Overview

overview

8

Static

static

7

3b8c3fbe73...5b.exe

windows7-x64

8

3b8c3fbe73...5b.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    148s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    09-09-2024 20:40

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    3b8c3fbe73466b0efded1677be24f5aa3c9dae4f27663597f2d86927276b575b.exe

  • Size

    83KB

  • MD5

    96c7ee873c0d3d98ce5e8710f81d01c5

  • SHA1

    3c0f3ac31c87ef0a40cef7e413e1e4b7ee9219a1

  • SHA256

    3b8c3fbe73466b0efded1677be24f5aa3c9dae4f27663597f2d86927276b575b

  • SHA512

    16e32d923f86ba3b497c95c322b889ac4bf697a9eb6c8a627d38449fd5fa73a425555d841f32ffad1ddc77f2665dd42c9a3dba17a7a9cd60175647757dd324f9

  • SSDEEP

    1536:q4Gh0o4g0p3nouy8QbunMxVS3HgdoKjhLJh731xvsr:q4Gh0o4g05outQCMUyNjhLJh731xvsr

Score
8/10
discoverypersistenceupx

Malware Config

Signatures

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 22 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    persistence
  • Deletes itself 1 IoCs
  • Executes dropped EXE 11 IoCs
  • UPX packed file 48 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Drops file in Windows directory 11 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 23 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious use of AdjustPrivilegeToken 11 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\3b8c3fbe73466b0efded1677be24f5aa3c9dae4f27663597f2d86927276b575b.exe
    "C:\Users\Admin\AppData\Local\Temp\3b8c3fbe73466b0efded1677be24f5aa3c9dae4f27663597f2d86927276b575b.exe"
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2524
    • C:\Windows\{00103ABF-F23B-4436-B8B1-96C0BF601544}.exe
      C:\Windows\{00103ABF-F23B-4436-B8B1-96C0BF601544}.exe
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Executes dropped EXE
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2380
      • C:\Windows\{077694FF-0985-41b2-8B45-FCD74106969D}.exe
        C:\Windows\{077694FF-0985-41b2-8B45-FCD74106969D}.exe
        3⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2756
        • C:\Windows\{546D4FF9-A325-4699-B796-21C48FB9CC50}.exe
          C:\Windows\{546D4FF9-A325-4699-B796-21C48FB9CC50}.exe
          4⤵
          • Boot or Logon Autostart Execution: Active Setup
          • Executes dropped EXE
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2792
          • C:\Windows\{E877D2C4-1C39-4212-835F-BA19E0D926DF}.exe
            C:\Windows\{E877D2C4-1C39-4212-835F-BA19E0D926DF}.exe
            5⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:1708
            • C:\Windows\{97DE050E-D7A8-460d-B7D6-DDD46FCC7667}.exe
              C:\Windows\{97DE050E-D7A8-460d-B7D6-DDD46FCC7667}.exe
              6⤵
              • Boot or Logon Autostart Execution: Active Setup
              • Executes dropped EXE
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:2436
              • C:\Windows\{3225DD09-817C-4d4f-B98F-0E1DB881DF8B}.exe
                C:\Windows\{3225DD09-817C-4d4f-B98F-0E1DB881DF8B}.exe
                7⤵
                • Boot or Logon Autostart Execution: Active Setup
                • Executes dropped EXE
                • Drops file in Windows directory
                • System Location Discovery: System Language Discovery
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:1308
                • C:\Windows\{5FBFDD5F-F395-42c3-9857-5B157D611337}.exe
                  C:\Windows\{5FBFDD5F-F395-42c3-9857-5B157D611337}.exe
                  8⤵
                  • Boot or Logon Autostart Execution: Active Setup
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:1076
                  • C:\Windows\{EAD4943D-A603-4315-8D7E-204896A2DF1F}.exe
                    C:\Windows\{EAD4943D-A603-4315-8D7E-204896A2DF1F}.exe
                    9⤵
                    • Boot or Logon Autostart Execution: Active Setup
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of AdjustPrivilegeToken
                    PID:2636
                    • C:\Windows\{05D1D63F-455C-4dae-9517-7425129AC077}.exe
                      C:\Windows\{05D1D63F-455C-4dae-9517-7425129AC077}.exe
                      10⤵
                      • Boot or Logon Autostart Execution: Active Setup
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • System Location Discovery: System Language Discovery
                      • Suspicious use of AdjustPrivilegeToken
                      PID:2268
                      • C:\Windows\{DD0665AE-E41E-4dcf-9B49-EB60A55EFAB3}.exe
                        C:\Windows\{DD0665AE-E41E-4dcf-9B49-EB60A55EFAB3}.exe
                        11⤵
                        • Boot or Logon Autostart Execution: Active Setup
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • System Location Discovery: System Language Discovery
                        • Suspicious use of AdjustPrivilegeToken
                        PID:844
                        • C:\Windows\{21D447F6-A250-468b-A64B-5BAA25C148B0}.exe
                          C:\Windows\{21D447F6-A250-468b-A64B-5BAA25C148B0}.exe
                          12⤵
                          • Executes dropped EXE
                          • System Location Discovery: System Language Discovery
                          PID:1712
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{DD066~1.EXE > nul
                          12⤵
                          • System Location Discovery: System Language Discovery
                          PID:1692
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c del C:\Windows\{05D1D~1.EXE > nul
                        11⤵
                        • System Location Discovery: System Language Discovery
                        PID:800
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{EAD49~1.EXE > nul
                      10⤵
                      • System Location Discovery: System Language Discovery
                      PID:1848
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c del C:\Windows\{5FBFD~1.EXE > nul
                    9⤵
                    • System Location Discovery: System Language Discovery
                    PID:2884
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c del C:\Windows\{3225D~1.EXE > nul
                  8⤵
                  • System Location Discovery: System Language Discovery
                  PID:1348
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c del C:\Windows\{97DE0~1.EXE > nul
                7⤵
                • System Location Discovery: System Language Discovery
                PID:1932
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c del C:\Windows\{E877D~1.EXE > nul
              6⤵
              • System Location Discovery: System Language Discovery
              PID:1972
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c del C:\Windows\{546D4~1.EXE > nul
            5⤵
            • System Location Discovery: System Language Discovery
            PID:2564
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\{07769~1.EXE > nul
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2828
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{00103~1.EXE > nul
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2808
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\3B8C3F~1.EXE > nul
      2⤵
      • Deletes itself
      • System Location Discovery: System Language Discovery
      PID:2480

