695e2daa0N.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in System32 directory
    • Suspicious use of SetThreadContext
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3196
    • C:\Windows\SysWOW64\svchost.exe
      C:\Windows\System32\svchost.exe -EMBEDDING 423B5D51736E6673606C2147686D64725D426E6C6C6E6F2147686D64725D4C6862736E726E6775215269607364655D4C52486F676E5D304530304230395D474A422F565840 0
      2⤵
      • Deletes itself
      • Loads dropped DLL
      • Drops file in Program Files directory
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      PID:2784
  • C:\Windows\system32\cmd.exe
    cmd.exe /c call "C:\Program Files\Common Files\Microsoft\1D11C18\KVEIF.jpg" -3 423B5D51736E6673606C2147686D64725D426E6C6C6E6F2147686D64725D4C6862736E726E6775215269607364655D4C52486F676E5D304530304230395D474A422F565840
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3680
    • C:\Program Files\Common Files\Microsoft\1D11C18\KVEIF.jpg
      "C:\Program Files\Common Files\Microsoft\1D11C18\KVEIF.jpg" -3 423B5D51736E6673606C2147686D64725D426E6C6C6E6F2147686D64725D4C6862736E726E6775215269607364655D4C52486F676E5D304530304230395D474A422F565840
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of SetThreadContext
      • Drops file in Program Files directory
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1452
      • C:\Windows\SysWOW64\svchost.exe
        C:\Windows\System32\svchost.exe -sys 423B5D51736E6673606C2147686D64725D426E6C6C6E6F2147686D64725D4C6862736E726E6775215269607364655D4C52486F676E5D304530304230395D474A422F565840 0
        3⤵
        • Loads dropped DLL
        • Drops file in Program Files directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:4272

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11C18\1D11C18123.IMD
    Filesize

    134KB

    MD5

    cfa91e43c6c7ffe348cf4c4aaf060508

    SHA1

    4cbd22e0a20b7cbfe4871baae2f28bae25736452

    SHA256

    994b05ddc3f92e8bb9e7ccea170ba399614949872a568ecc867fa36358f24b7f

    SHA512

    282f657b2f01a5b5800d6054a3981411e0afab08589020e0bc851ed0a384c0476fcce3c8caa9ad540ac2b123b3d4cb134297f8fe9ccdabddefe62fe31117b8f3

    Download Submit

  • C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11C18\KVEIFss1.ini
    Filesize

    22B

    MD5

    930acf89790980bda3854f8bd8dc44d6

    SHA1

    4033478772bd5b31cdbf85187ad30eb03a560f33

    SHA256

    34158e7ba9674f6eb03866767791fb29663241342a304cbc1286bdaf049269a6

    SHA512

    87752859deee77287cf49d0f54f92dee94f49b2ef3c4fd76ee0b573f1cd73b3b9b472ce4f83e8ae11a8b71aa1c0a802c72b87f7fd940a6b3ddce4d85ab68b7b8

    Download Submit

  • C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11C18\ok.txt
    Filesize

    73B

    MD5

    1fa8a1e774fda04c1037b5ff16fbaa72

    SHA1

    2d2e242030aefd54509567f3a6cc97b5a9004312

    SHA256

    43290fb5fbe00e8b82a356482ff5bb775ec82d157892dc8f0d516a7e841d4f7c

    SHA512

    30cff80ce20551180fe29f0b1a3dde623130b07ab8aa10fcd0ee47398b1e5a6b50fd0d2a92b0d933eb75e2c706c54dc570f2e5f1b39c3cae7c93df809a779159

    Download Submit

  • C:\Program Files\Common Files\Microsoft\1D11C18\KVEIF.jpg
    Filesize

    133KB

    MD5

    1819ff4fcc22f30d1a78dfb35b3e3736

    SHA1

    aabf33f449eb4c7c36c50f1290b3f06fb383f5e6

    SHA256

    35c0e782c488495cd2af4b4e020b9fd7b1ab248626d8d11a8df35cc96c8574d1

    SHA512

    ad91c8c084e49f5e06be854e048aa1c1d17abdbbcf9f171dd735b368672b5f8436b5f6a71d9f7ac34653925143ed9d742ff4cefd456b932a569aa578ad5d8865

