1ffe5563c58dd0e8ce1c628d3e4c2a069cfb202def7aa64331ad7dfcd3ba4f03

Analysis

max time kernel
149s
max time network
17s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
14/10/2024, 18:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1ffe5563c58dd0e8ce1c628d3e4c2a069cfb202def7aa64331ad7dfcd3ba4f03.exe
Size

739KB
MD5

8fc37190cc209d82cc01dc571c3dafd6
SHA1

a0903c827dd10d49d0f9decb4b335b7ddf5a21b8
SHA256

1ffe5563c58dd0e8ce1c628d3e4c2a069cfb202def7aa64331ad7dfcd3ba4f03
SHA512

d92d1e26597165d9ad8d731415fbef3ec3315bd5cc30b7e2ac5a07208a1b9d4c28ea7cb8a04173cea698e2b887b918f71b37c6adbc2aafbff12024d41b2126fd
SSDEEP

12288:F8vSZGaEdFgPDodfkdfJklofnwc+6LUyqvc1IvyXWUZl/ylmD1Am0Qsei9cOh6EO:aqZGaEdFgPEdqa6YcNIDvc1I25ZBDotS

Score

7^/10

discovery upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2368	update.exe

Loads dropped DLL 4 IoCs

pid	Process
808	1ffe5563c58dd0e8ce1c628d3e4c2a069cfb202def7aa64331ad7dfcd3ba4f03.exe
2368	update.exe
2368	update.exe
2368	update.exe

