Analysis

  • max time kernel
    149s
  • max time network
    140s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    20/09/2024, 21:05 UTC

General

  • Target
    LetsTryAnal - Christy Mack (Anal With An Attitude).exe
  • Size
    524KB
  • MD5
    8100e3a84c64d7cafa56c1cc23883474
  • SHA1
    9e4296f449b4b9195eae1355ff9cced63fd0a7a4
  • SHA256
    2225d914a5b0d0e06c4b0daf473066d68143ea2dda10a6619d9734d2108c9a77
  • SHA512
    dcd68f6584f02d722086285383fd8b2503c41e404e728296008ea9c5e5d2b5305d17fe97077990430a30b8655700526e2f1cb3eb4d2451d29d40264d4e0cdbba
  • SSDEEP
    12288:goKUsL6A+fkDtVFB7eE6CU2pn2HGJNZhupdC8PPho:f/sXrU3Ca

Malware Config

Signatures

  • Modifies firewall policy service (3 TTPs, 10 IoCs)
  • Adds policy Run key to start application (2 TTPs, 2 IoCs)
  • Boot or Logon Autostart Execution: Active Setup (2 TTPs, 4 IoCs)
    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
  • Checks computer location settings (2 TTPs, 2 IoCs)
    Looks up the country code configured in the registry, likely for geofencing.
  • Drops startup file (2 IoCs)
  • Executes dropped EXE (1 IoC)
  • UPX packed file (17 IoCs)
    Detects executables packed with UPX or a modified build of the UPX open-source packer.
  • Adds Run key to start application (2 TTPs, 3 IoCs)
  • Suspicious use of SetThreadContext (1 IoC)
  • Enumerates physical storage devices (1 TTP)
    Attempts to interact with connected storage/optical drive(s).
  • System Location Discovery: System Language Discovery (1 TTP, 13 IoCs)
    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  • Modifies registry key (1 TTP, 4 IoCs)
  • Suspicious behavior: EnumeratesProcesses (6 IoCs)
  • Suspicious use of AdjustPrivilegeToken (37 IoCs)
  • Suspicious use of SetWindowsHookEx (3 IoCs)
  • Suspicious use of WriteProcessMemory (50 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\LetsTryAnal - Christy Mack (Anal With An Attitude).exe
    "C:\Users\Admin\AppData\Local\Temp\LetsTryAnal - Christy Mack (Anal With An Attitude).exe"
    1⤵
    • Checks computer location settings
    • Adds Run key to start application
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2804
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\java.bat" "
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1236
      • C:\Windows\SysWOW64\wscript.exe
        wscript.exe "C:\Users\Admin\AppData\Local\Temp\invs.vbs" "C:\Users\Admin\AppData\Local\Temp\java2.bat
        3⤵
        • Checks computer location settings
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:1240
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\java2.bat" "
          4⤵
          • Drops startup file
          • System Location Discovery: System Language Discovery
          PID:3728
    • C:\Windows\Temp\svhost.exe
      C:\Windows\Temp\svhost.exe
      2⤵
        PID:3396
      • C:\Windows\Temp\svhost.exe
        C:\Windows\Temp\svhost.exe
        2⤵
        • Adds policy Run key to start application
        • Boot or Logon Autostart Execution: Active Setup
        • Executes dropped EXE
        • Adds Run key to start application
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:4820
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
          3⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2480
          • C:\Windows\SysWOW64\reg.exe
            REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
            4⤵
            • Modifies firewall policy service
            • System Location Discovery: System Language Discovery
            • Modifies registry key
            PID:2388
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Windows\Temp\svhost.exe" /t REG_SZ /d "C:\Windows\Temp\svhost.exe:*:Enabled:Windows Messanger" /f
          3⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:4860
          • C:\Windows\SysWOW64\reg.exe
            REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Windows\Temp\svhost.exe" /t REG_SZ /d "C:\Windows\Temp\svhost.exe:*:Enabled:Windows Messanger" /f
            4⤵
            • Modifies firewall policy service
            • System Location Discovery: System Language Discovery
            • Modifies registry key
            PID:3044
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
          3⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:816
          • C:\Windows\SysWOW64\reg.exe
            REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
            4⤵
            • Modifies firewall policy service
            • System Location Discovery: System Language Discovery
            • Modifies registry key
            PID:1480
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\Xero\Dmu.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Xero\Dmu.exe:*:Enabled:Windows Messanger" /f
          3⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:3648
          • C:\Windows\SysWOW64\reg.exe
            REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\Xero\Dmu.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Xero\Dmu.exe:*:Enabled:Windows Messanger" /f
            4⤵
            • Modifies firewall policy service
            • System Location Discovery: System Language Discovery
            • Modifies registry key
            PID:4552
      • C:\Windows\Temp\svhost.exe
        C:\Windows\Temp\svhost.exe
        2⤵
          PID:372
        • C:\Windows\Temp\svhost.exe
          C:\Windows\Temp\svhost.exe
          2⤵
            PID:4112