    Download Submit

  • C:\Program Files\Common Files\microsoft shared\MSInfo\1D11C18\1D11C18123.IMD
    Filesize

    133KB

    MD5

    82913c79a27182155775509849a7247a

    SHA1

    6ff0c6a02b6f15e46b90dfe24d2983f78314eecf

    SHA256

    e5a252efab72b6b93512b46b5d6d31b1f05a8b12ae64a76ea0014a8633044db6

    SHA512

    d365439df87f9e376df15287898151e7b40d993b52c9c42d814c8122ef0ac9f58f10f310563b23731ff781488a5079f3fc248c6ef015654d5ad3d304a8e214ca

    Download Submit

  • C:\Program Files\Common Files\microsoft shared\MSInfo\1D11C18\KVEIFmain.ini
    Filesize

    630B

    MD5

    8c2efd946e968edaa99f131d671b1934

    SHA1

    bb06de800844792da9945bced8a8cf64dcc4b8cd

    SHA256

    c74fe545a77cbdab491cd72934d22ac5bd37154e65e05fa8de7f2233cb334981

    SHA512

    180e616dc505ec5664c718760b6a9da3bc2ce01b2d63a0af8e5a5eab0350720710ce3aae4f83f5946b97cd8e15d5887fdbde8042cf8636adcdb900036939e243

    Download Submit

  • C:\Program Files\Common Files\microsoft shared\MSInfo\1D11C18\KVEIFmain.ini
    Filesize

    1KB

    MD5

    c590414af5e2f2d94467aa1e27a920aa

    SHA1

    9ed94beef7f1d1f1766c1b789f5a4f865ecb5aef

    SHA256

    bcedc16c4d49b8289044b100ed150b6b0b73cb2889255cfecdafca7e4dfc82bd

    SHA512

    9fa0fa16d4c3f8f12ebd01d5581958cf9ad1db7424d5e252f283ba083e22113a8ca5d4d38ef1d58efe4f622f8302e22b80461328587c38337acec63c09d63590

    Download Submit

  • C:\Windows\SysWOW64\kernel64.dll
    Filesize

    625KB

    MD5

    eccf28d7e5ccec24119b88edd160f8f4

    SHA1

    98509587a3d37a20b56b50fd57f823a1691a034c

    SHA256

    820c83c0533cfce2928e29edeaf6c255bc19ac9718b25a5656d99ffac30a03d6

    SHA512

    c1c94bbb781625b2317f0a8178d3a10d891fb71bca8f82cd831c484e8ab125301b82a14fe2ff070dc99a496cc00234300fa5536401018c40d49d44ae89409670

    Download Submit

  • C:\Windows\Web\606C646364636479.tmp
    Filesize

    108KB

    MD5

    f697e0c5c1d34f00d1700d6d549d4811

    SHA1

    f50a99377a7419185fc269bb4d12954ca42b8589

    SHA256

    1eacebb614305a9806113545be7b23cf14ce7e761ccf634510a7f1c0cfb6cd16

    SHA512

    d5f35672f208ebbe306beeb55dadde96aa330780e2ea84b45d3fa6af41369e357412d82978df74038f2d27dff4d06905fd0b4d852b0beef1bcfdd6a0849bc202