UPX packed file 16 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/808-0-0x0000000000400000-0x00000000006B3000-memory.dmp	upx
behavioral1/memory/808-14-0x0000000000400000-0x00000000006B3000-memory.dmp	upx
behavioral1/memory/808-15-0x0000000000400000-0x00000000006B3000-memory.dmp	upx
behavioral1/memory/808-16-0x0000000000400000-0x00000000006B3000-memory.dmp	upx
behavioral1/memory/808-17-0x0000000000400000-0x00000000006B3000-memory.dmp	upx
behavioral1/memory/808-18-0x0000000000400000-0x00000000006B3000-memory.dmp	upx
behavioral1/memory/808-19-0x0000000000400000-0x00000000006B3000-memory.dmp	upx
behavioral1/memory/808-20-0x0000000000400000-0x00000000006B3000-memory.dmp	upx
behavioral1/memory/808-21-0x0000000000400000-0x00000000006B3000-memory.dmp	upx
behavioral1/memory/808-22-0x0000000000400000-0x00000000006B3000-memory.dmp	upx
behavioral1/memory/808-23-0x0000000000400000-0x00000000006B3000-memory.dmp	upx
behavioral1/memory/808-24-0x0000000000400000-0x00000000006B3000-memory.dmp	upx
behavioral1/memory/808-25-0x0000000000400000-0x00000000006B3000-memory.dmp	upx
behavioral1/memory/808-26-0x0000000000400000-0x00000000006B3000-memory.dmp	upx
behavioral1/memory/808-27-0x0000000000400000-0x00000000006B3000-memory.dmp	upx
behavioral1/memory/808-28-0x0000000000400000-0x00000000006B3000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1ffe5563c58dd0e8ce1c628d3e4c2a069cfb202def7aa64331ad7dfcd3ba4f03.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	update.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
808	1ffe5563c58dd0e8ce1c628d3e4c2a069cfb202def7aa64331ad7dfcd3ba4f03.exe
808	1ffe5563c58dd0e8ce1c628d3e4c2a069cfb202def7aa64331ad7dfcd3ba4f03.exe
808	1ffe5563c58dd0e8ce1c628d3e4c2a069cfb202def7aa64331ad7dfcd3ba4f03.exe
808	1ffe5563c58dd0e8ce1c628d3e4c2a069cfb202def7aa64331ad7dfcd3ba4f03.exe
808	1ffe5563c58dd0e8ce1c628d3e4c2a069cfb202def7aa64331ad7dfcd3ba4f03.exe
808	1ffe5563c58dd0e8ce1c628d3e4c2a069cfb202def7aa64331ad7dfcd3ba4f03.exe
808	1ffe5563c58dd0e8ce1c628d3e4c2a069cfb202def7aa64331ad7dfcd3ba4f03.exe
808	1ffe5563c58dd0e8ce1c628d3e4c2a069cfb202def7aa64331ad7dfcd3ba4f03.exe
808	1ffe5563c58dd0e8ce1c628d3e4c2a069cfb202def7aa64331ad7dfcd3ba4f03.exe
808	1ffe5563c58dd0e8ce1c628d3e4c2a069cfb202def7aa64331ad7dfcd3ba4f03.exe
808	1ffe5563c58dd0e8ce1c628d3e4c2a069cfb202def7aa64331ad7dfcd3ba4f03.exe
808	1ffe5563c58dd0e8ce1c628d3e4c2a069cfb202def7aa64331ad7dfcd3ba4f03.exe
808	1ffe5563c58dd0e8ce1c628d3e4c2a069cfb202def7aa64331ad7dfcd3ba4f03.exe
808	1ffe5563c58dd0e8ce1c628d3e4c2a069cfb202def7aa64331ad7dfcd3ba4f03.exe
808	1ffe5563c58dd0e8ce1c628d3e4c2a069cfb202def7aa64331ad7dfcd3ba4f03.exe
808	1ffe5563c58dd0e8ce1c628d3e4c2a069cfb202def7aa64331ad7dfcd3ba4f03.exe
808	1ffe5563c58dd0e8ce1c628d3e4c2a069cfb202def7aa64331ad7dfcd3ba4f03.exe
808	1ffe5563c58dd0e8ce1c628d3e4c2a069cfb202def7aa64331ad7dfcd3ba4f03.exe
808	1ffe5563c58dd0e8ce1c628d3e4c2a069cfb202def7aa64331ad7dfcd3ba4f03.exe
808	1ffe5563c58dd0e8ce1c628d3e4c2a069cfb202def7aa64331ad7dfcd3ba4f03.exe
808	1ffe5563c58dd0e8ce1c628d3e4c2a069cfb202def7aa64331ad7dfcd3ba4f03.exe
808	1ffe5563c58dd0e8ce1c628d3e4c2a069cfb202def7aa64331ad7dfcd3ba4f03.exe
808	1ffe5563c58dd0e8ce1c628d3e4c2a069cfb202def7aa64331ad7dfcd3ba4f03.exe
808	1ffe5563c58dd0e8ce1c628d3e4c2a069cfb202def7aa64331ad7dfcd3ba4f03.exe
808	1ffe5563c58dd0e8ce1c628d3e4c2a069cfb202def7aa64331ad7dfcd3ba4f03.exe
808	1ffe5563c58dd0e8ce1c628d3e4c2a069cfb202def7aa64331ad7dfcd3ba4f03.exe
808	1ffe5563c58dd0e8ce1c628d3e4c2a069cfb202def7aa64331ad7dfcd3ba4f03.exe
808	1ffe5563c58dd0e8ce1c628d3e4c2a069cfb202def7aa64331ad7dfcd3ba4f03.exe
808	1ffe5563c58dd0e8ce1c628d3e4c2a069cfb202def7aa64331ad7dfcd3ba4f03.exe