        Network

        • DNS 104.219.191.52.in-addr.arpa
          Remote address: 8.8.8.8:53
          Request: 104.219.191.52.in-addr.arpa IN PTR
          Response: none
        • DNS 69.190.18.2.in-addr.arpa
          Remote address: 8.8.8.8:53
          Request: 69.190.18.2.in-addr.arpa IN PTR
          Response: 69.190.18.2.in-addr.arpa IN PTR a2-18-190-69.deploy.static.akamaitechnologies.com
        • DNS 140.32.126.40.in-addr.arpa
          Remote address: 8.8.8.8:53
          Request: 140.32.126.40.in-addr.arpa IN PTR
          Response: none
        • DNS 95.221.229.192.in-addr.arpa
          Remote address: 8.8.8.8:53
          Request: 95.221.229.192.in-addr.arpa IN PTR
          Response: none
        • DNS 13.86.106.20.in-addr.arpa
          Remote address: 8.8.8.8:53
          Request: 13.86.106.20.in-addr.arpa IN PTR
          Response: none
        • DNS tazbox.zapto.org (svhost.exe)
          Remote address: 8.8.8.8:53
          Request: tazbox.zapto.org IN A
          Response: none
        • DNS 217.106.137.52.in-addr.arpa
          Remote address: 8.8.8.8:53
          Request: 217.106.137.52.in-addr.arpa IN PTR
          Response: none
        • DNS tazbox.zapto.org (svhost.exe)
          Remote address: 8.8.8.8:53
          Request: tazbox.zapto.org IN A
          Response: none
        • DNS 171.39.242.20.in-addr.arpa
          Remote address: 8.8.8.8:53
          Request: 171.39.242.20.in-addr.arpa IN PTR
          Response: none
        • DNS 26.165.165.52.in-addr.arpa
          Remote address: 8.8.8.8:53
          Request: 26.165.165.52.in-addr.arpa IN PTR
          Response: none
        • DNS 1tazbox.zapto.org (svhost.exe)
          Remote address: 8.8.8.8:53
          Request: 1tazbox.zapto.org IN A
          Response: none
        • DNS 18.134.221.88.in-addr.arpa
          Remote address: 8.8.8.8:53
          Request: 18.134.221.88.in-addr.arpa IN PTR
          Response: 18.134.221.88.in-addr.arpa IN PTR a88-221-134-18.deploy.static.akamaitechnologies.com
        • DNS 2tazbox.zapto.org (svhost.exe)
          Remote address: 8.8.8.8:53
          Request: 2tazbox.zapto.org IN A
          Response: none
        • DNS 3tazbox.zapto.org (svhost.exe)
          Remote address: 8.8.8.8:53
          Request: 3tazbox.zapto.org IN A
          Response: 3tazbox.zapto.org IN A 94.73.32.235
        • DNS 172.214.232.199.in-addr.arpa
          Remote address: 8.8.8.8:53
          Request: 172.214.232.199.in-addr.arpa IN PTR
          Response: none
        • DNS 4tazbox.zapto.org (svhost.exe)
          Remote address: 8.8.8.8:53
          Request: 4tazbox.zapto.org IN A
          Response: 4tazbox.zapto.org IN A 78.159.143.172
        • DNS 42.56.20.217.in-addr.arpa
          Remote address: 8.8.8.8:53
          Request: 42.56.20.217.in-addr.arpa IN PTR
          Response: none
        • DNS 29.243.111.52.in-addr.arpa
          Remote address: 8.8.8.8:53
          Request: 29.243.111.52.in-addr.arpa IN PTR
          Response: none
        • DNS 5tazbox.zapto.org (svhost.exe)
          Remote address: 8.8.8.8:53
          Request: 5tazbox.zapto.org IN A
          Response: none
        • DNS 6tazbox.zapto.org (svhost.exe)
          Remote address: 8.8.8.8:53
          Request: 6tazbox.zapto.org IN A
          Response: none
        • DNS 7tazbox.zapto.org (svhost.exe)
          Remote address: 8.8.8.8:53
          Request: 7tazbox.zapto.org IN A
          Response: none
        • DNS 8tazbox.zapto.org (svhost.exe)
          Remote address: 8.8.8.8:53
          Request: 8tazbox.zapto.org IN A
          Response: none
        • 94.73.32.235:3080 | 3tazbox.zapto.org | svhost.exe | 260 B | 5
        • 78.159.143.172:3080 | 4tazbox.zapto.org | svhost.exe | 260 B | 5
        • 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | dns | 73 B | 147 B | 1 | 1
          DNS Request: 104.219.191.52.in-addr.arpa
        • 8.8.8.8:53 | 69.190.18.2.in-addr.arpa | dns | 70 B | 133 B | 1 | 1
          DNS Request: 69.190.18.2.in-addr.arpa
        • 8.8.8.8:53 | 140.32.126.40.in-addr.arpa | dns | 72 B | 158 B | 1 | 1
          DNS Request: 140.32.126.40.in-addr.arpa
        • 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | dns | 73 B | 144 B | 1 | 1
          DNS Request: 95.221.229.192.in-addr.arpa
        • 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | dns | 71 B | 157 B | 1 | 1
          DNS Request: 13.86.106.20.in-addr.arpa
        • 8.8.8.8:53 | tazbox.zapto.org | dns | svhost.exe | 62 B | 122 B | 1 | 1
          DNS Request: tazbox.zapto.org
        • 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | dns | 73 B | 147 B | 1 | 1
          DNS Request: 217.106.137.52.in-addr.arpa
        • 8.8.8.8:53 | tazbox.zapto.org | dns | svhost.exe | 62 B | 122 B | 1 | 1
          DNS Request: tazbox.zapto.org
        • 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | dns | 72 B | 146 B | 1 | 1
          DNS Request: 26.165.165.52.in-addr.arpa
        • 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | dns | 72 B | 158 B | 1 | 1
          DNS Request: 171.39.242.20.in-addr.arpa
        • 8.8.8.8:53 | 1tazbox.zapto.org | dns | svhost.exe | 63 B | 123 B | 1 | 1
          DNS Request: 1tazbox.zapto.org
        • 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | dns | 72 B | 137 B | 1 | 1
          DNS Request: 18.134.221.88.in-addr.arpa
        • 8.8.8.8:53 | 2tazbox.zapto.org | dns | svhost.exe | 63 B | 123 B | 1 | 1
          DNS Request: 2tazbox.zapto.org
        • 8.8.8.8:53 | 3tazbox.zapto.org | dns | svhost.exe | 63 B | 79 B | 1 | 1
          DNS Request: 3tazbox.zapto.org
          DNS Response: 94.73.32.235
        • 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | dns | 74 B | 128 B | 1 | 1
          DNS Request: 172.214.232.199.in-addr.arpa
        • 8.8.8.8:53 | 4tazbox.zapto.org | dns | svhost.exe | 63 B | 79 B | 1 | 1
          DNS Request: 4tazbox.zapto.org
          DNS Response: 78.159.143.172
        • 8.8.8.8:53 | 42.56.20.217.in-addr.arpa | dns | 71 B | 131 B | 1 | 1
          DNS Request: 42.56.20.217.in-addr.arpa
        • 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | dns | 72 B | 158 B | 1 | 1
          DNS Request: 29.243.111.52.in-addr.arpa
        • 8.8.8.8:53 | 5tazbox.zapto.org | dns | svhost.exe | 63 B | 123 B | 1 | 1
          DNS Request: 5tazbox.zapto.org
        • 8.8.8.8:53 | 6tazbox.zapto.org | dns | svhost.exe | 63 B | 123 B | 1 | 1
          DNS Request: 6tazbox.zapto.org
        • 8.8.8.8:53 | 7tazbox.zapto.org | dns | svhost.exe | 63 B | 123 B | 1 | 1
          DNS Request: 7tazbox.zapto.org
        • 8.8.8.8:53 | 8tazbox.zapto.org | dns | svhost.exe | 63 B | 123 B | 1 | 1
          DNS Request: 8tazbox.zapto.org