    Download Submit

  • memory/2784-128-0x00000000029E0000-0x0000000002A35000-memory.dmp

    Filesize

    340KB

    Download

  • memory/2784-124-0x00000000029E0000-0x0000000002A35000-memory.dmp

    Filesize

    340KB

    Download

  • memory/2784-242-0x0000000000400000-0x000000000042D000-memory.dmp

    Filesize

    180KB

    Download

  • memory/2784-122-0x00000000029E0000-0x0000000002A35000-memory.dmp

    Filesize

    340KB

    Download

  • memory/2784-116-0x00000000029E0000-0x0000000002A35000-memory.dmp

    Filesize

    340KB

    Download

  • memory/2784-118-0x00000000029E0000-0x0000000002A35000-memory.dmp

    Filesize

    340KB

    Download

  • memory/2784-120-0x00000000029E0000-0x0000000002A35000-memory.dmp

    Filesize

    340KB

    Download

  • memory/2784-130-0x00000000029E0000-0x0000000002A35000-memory.dmp

    Filesize

    340KB

    Download

  • memory/2784-126-0x00000000029E0000-0x0000000002A35000-memory.dmp

    Filesize

    340KB

    Download

  • memory/2784-103-0x00000000029E0000-0x0000000002A35000-memory.dmp

    Filesize

    340KB

    Download

  • memory/2784-104-0x00000000029E0000-0x0000000002A35000-memory.dmp

    Filesize

    340KB

    Download

  • memory/2784-108-0x00000000029E0000-0x0000000002A35000-memory.dmp

    Filesize

    340KB

    Download

  • memory/2784-110-0x00000000029E0000-0x0000000002A35000-memory.dmp

    Filesize

    340KB

    Download

  • memory/2784-96-0x0000000000400000-0x000000000042D000-memory.dmp

    Filesize

    180KB

    Download

  • memory/2784-99-0x0000000000400000-0x000000000042D000-memory.dmp

    Filesize

    180KB

    Download

  • memory/2784-101-0x0000000000400000-0x000000000042D000-memory.dmp

    Filesize

    180KB

    Download

  • memory/2784-100-0x0000000000400000-0x000000000042D000-memory.dmp

    Filesize

    180KB

    Download

  • memory/2784-106-0x00000000029E0000-0x0000000002A35000-memory.dmp

    Filesize

    340KB

    Download

  • memory/2784-114-0x00000000029E0000-0x0000000002A35000-memory.dmp

    Filesize

    340KB

    Download

  • memory/2784-112-0x00000000029E0000-0x0000000002A35000-memory.dmp

    Filesize

    340KB

    Download

  • memory/3196-15-0x00000000022C0000-0x0000000002315000-memory.dmp

    Filesize

    340KB

    Download

  • memory/3196-31-0x00000000022C0000-0x0000000002315000-memory.dmp

    Filesize

    340KB

    Download

  • memory/3196-29-0x00000000022C0000-0x0000000002315000-memory.dmp

    Filesize

    340KB

    Download

  • memory/3196-2-0x00000000022C0000-0x0000000002315000-memory.dmp

    Filesize

    340KB

    Download

  • memory/3196-7-0x00000000022C0000-0x0000000002315000-memory.dmp

    Filesize

    340KB

    Download

  • memory/3196-9-0x00000000022C0000-0x0000000002315000-memory.dmp

    Filesize

    340KB

    Download

  • memory/3196-33-0x00000000022C0000-0x0000000002315000-memory.dmp

    Filesize

    340KB

    Download

  • memory/3196-3-0x00000000022C0000-0x0000000002315000-memory.dmp

    Filesize

    340KB

    Download

  • memory/3196-11-0x00000000022C0000-0x0000000002315000-memory.dmp

    Filesize

    340KB

    Download

  • memory/3196-28-0x00000000022C0000-0x0000000002315000-memory.dmp

    Filesize

    340KB

    Download

  • memory/3196-19-0x00000000022C0000-0x0000000002315000-memory.dmp

    Filesize

    340KB

    Download

  • memory/3196-17-0x00000000022C0000-0x0000000002315000-memory.dmp

    Filesize

    340KB

    Download

  • memory/3196-32-0x00000000022C0000-0x0000000002315000-memory.dmp

    Filesize

    340KB

    Download

  • memory/3196-25-0x00000000022C0000-0x0000000002315000-memory.dmp

    Filesize

    340KB

    Download

  • memory/3196-21-0x00000000022C0000-0x0000000002315000-memory.dmp

    Filesize

    340KB

    Download

  • memory/3196-13-0x00000000022C0000-0x0000000002315000-memory.dmp

    Filesize

    340KB

    Download

  • memory/3196-5-0x00000000022C0000-0x0000000002315000-memory.dmp

    Filesize

    340KB

    Download

  • memory/3196-23-0x00000000022C0000-0x0000000002315000-memory.dmp

    Filesize

    340KB

    Download

  • memory/4272-195-0x0000000000400000-0x000000000042D000-memory.dmp

    Filesize

    180KB

    Download

  • memory/4272-243-0x0000000000400000-0x000000000042D000-memory.dmp

    Filesize

    180KB

    Download