Overview

overview

7

Static

static

7

38339841c5...4N.exe

windows7-x64

7

38339841c5...4N.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    119s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    19-09-2024 04:55

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    38339841c531017a7d9ab863247552b0475646bee71b0daf4a33f80ec4d02034N.exe

  • Size

    135KB

  • MD5

    39f7ab04b34db819a09a1d0e63dacbe0

  • SHA1

    6a5c7d8737f1775e0782c52cdc19397c3c63a10c

  • SHA256

    38339841c531017a7d9ab863247552b0475646bee71b0daf4a33f80ec4d02034

  • SHA512

    9263c5d8e9299fea669407bffe0e896c06bdad827e42a70867e84043209c6c5aa6582e71f379b2de982294f9a598d18b19846f90408cb80fb87d2e3cf92f9f94

  • SSDEEP

    1536:YGYU/W2/HG6QMauSV3ixJHABLrmhH7i9eNOOg00GqMIK7aGZh3SOW:YfU/WF6QMauSuiWNi9eNOl0007NZIOW

Score
7/10
defense_evasiondiscoverypersistenceupx

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • UPX packed file 6 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Indicator Removal: File Deletion 1 TTPs

    Adversaries may delete files left behind by the actions of their intrusion activity.

    defense_evasion
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\38339841c531017a7d9ab863247552b0475646bee71b0daf4a33f80ec4d02034N.exe
    "C:\Users\Admin\AppData\Local\Temp\38339841c531017a7d9ab863247552b0475646bee71b0daf4a33f80ec4d02034N.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2788
    • C:\ProgramData\Update\wuauclt.exe
      "C:\ProgramData\Update\wuauclt.exe" /run
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:2812
    • C:\windows\SysWOW64\cmd.exe
      "C:\windows\system32\cmd.exe" /c del /q "C:\Users\Admin\AppData\Local\Temp\38339841c531017a7d9ab863247552b0475646bee71b0daf4a33f80ec4d02034N.exe" >> NUL
      2⤵
      • Deletes itself
      • System Location Discovery: System Language Discovery
      PID:2560

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • \ProgramData\Update\wuauclt.exe
    Filesize

    135KB

    MD5

    711c695a1e0bdafea9f50214d765a630

    SHA1

    80af834a956a6acb7cefc42a17b25e175027f5ab

    SHA256

    238bb13a7d7b48768d7a0ea5782f8e0395787ecfd31c380d818c07261a2719bd

    SHA512

    72e23eca9fc559f363acf11d974a3fc05c03267ff283c4a518228590f1c13c6aaa9105d5e2926a4eb51adf3f676bf82460cfec15cd5e018f6c374713495041c6

    Download Submit

  • memory/2788-0-0x00000000000C0000-0x00000000000E8000-memory.dmp

    Filesize

    160KB

    Download

  • memory/2788-6-0x0000000000080000-0x00000000000A8000-memory.dmp

    Filesize

    160KB

    Download

  • memory/2788-8-0x00000000000C0000-0x00000000000E8000-memory.dmp

    Filesize

    160KB

    Download

  • memory/2788-9-0x0000000000080000-0x00000000000A8000-memory.dmp

    Filesize

    160KB

    Download

  • memory/2788-11-0x00000000000C0000-0x00000000000E8000-memory.dmp

    Filesize

    160KB

    Download

  • memory/2812-7-0x0000000000F20000-0x0000000000F48000-memory.dmp

    Filesize

    160KB

    Download

  • memory/2812-10-0x0000000000F20000-0x0000000000F48000-memory.dmp

    Filesize

    160KB

    Download