808	1ffe5563c58dd0e8ce1c628d3e4c2a069cfb202def7aa64331ad7dfcd3ba4f03.exe
808	1ffe5563c58dd0e8ce1c628d3e4c2a069cfb202def7aa64331ad7dfcd3ba4f03.exe
808	1ffe5563c58dd0e8ce1c628d3e4c2a069cfb202def7aa64331ad7dfcd3ba4f03.exe
808	1ffe5563c58dd0e8ce1c628d3e4c2a069cfb202def7aa64331ad7dfcd3ba4f03.exe
808	1ffe5563c58dd0e8ce1c628d3e4c2a069cfb202def7aa64331ad7dfcd3ba4f03.exe
808	1ffe5563c58dd0e8ce1c628d3e4c2a069cfb202def7aa64331ad7dfcd3ba4f03.exe
808	1ffe5563c58dd0e8ce1c628d3e4c2a069cfb202def7aa64331ad7dfcd3ba4f03.exe
808	1ffe5563c58dd0e8ce1c628d3e4c2a069cfb202def7aa64331ad7dfcd3ba4f03.exe
808	1ffe5563c58dd0e8ce1c628d3e4c2a069cfb202def7aa64331ad7dfcd3ba4f03.exe
808	1ffe5563c58dd0e8ce1c628d3e4c2a069cfb202def7aa64331ad7dfcd3ba4f03.exe
808	1ffe5563c58dd0e8ce1c628d3e4c2a069cfb202def7aa64331ad7dfcd3ba4f03.exe
808	1ffe5563c58dd0e8ce1c628d3e4c2a069cfb202def7aa64331ad7dfcd3ba4f03.exe
808	1ffe5563c58dd0e8ce1c628d3e4c2a069cfb202def7aa64331ad7dfcd3ba4f03.exe
808	1ffe5563c58dd0e8ce1c628d3e4c2a069cfb202def7aa64331ad7dfcd3ba4f03.exe
808	1ffe5563c58dd0e8ce1c628d3e4c2a069cfb202def7aa64331ad7dfcd3ba4f03.exe
808	1ffe5563c58dd0e8ce1c628d3e4c2a069cfb202def7aa64331ad7dfcd3ba4f03.exe
808	1ffe5563c58dd0e8ce1c628d3e4c2a069cfb202def7aa64331ad7dfcd3ba4f03.exe
808	1ffe5563c58dd0e8ce1c628d3e4c2a069cfb202def7aa64331ad7dfcd3ba4f03.exe
808	1ffe5563c58dd0e8ce1c628d3e4c2a069cfb202def7aa64331ad7dfcd3ba4f03.exe
808	1ffe5563c58dd0e8ce1c628d3e4c2a069cfb202def7aa64331ad7dfcd3ba4f03.exe
808	1ffe5563c58dd0e8ce1c628d3e4c2a069cfb202def7aa64331ad7dfcd3ba4f03.exe
808	1ffe5563c58dd0e8ce1c628d3e4c2a069cfb202def7aa64331ad7dfcd3ba4f03.exe
808	1ffe5563c58dd0e8ce1c628d3e4c2a069cfb202def7aa64331ad7dfcd3ba4f03.exe
808	1ffe5563c58dd0e8ce1c628d3e4c2a069cfb202def7aa64331ad7dfcd3ba4f03.exe
808	1ffe5563c58dd0e8ce1c628d3e4c2a069cfb202def7aa64331ad7dfcd3ba4f03.exe
808	1ffe5563c58dd0e8ce1c628d3e4c2a069cfb202def7aa64331ad7dfcd3ba4f03.exe
808	1ffe5563c58dd0e8ce1c628d3e4c2a069cfb202def7aa64331ad7dfcd3ba4f03.exe
808	1ffe5563c58dd0e8ce1c628d3e4c2a069cfb202def7aa64331ad7dfcd3ba4f03.exe
808	1ffe5563c58dd0e8ce1c628d3e4c2a069cfb202def7aa64331ad7dfcd3ba4f03.exe
808	1ffe5563c58dd0e8ce1c628d3e4c2a069cfb202def7aa64331ad7dfcd3ba4f03.exe
808	1ffe5563c58dd0e8ce1c628d3e4c2a069cfb202def7aa64331ad7dfcd3ba4f03.exe
808	1ffe5563c58dd0e8ce1c628d3e4c2a069cfb202def7aa64331ad7dfcd3ba4f03.exe
808	1ffe5563c58dd0e8ce1c628d3e4c2a069cfb202def7aa64331ad7dfcd3ba4f03.exe
808	1ffe5563c58dd0e8ce1c628d3e4c2a069cfb202def7aa64331ad7dfcd3ba4f03.exe
808	1ffe5563c58dd0e8ce1c628d3e4c2a069cfb202def7aa64331ad7dfcd3ba4f03.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
808	1ffe5563c58dd0e8ce1c628d3e4c2a069cfb202def7aa64331ad7dfcd3ba4f03.exe
808	1ffe5563c58dd0e8ce1c628d3e4c2a069cfb202def7aa64331ad7dfcd3ba4f03.exe
2368	update.exe
2368	update.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 808 wrote to memory of 2368	808	1ffe5563c58dd0e8ce1c628d3e4c2a069cfb202def7aa64331ad7dfcd3ba4f03.exe	30
PID 808 wrote to memory of 2368	808	1ffe5563c58dd0e8ce1c628d3e4c2a069cfb202def7aa64331ad7dfcd3ba4f03.exe	30
PID 808 wrote to memory of 2368	808	1ffe5563c58dd0e8ce1c628d3e4c2a069cfb202def7aa64331ad7dfcd3ba4f03.exe	30
PID 808 wrote to memory of 2368	808	1ffe5563c58dd0e8ce1c628d3e4c2a069cfb202def7aa64331ad7dfcd3ba4f03.exe	30
PID 808 wrote to memory of 2368	808	1ffe5563c58dd0e8ce1c628d3e4c2a069cfb202def7aa64331ad7dfcd3ba4f03.exe	30
PID 808 wrote to memory of 2368	808	1ffe5563c58dd0e8ce1c628d3e4c2a069cfb202def7aa64331ad7dfcd3ba4f03.exe	30
PID 808 wrote to memory of 2368	808	1ffe5563c58dd0e8ce1c628d3e4c2a069cfb202def7aa64331ad7dfcd3ba4f03.exe	30