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\invs.vbs
          Filesize: 78B
          MD5: c578d9653b22800c3eb6b6a51219bbb8
          SHA1: a97aa251901bbe179a48dbc7a0c1872e163b1f2d
          SHA256: 20a98a7e6e137bb1b9bd5ef6911a479cb8eac925b80d6db4e70b19f62a40cce2
          SHA512: 3ae6dc8f02d1a78e1235a0782b632972da5a74ab32287cc41aa672d4fa4a9d34bb5fc50eba07b6915f2e61c402927cd5f6feeb7f7602afa2f64e91efb3b7fc4d
        • C:\Users\Admin\AppData\Local\Temp\java.bat
          Filesize: 47B
          MD5: 81bf5400486e5da45ba0c6c1399d843f
          SHA1: d70a7c4d3f3057a3ef5b8b1c764b40b3d3b4d59d
          SHA256: d1a915a5e0286b1648a6e094f52813e2b5766dce3acf6342b297f7ca113545f1
          SHA512: ebeee9eb5249ee1b278bf6c1fbcd91e4c073a241203f218dfa2edfa708a37679c6e6a78751de55b4640a024b32ce4389bd5d931401309163950cd15b4a91c140
        • C:\Users\Admin\AppData\Local\Temp\java2.bat
          Filesize: 151B
          MD5: ed28c618f7d8306e3736432b58bb5d27
          SHA1: 441e6dab70e31d9c599fcd9e2d32009038781b42
          SHA256: d9aa03911260779b1f8a9b046a7ecf7aa87b0f13c762491fe8e06c482bac09a3
          SHA512: 4257d8839e881a9ab6de6230a9df1e81456cb796eb9ee2361789fa5fe4c81b297ed1c472f91d97bb0b2ebdb6acadb924617e6ffd32fc96d8ddcebf8fee4a7880
        • C:\Users\Admin\AppData\Local\Temp\rundll32-.txt
          Filesize: 524KB
          MD5: 8100e3a84c64d7cafa56c1cc23883474
          SHA1: 9e4296f449b4b9195eae1355ff9cced63fd0a7a4
          SHA256: 2225d914a5b0d0e06c4b0daf473066d68143ea2dda10a6619d9734d2108c9a77
          SHA512: dcd68f6584f02d722086285383fd8b2503c41e404e728296008ea9c5e5d2b5305d17fe97077990430a30b8655700526e2f1cb3eb4d2451d29d40264d4e0cdbba
        • C:\Windows\Temp\svhost.exe
          Filesize: 1.1MB
          MD5: d881de17aa8f2e2c08cbb7b265f928f9
          SHA1: 08936aebc87decf0af6e8eada191062b5e65ac2a
          SHA256: b3a37093609f9a20ad60b85a9fa9de2ba674cba9b5bd687729440c70ba619ca0
          SHA512: 5f23bfb1b8740247b36ed0ab741738c7d4c949736129e767213e321607d1ccd3e3a8428e4ba44bd28a275b5e3f6206285b1a522514b7ef7ea5e698d90a713d34

