Overview

overview

10

Static

static

7

e94445dfe1...0N.exe

windows7-x64

10

e94445dfe1...0N.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    120s
  • max time network
    119s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    19/09/2024, 09:34

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    e94445dfe14fe3ff694fef9b36ea567524543da4db509aac91647c90dae389b0N.exe

  • Size

    345KB

  • MD5

    6aaaebbf05930b0718d8b29a30917b90

  • SHA1

    fe738dbcf7fc1aa0c67b8e11e630039175c636d9

  • SHA256

    e94445dfe14fe3ff694fef9b36ea567524543da4db509aac91647c90dae389b0

  • SHA512

    d5fd313e3697eb82de6c79f6f687794a04794c171822b8d3ccc58e2bc58ac258e6e42e888a071375994e00551d7cba81f721dcf70bc60af197fd87ba8e963d29

  • SSDEEP

    6144:8uIlWqB+ihabs7Ch9KwyF5LeLodp2D1Mmakda0qLqIYhuIlWqBZ:X6Wq4aaE6KwyF5L0Y2D1PqLb6Wq3

Score
10/10
discoveryevasionupx

Malware Config

Signatures

  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
    evasion
  • Executes dropped EXE 1 IoCs
  • UPX packed file 6 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Enumerates connected drives 3 TTPs 23 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • AutoIT Executable 2 IoCs

    AutoIT scripts compiled to PE executables.

  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\e94445dfe14fe3ff694fef9b36ea567524543da4db509aac91647c90dae389b0N.exe
    "C:\Users\Admin\AppData\Local\Temp\e94445dfe14fe3ff694fef9b36ea567524543da4db509aac91647c90dae389b0N.exe"
    1⤵
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:1384
    • C:\Windows\svhost.exe
      C:\Windows\svhost.exe
      2⤵
      • Modifies visibility of file extensions in Explorer
      • Executes dropped EXE
      • Enumerates connected drives
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:3816
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4260,i,10065386245627775856,6567048529106473151,262144 --variations-seed-version --mojo-platform-channel-handle=3944 /prefetch:8
    1⤵
      PID:3432

    Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\PerfLogs.exe
            Filesize

            345KB

            MD5

            7420c23f616e50c4a2d8c3da28607518

            SHA1

            538e820169f263842328d77a47a8124aab3dc7ce

            SHA256

            3ed6acee354f1352573bea1feb067a835ab5cb282bdf4e33fa0852a09f85d055

            SHA512

            a5e306d049eb0d1f2e930b9e49d0027e8a56d488514c6d0e1039ffc8bf9433243bf8aadcbaa403c12a7ab870734fdd7a3df3bd77a0a4e7a434e27367550a18a5

            Download Submit

          • C:\Windows\Driver.db
            Filesize

            82B

            MD5

            c2d2dc50dca8a2bfdc8e2d59dfa5796d

            SHA1

            7a6150fc53244e28d1bcea437c0c9d276c41ccad

            SHA256

            b2d38b3f122cfcf3cecabf0dfe2ab9c4182416d6961ae43f1eebee489cf3c960

            SHA512

            6cfdd08729de9ee9d1f5d8fcd859144d32ddc0a9e7074202a7d03d3795bdf0027a074a6aa54f451d4166024c134b27c55c7142170e64d979d86c13801f937ce4

            Download Submit

          • C:\Windows\svhost.exe
            Filesize

            345KB

            MD5

            63fd7dc73da28982c6583fa66a122a69

            SHA1

            d5b93f0193d5010fc315277e69692ac0561ac31c

            SHA256

            421803d1f1b4a0ff681b8ef540b8458589783376c2b7fdfa8c41847de8d5d666

            SHA512

            9a3f0899ee94fb848886fa5130948ae86262855394ec2d3865ec28ee37a0f602d23bd063a3255b91d9c13f74a615c8b5311689081a81b540c3eab70a528fbd59

            Download Submit

          • memory/1384-0-0x0000000000400000-0x0000000000523000-memory.dmp

            Filesize

            1.1MB

            Download

          • memory/1384-689-0x0000000000400000-0x0000000000523000-memory.dmp

            Filesize

            1.1MB

            Download

          • memory/3816-5-0x0000000000400000-0x0000000000523000-memory.dmp

            Filesize

            1.1MB

            Download

          • memory/3816-1066-0x0000000000400000-0x0000000000523000-memory.dmp

            Filesize

            1.1MB

            Download