C:\Users\Admin\AppData\Local\Temp\1ffe5563c58dd0e8ce1c628d3e4c2a069cfb202def7aa64331ad7dfcd3ba4f03.exe
"C:\Users\Admin\AppData\Local\Temp\1ffe5563c58dd0e8ce1c628d3e4c2a069cfb202def7aa64331ad7dfcd3ba4f03.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:808
- C:\Users\Admin\AppData\Local\Temp\update.exe
  "C:\Users\Admin\AppData\Local\Temp\update.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:2368

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\config.ini

Filesize
19B

MD5
113296bd7076d5e4b3b4426f3ad4ab88

SHA1
97fdf1d7cd2bfb7b642d0517243c0eb6ddb07ec0

SHA256
f4a3115f22939184dc537cddc768ff933a7bf1a47a736f2f754117ca2d947648

SHA512
5953fc651b3eb9e7079aee3dce8a47762db1ef0a629f0bc12b47ad8f70673c07c958641fee85eab1430af768c030a6e42c9cbebc48038de5d6ea5e6ea5a47ef8

Download Submit
\Users\Admin\AppData\Local\Temp\update.exe

Filesize
964KB

MD5
6a023ed121b934d982dcda5e5c518bbc

SHA1
126435f1e03b46c1607e8c14e74814e867f61523

SHA256
1a931b34a8b65bb15570f13981c268c3adb494fe4bc4abd7046dc634c04e89da

SHA512
92fe01c3da2c0a69471a52b0bce161f8ae36a96b0ccc57393abe6b3e3c140284b07d462c1c3282645eb6b756b7b0739216aab9e2a491740a0b98b6614bcc32bf

Download Submit
memory/808-19-0x0000000000400000-0x00000000006B3000-memory.dmp

Filesize
2.7MB

Download
memory/808-14-0x0000000000400000-0x00000000006B3000-memory.dmp

Filesize
2.7MB

Download
memory/808-15-0x0000000000400000-0x00000000006B3000-memory.dmp

Filesize
2.7MB

Download
memory/808-16-0x0000000000400000-0x00000000006B3000-memory.dmp

Filesize
2.7MB

Download
memory/808-17-0x0000000000400000-0x00000000006B3000-memory.dmp

Filesize
2.7MB

Download
memory/808-18-0x0000000000400000-0x00000000006B3000-memory.dmp

Filesize
2.7MB

Download
memory/808-0-0x0000000000400000-0x00000000006B3000-memory.dmp

Filesize
2.7MB

Download
memory/808-20-0x0000000000400000-0x00000000006B3000-memory.dmp

Filesize
2.7MB

Download
memory/808-21-0x0000000000400000-0x00000000006B3000-memory.dmp

Filesize
2.7MB

Download
memory/808-22-0x0000000000400000-0x00000000006B3000-memory.dmp

Filesize
2.7MB

Download
memory/808-23-0x0000000000400000-0x00000000006B3000-memory.dmp

Filesize
2.7MB

Download
memory/808-24-0x0000000000400000-0x00000000006B3000-memory.dmp

Filesize
2.7MB

Download
memory/808-25-0x0000000000400000-0x00000000006B3000-memory.dmp

Filesize
2.7MB

Download
memory/808-26-0x0000000000400000-0x00000000006B3000-memory.dmp

Filesize
2.7MB

Download
memory/808-27-0x0000000000400000-0x00000000006B3000-memory.dmp

Filesize
2.7MB

Download
memory/808-28-0x0000000000400000-0x00000000006B3000-memory.dmp

Filesize
2.7MB

Download