Overview

overview

7

Static

static

7

8a5a047fc0...0N.exe

windows7-x64

7

8a5a047fc0...0N.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    81s
  • max time network
    97s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    14/09/2024, 12:57

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    8a5a047fc0d402d81c5e119941047400N.exe

  • Size

    111KB

  • MD5

    8a5a047fc0d402d81c5e119941047400

  • SHA1

    6448d8f68a01e5453e2567522adce715c67e1b41

  • SHA256

    eed05eb64668a28db2803b7f16a3cf1659293c2e7ecc2a219834bda950936d3f

  • SHA512

    580fc033946c6bce3573dde104d44c8890b44e47154acff31e1929f87a99530fe346b066ef13905e41e4db495f1b7a737871174dc847cb2e739b23043b6aa59d

  • SSDEEP

    1536:ELNIW39SaZTbFARlq7jC1OZstZu0TSVEdUJWTWd18fBq:ELlbZTZX3BAtTSVEdUJWTWd18fc

Score
7/10
defense_evasiondiscoverypersistenceupx

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • UPX packed file 5 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Indicator Removal: File Deletion 1 TTPs

    Adversaries may delete files left behind by the actions of their intrusion activity.

    defense_evasion
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\8a5a047fc0d402d81c5e119941047400N.exe
    "C:\Users\Admin\AppData\Local\Temp\8a5a047fc0d402d81c5e119941047400N.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1120
    • C:\ProgramData\Graphics\guifx.exe
      "C:\ProgramData\Graphics\guifx.exe" /run
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:2308
    • C:\windows\SysWOW64\cmd.exe
      "C:\windows\system32\cmd.exe" /c del /q "C:\Users\Admin\AppData\Local\Temp\8a5a047fc0d402d81c5e119941047400N.exe" >> NUL
      2⤵
      • Deletes itself
      • System Location Discovery: System Language Discovery
      PID:2972

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • \ProgramData\Graphics\guifx.exe
    Filesize

    111KB

    MD5

    4c7c33fdda416a8054c9ca23bf3fed9b

    SHA1

    ee9f5196ab8689781f6a9b20529d2d17a05fd288

    SHA256

    47df0d50f7b59518e1e12caa70bc7c426fcffc46a32d9c606994d75d09322b61

    SHA512

    27bfd7e40afb36f44e8e83ee29a4c6c7c029b8c01f70123252546ded231d0e67e7599261066fbea3d33540451c6dde25979760684a1b5a1f506f63cef1657ef6

    Download Submit

  • memory/1120-0-0x0000000000B70000-0x0000000000B8C000-memory.dmp

    Filesize

    112KB

    Download

  • memory/1120-4-0x00000000000F0000-0x000000000010C000-memory.dmp

    Filesize

    112KB

    Download

  • memory/1120-8-0x0000000000B70000-0x0000000000B8C000-memory.dmp

    Filesize

    112KB

    Download

  • memory/1120-9-0x00000000000F0000-0x000000000010C000-memory.dmp

    Filesize

    112KB

    Download

  • memory/1120-10-0x0000000000B70000-0x0000000000B8C000-memory.dmp

    Filesize

    112KB

    Download

  • memory/2308-7-0x0000000000250000-0x000000000026C000-memory.dmp

    Filesize

    112KB

    Download