Overview

overview

7

Static

static

5

0475d9167f...1N.exe

windows7-x64

7

0475d9167f...1N.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    120s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags

    arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
  • submitted
    29/09/2024, 23:05

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    0475d9167fe8b67e04b21f4a20f8edf0360707ebb58f58df5961d2cc0f761071N.exe

  • Size

    20KB

  • MD5

    cd273cbe1f1d6ee86861b4193460dca0

  • SHA1

    f517e387635d76c6afdc7e3b13629d8b78281ab8

  • SHA256

    0475d9167fe8b67e04b21f4a20f8edf0360707ebb58f58df5961d2cc0f761071

  • SHA512

    ebb331cdf36ac360d53b641ba5411c3a64d03aa8ad0408f27f03cc7901faac5a63123493b11d01a7916b2928699c46639ad2f9131aaed534598d326351db238e

  • SSDEEP

    192:VjUWFh4fvYGIQnsA6psQXFaNJhLkwcud2DH9VwGfct1hM5EKU:9KE7pXaNJawcudoD7U7S5Ev

Score
7/10
discoveryevasionpersistencetrojanupx

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 5 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 2 IoCs
    evasiontrojan
  • UPX packed file 5 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0475d9167fe8b67e04b21f4a20f8edf0360707ebb58f58df5961d2cc0f761071N.exe
    "C:\Users\Admin\AppData\Local\Temp\0475d9167fe8b67e04b21f4a20f8edf0360707ebb58f58df5961d2cc0f761071N.exe"
    1⤵
    • Loads dropped DLL
    • Checks whether UAC is enabled
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2520
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\XWIRI.bat" "
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2920
      • C:\Windows\SysWOW64\reg.exe
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "xplorer" /t REG_SZ /d "C:\Windows\xplorer\xplorer.exe" /f
        3⤵
        • Adds Run key to start application
        • System Location Discovery: System Language Discovery
        PID:2116
    • C:\Windows\xplorer\xplorer.exe
      "C:\Windows\xplorer\xplorer.exe"
      2⤵
      • Executes dropped EXE
      • Checks whether UAC is enabled
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:2736

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\XWIRI.bat
    Filesize

    124B

    MD5

    4e6e99d38b1264af2b53a68c7cd6d648

    SHA1

    55ffe17732d1d9c539d702a1311ef9674fe7b3cf

    SHA256

    168d9cdf4849fde3b4817db207e60934b6c877be439289f3fb3a4eb9e4326ff0

    SHA512

    bde21abed1bfc3dbdd6afc83614aa27c3f33dfbb434e139523ac57ecd84875b0e96a241f5828eda0b055f787ec7f95850b0f4ab0ee752ac36484b2bfd78a859d

    Download Submit

  • \Windows\xplorer\xplorer.exe
    Filesize

    20KB

    MD5

    bfd29e785d863a06458b264671e10071

    SHA1

    6014dfd4178ac572e9bd15abdb56b0c07de17f7c

    SHA256

    52e63b6a1ac258572d4b913400598ec78d63ca067f6b578d5da19b5ab80b6cca

    SHA512

    5f85f5de2f4ed00470a1ac7be076379486b91cc2725bbcdd8e5142c32ac9c6ca17877be16dd52ef765b138f843602706e35fc6d54b98a91496a18df3c81e4c76

    Download Submit

  • memory/2520-0-0x0000000000400000-0x000000000040B000-memory.dmp

    Filesize

    44KB

    Download

  • memory/2520-40-0x00000000005A0000-0x00000000005AB000-memory.dmp

    Filesize

    44KB

    Download

  • memory/2520-39-0x00000000005A0000-0x00000000005AB000-memory.dmp

    Filesize

    44KB

    Download

  • memory/2520-44-0x0000000000400000-0x000000000040B000-memory.dmp

    Filesize

    44KB

    Download

  • memory/2520-45-0x00000000005A0000-0x00000000005AB000-memory.dmp

    Filesize

    44KB

    Download

  • memory/2520-46-0x00000000005A0000-0x00000000005AB000-memory.dmp

    Filesize

    44KB

    Download

  • memory/2736-48-0x0000000000400000-0x000000000040B000-memory.dmp

    Filesize

    44KB

    Download