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\{00103ABF-F23B-4436-B8B1-96C0BF601544}.exe
    Filesize

    83KB

    MD5

    06c077dcedf43037195774c70e95e2ee

    SHA1

    3493178141d7604d9f63705d8a74d38dee614d6f

    SHA256

    eac59e15655eb82ec23b737bda519670cc0d599a9dd04705181da328e03df732

    SHA512

    8c5c7b38c527f311ac21ee251f10503a2daf6c8df80999ffca008a4ad52cdd937d895766de17b306a43be3a8ae4cff078a29912f21cf5490cc9c9fc949aaa1c6

    Download Submit

  • C:\Windows\{05D1D63F-455C-4dae-9517-7425129AC077}.exe
    Filesize

    83KB

    MD5

    c443088089a5bb6966d10da9d5ad88b0

    SHA1

    55e1583c8ad927aa93c6ffbb7e579a8c159325e6

    SHA256

    cb4a077f35e4572ba40ce6911b0a7aa3388ec174f62d12497166af83946ba397

    SHA512

    81f67af8471a75a26b1881b0ef49cdf651aac38ebc95d474527805a627353444dc13742c47ece298d313d5f25f0855ac648329ca1982d27d47672411e61c808b

    Download Submit

  • C:\Windows\{077694FF-0985-41b2-8B45-FCD74106969D}.exe
    Filesize

    83KB

    MD5

    bd91c5c66e5bf4270e640b383438a886

    SHA1

    eb9cf0be4abe9c6a46641babb6558dc57a765e94

    SHA256

    c6a031e5483e92a150505bdc403ec9542617c1394c7e25742b2923ee96258bad

    SHA512

    9e43a24eae7e53510ce0626687d93087a73a2b946d6fe9e5de3a63f3d3cab976cb3cc650aa2d435763e2b71e67609ad05c71370669808f707108ae229619c4ba

    Download Submit

  • C:\Windows\{21D447F6-A250-468b-A64B-5BAA25C148B0}.exe
    Filesize

    83KB

    MD5

    2781badb39c6e5af32dbac4307455d7e

    SHA1

    f52ca0da9457b7919693f5af0f07f68293bb2806

    SHA256

    5f2e4532001861c891a3569bd4be3946d5a64c8aade129d19df8c8aa0aaf9260

    SHA512

    023700dcce29e780e186d1e24b2f81fc26d02931be5ac2736f1dca89493c6ff18035e950c002eafb0a8637f278960466d4cacd3ab94775159f00f7aefdb0531f

    Download Submit

  • C:\Windows\{3225DD09-817C-4d4f-B98F-0E1DB881DF8B}.exe
    Filesize

    83KB

    MD5

    c0cb4f6612c79dbf3d358e5202c43de9

    SHA1

    7d1d8d594d70e1734701b9292655a86f426bc03e

    SHA256

    e33e918e2d0b3e5689e74ad1bdf9f0228f205427887a3e307bfeab9f474d3725

    SHA512

    adc891ae304aa80e84f165f2e58d8be23d27d30b6a2cc47eb39541a4d3cdb1d0b0332c78d7647db07f0119fa059a6722ec56c6896c84314a6b3d5c13bbba6cd6

