Overview

overview

7

Static

static

3

c692b403c3...f2.exe

windows7-x64

7

c692b403c3...f2.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    149s
  • max time network
    147s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
  • submitted
    13-09-2024 06:52

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    c692b403c37b6e1627c1de6282e7244f8d22fe9422d0a98ed0e81b449486d5f2.exe

  • Size

    7.3MB

  • MD5

    c8684ee7ce9838120714f400b1a42021

  • SHA1

    9a294842f4d34b59cfb074f36f3a2c261592a20e

  • SHA256

    c692b403c37b6e1627c1de6282e7244f8d22fe9422d0a98ed0e81b449486d5f2

  • SHA512

    613ee146df8dc41e7d93fe7948749c888a3a29ce3b4fb37961eda04e207d27924d4a89ba7ee543331e1abdbf778cb14686f18c85f18ed7d49be64bc4b8702dc3

  • SSDEEP

    98304:qvu6o3Rsb0Bs9WZDPu1CESK2YwKRWi7VjlcQu:2sjmTRsQj1u

Score
7/10
upx

Malware Config

Signatures

  • UPX packed file 5 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Suspicious use of SetThreadContext 3 IoCs
  • Drops file in Windows directory 1 IoCs
  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies data under HKEY_USERS 6 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 29 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k netsvcs
    1⤵
    • Suspicious use of SetThreadContext
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:860
    • C:\Windows\system32\taskeng.exe
      taskeng.exe {5B599019-CEC4-4D8A-A5AA-793DFE68DEE2} S-1-5-18:NT AUTHORITY\System:Service:
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3000
      • C:\Program Files\Windows Mail\XXEmulator.exe
        "C:\Program Files\Windows Mail\XXEmulator.exe" -svc
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:2880
    • C:\Windows\system32\svchost.exe
      C:\Windows\system32\svchost.exe -k netsvcs
      2⤵
      • Suspicious use of SetThreadContext
      • Checks processor information in registry
      • Modifies data under HKEY_USERS
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:2608
      • C:\Windows\system32\dllhost.exe
        C:\Windows\system32\dllhost.exe /Processid:{F8284233-48F4-4680-ADDD-F8284233}
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        PID:1000
  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1256
      • C:\Users\Admin\AppData\Local\Temp\c692b403c37b6e1627c1de6282e7244f8d22fe9422d0a98ed0e81b449486d5f2.exe
        "C:\Users\Admin\AppData\Local\Temp\c692b403c37b6e1627c1de6282e7244f8d22fe9422d0a98ed0e81b449486d5f2.exe"
        2⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:2904
      • C:\Users\Admin\AppData\Local\Temp\XXEmulator.exe
        "C:\Users\Admin\AppData\Local\Temp\XXEmulator.exe"
        2⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:2272
        • C:\Windows\system32\svchost.exe
          C:\Windows\system32\svchost.exe -Install
          3⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2276

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/860-46-0x0000000000CC0000-0x0000000000CC1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1000-75-0x0000000000050000-0x0000000000051000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1256-16-0x00000000024A0000-0x00000000024A1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1256-9-0x0000000003D60000-0x0000000003E0F000-memory.dmp

      Filesize

      700KB

      Download

    • memory/1256-8-0x0000000002490000-0x0000000002491000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1256-15-0x0000000002490000-0x0000000002491000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2272-22-0x0000000077910000-0x0000000077AB9000-memory.dmp

      Filesize

      1.7MB

      Download

    • memory/2272-28-0x0000000077911000-0x0000000077A12000-memory.dmp

      Filesize

      1.0MB

      Download

    • memory/2272-18-0x0000000180000000-0x0000000180068000-memory.dmp

      Filesize

      416KB

      Download

    • memory/2276-34-0x0000000077910000-0x0000000077AB9000-memory.dmp

      Filesize

      1.7MB

      Download

    • memory/2276-26-0x0000000000060000-0x0000000000061000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2276-23-0x0000000000070000-0x00000000000D5000-memory.dmp

      Filesize

      404KB

      Download

    • memory/2276-35-0x0000000077910000-0x0000000077AB9000-memory.dmp

      Filesize

      1.7MB

      Download

    • memory/2276-33-0x0000000077910000-0x0000000077AB9000-memory.dmp

      Filesize

      1.7MB

      Download

    • memory/2608-65-0x0000000077910000-0x0000000077AB9000-memory.dmp

      Filesize

      1.7MB

      Download

    • memory/2880-49-0x000007FEFB600000-0x000007FEFB61A000-memory.dmp

      Filesize

      104KB

      Download

    • memory/2880-40-0x0000000077910000-0x0000000077AB9000-memory.dmp

      Filesize

      1.7MB

      Download

    • memory/2904-14-0x0000000180000000-0x0000000180019000-memory.dmp

      Filesize

      100KB

      Download

    • memory/2904-17-0x0000000002880000-0x0000000002930000-memory.dmp

      Filesize

      704KB

      Download

    • memory/2904-3-0x0000000180000000-0x0000000180019000-memory.dmp

      Filesize

      100KB

      Download

    • memory/2904-6-0x0000000002880000-0x0000000002930000-memory.dmp

      Filesize

      704KB

      Download

    • memory/2904-4-0x0000000180000000-0x0000000180019000-memory.dmp

      Filesize

      100KB

      Download

    • memory/2904-0-0x0000000180000000-0x0000000180019000-memory.dmp

      Filesize

      100KB

      Download

    • memory/2904-7-0x0000000180000000-0x0000000180019000-memory.dmp

      Filesize

      100KB

      Download