        • memory/2804-1-0x0000000074D30000-0x00000000752E1000-memory.dmp
          Filesize: 5.7MB
        • memory/2804-2-0x0000000074D30000-0x00000000752E1000-memory.dmp
          Filesize: 5.7MB
        • memory/2804-43-0x0000000074D30000-0x00000000752E1000-memory.dmp
          Filesize: 5.7MB
        • memory/2804-0-0x0000000074D32000-0x0000000074D33000-memory.dmp
          Filesize: 4KB
        • memory/2804-36-0x0000000074D30000-0x00000000752E1000-memory.dmp
          Filesize: 5.7MB
        • memory/2804-35-0x0000000074D32000-0x0000000074D33000-memory.dmp
          Filesize: 4KB
        • memory/4820-37-0x0000000000400000-0x0000000000473000-memory.dmp
          Filesize: 460KB
        • memory/4820-58-0x0000000000400000-0x0000000000473000-memory.dmp
          Filesize: 460KB
        • memory/4820-23-0x0000000000400000-0x0000000000473000-memory.dmp
          Filesize: 460KB
        • memory/4820-21-0x0000000000400000-0x0000000000473000-memory.dmp
          Filesize: 460KB
        • memory/4820-16-0x0000000000400000-0x0000000000473000-memory.dmp
          Filesize: 460KB
        • memory/4820-44-0x0000000000400000-0x0000000000473000-memory.dmp
          Filesize: 460KB
        • memory/4820-48-0x0000000000400000-0x0000000000473000-memory.dmp
          Filesize: 460KB
        • memory/4820-51-0x0000000000400000-0x0000000000473000-memory.dmp
          Filesize: 460KB
        • memory/4820-54-0x0000000000400000-0x0000000000473000-memory.dmp
          Filesize: 460KB
        • memory/4820-22-0x0000000000400000-0x0000000000473000-memory.dmp
          Filesize: 460KB
        • memory/4820-61-0x0000000000400000-0x0000000000473000-memory.dmp
          Filesize: 460KB
        • memory/4820-64-0x0000000000400000-0x0000000000473000-memory.dmp
          Filesize: 460KB
        • memory/4820-68-0x0000000000400000-0x0000000000473000-memory.dmp
          Filesize: 460KB
        • memory/4820-71-0x0000000000400000-0x0000000000473000-memory.dmp
          Filesize: 460KB
        • memory/4820-74-0x0000000000400000-0x0000000000473000-memory.dmp
          Filesize: 460KB
        • memory/4820-77-0x0000000000400000-0x0000000000473000-memory.dmp
          Filesize: 460KB
        • memory/4820-81-0x0000000000400000-0x0000000000473000-memory.dmp
          Filesize: 460KB