    Download Submit

  • C:\Windows\{546D4FF9-A325-4699-B796-21C48FB9CC50}.exe
    Filesize

    83KB

    MD5

    9080c04ce9e3bf846691f5449c24ce25

    SHA1

    da9aecba5c9b67694008ed0eaaaf090adf557a3a

    SHA256

    13fe8d3a46b90047d1284d903df31ca4f2b8c29ed3e1dcc6e38e0ff1e2a5f832

    SHA512

    b973c48699e262906a168929830ddeb5c083dca94dd783eb97e83739bf2b3fe94819b5681b8ebf5c8886b9955b6a21089ec19f2b9f174c79148e7b4d4d483217

    Download Submit

  • C:\Windows\{5FBFDD5F-F395-42c3-9857-5B157D611337}.exe
    Filesize

    83KB

    MD5

    08dbc5ea1f456a156ebbcf8f5592983c

    SHA1

    764ae1d0c7076f6de8feb61cd0b0e34fa9e60d09

    SHA256

    160b1e21cf3c7a73d89745f72d4d38e27476423a1aa16bb41cf7c9a19bd2b0d8

    SHA512

    a18b3ce2fe7f76fad7661a2646970db5b2716a190a757386dc575b30b04ed61b425413015ba45b45371d77c538a4b46cd24f1da378c21bd09768f7e1aec8baff

    Download Submit

  • C:\Windows\{97DE050E-D7A8-460d-B7D6-DDD46FCC7667}.exe
    Filesize

    83KB

    MD5

    4b758ce83e257df490407036f7b2eda6

    SHA1

    391458f70747b114cf8b8500072cc3a50dd1634d

    SHA256

    b8af015596652f93eda6010783a21ee0c69ff056cca65b4f321242aea0bd67a7

    SHA512

    6765b6ae47332944fc501c92488645cc7bf0074a50cfcfec2e4d8794dcdf57734e389477b54cad9a18f5de3ec5bba61488f3b3c62f2be4143035172725a0e153

    Download Submit

  • C:\Windows\{DD0665AE-E41E-4dcf-9B49-EB60A55EFAB3}.exe
    Filesize

    83KB

    MD5

    681667e56a2c6f03ce965fbe751b1bc3

    SHA1

    fc5e38be7c296dbffa9dd83914beea5511506614

    SHA256

    3f26775afd0ec70f6a8ba898f79f8c8947df3905f9fad0b0eea6417afba83020

    SHA512

    21bffc05efab597017b0fbc802fc586980cd49beddb2bb1b5470baa25400b479403a3ade736eae8744d0a045ce33567fc869c02f57dc554ad3fc69b1b623cfdc

    Download Submit

  • C:\Windows\{E877D2C4-1C39-4212-835F-BA19E0D926DF}.exe
    Filesize

    83KB

    MD5

    14ba8df7fb5d43ba2d14c55049576ae9

    SHA1

    f5ec1fb6588ab673d17c04815c70e2ccb808e594

    SHA256

    ea9d7521e74e3198a31f338f415479b035b1660c4356e5b4208cd6f6bff855ac

    SHA512

    d1d7406f08e7f9d6cafc2b8d2d8c47f9b64d8e1238811d271a06aa44fa1ae488bda6b0cc06ff54ad3842b44b26a6d766f12e1ac8cd80203c082632a26730a669

    Download Submit

  • C:\Windows\{EAD4943D-A603-4315-8D7E-204896A2DF1F}.exe
    Filesize

    83KB

    MD5

    9403f78105c28651a98646e2d818f65d

    SHA1

    5910266a83f6ad8e25a1ad659358cf261fd2fd52

    SHA256

    68345644298e11495e857be4b9a8d7a5bc51718210df9fe3bef80a307f93bbc3

    SHA512

    13aa0379e23d483cb7ba6e7b78c471b419b829e8a0880c5d3c5dcbf939b799e8d63aa0488eb995f34ec75c39ccddcb98449694f23df452cd718a0860630c3f07

    Download Submit

  • memory/844-115-0x0000000000400000-0x0000000000413000-memory.dmp

    Filesize

    76KB

    Download

  • memory/844-109-0x00000000003E0000-0x00000000003F3000-memory.dmp

    Filesize

    76KB

    Download

  • memory/844-106-0x0000000000400000-0x0000000000413000-memory.dmp

    Filesize

    76KB

    Download

  • memory/1076-77-0x0000000000420000-0x0000000000433000-memory.dmp

    Filesize

    76KB

    Download

  • memory/1076-73-0x0000000000400000-0x0000000000413000-memory.dmp

    Filesize

    76KB

    Download

  • memory/1076-82-0x0000000000420000-0x0000000000433000-memory.dmp

    Filesize

    76KB

    Download

  • memory/1076-83-0x0000000000400000-0x0000000000413000-memory.dmp

    Filesize

    76KB

    Download

  • memory/1308-72-0x0000000000400000-0x0000000000413000-memory.dmp

    Filesize

    76KB

    Download

  • memory/1308-67-0x0000000000270000-0x0000000000283000-memory.dmp

    Filesize

    76KB

    Download

  • memory/1308-63-0x0000000000400000-0x0000000000413000-memory.dmp

    Filesize

    76KB

    Download

  • memory/1708-50-0x0000000000400000-0x0000000000413000-memory.dmp

    Filesize

    76KB

    Download

  • memory/1708-41-0x0000000000400000-0x0000000000413000-memory.dmp

    Filesize

    76KB

    Download

  • memory/1708-45-0x0000000000370000-0x0000000000383000-memory.dmp

    Filesize

    76KB

    Download

  • memory/1708-49-0x0000000000370000-0x0000000000383000-memory.dmp

    Filesize

    76KB

    Download

  • memory/1712-116-0x0000000000400000-0x0000000000413000-memory.dmp

    Filesize

    76KB

    Download

  • memory/2268-95-0x0000000000400000-0x0000000000413000-memory.dmp

    Filesize

    76KB

    Download

  • memory/2268-103-0x0000000000290000-0x00000000002A3000-memory.dmp

    Filesize

    76KB

    Download

  • memory/2268-105-0x0000000000400000-0x0000000000413000-memory.dmp

    Filesize

    76KB

    Download

  • memory/2268-99-0x0000000000290000-0x00000000002A3000-memory.dmp

    Filesize

    76KB

    Download

  • memory/2380-13-0x0000000000430000-0x0000000000443000-memory.dmp

    Filesize

    76KB

    Download

  • memory/2380-10-0x0000000000400000-0x0000000000413000-memory.dmp

    Filesize

    76KB

    Download

  • memory/2380-18-0x0000000000400000-0x0000000000413000-memory.dmp

    Filesize

    76KB

    Download

  • memory/2436-56-0x0000000000290000-0x00000000002A3000-memory.dmp

    Filesize

    76KB

    Download

  • memory/2436-52-0x0000000000400000-0x0000000000413000-memory.dmp

    Filesize

    76KB

    Download

  • memory/2436-62-0x0000000000400000-0x0000000000413000-memory.dmp

    Filesize

    76KB

    Download

  • memory/2436-53-0x0000000000400000-0x0000000000413000-memory.dmp

    Filesize

    76KB

    Download

  • memory/2524-4-0x00000000003E0000-0x00000000003F3000-memory.dmp

    Filesize

    76KB

    Download

  • memory/2524-9-0x0000000000400000-0x0000000000413000-memory.dmp

    Filesize

    76KB

    Download

  • memory/2524-0-0x0000000000400000-0x0000000000413000-memory.dmp

    Filesize

    76KB

    Download

  • memory/2524-1-0x0000000000400000-0x0000000000413000-memory.dmp

    Filesize

    76KB

    Download

  • memory/2636-92-0x00000000003D0000-0x00000000003E3000-memory.dmp

    Filesize

    76KB

    Download

  • memory/2636-93-0x0000000000400000-0x0000000000413000-memory.dmp

    Filesize

    76KB

    Download

  • memory/2636-88-0x00000000003D0000-0x00000000003E3000-memory.dmp

    Filesize

    76KB

    Download

  • memory/2636-84-0x0000000000400000-0x0000000000413000-memory.dmp

    Filesize

    76KB

    Download

  • memory/2756-28-0x0000000000400000-0x0000000000413000-memory.dmp

    Filesize

    76KB

    Download

  • memory/2756-24-0x0000000000420000-0x0000000000433000-memory.dmp

    Filesize

    76KB

    Download

  • memory/2756-20-0x0000000000400000-0x0000000000413000-memory.dmp

    Filesize

    76KB

    Download

  • memory/2792-40-0x0000000000400000-0x0000000000413000-memory.dmp

    Filesize

    76KB

    Download

  • memory/2792-38-0x0000000000370000-0x0000000000383000-memory.dmp

    Filesize

    76KB

    Download

  • memory/2792-34-0x0000000000370000-0x0000000000383000-memory.dmp

    Filesize

    76KB

    Download

  • memory/2792-30-0x0000000000400000-0x0000000000413000-memory.dmp

    Filesize

    76KB

    Download