Overview

overview

10

Static

static

10

0c3b09213f...3c.exe

windows7-x64

8

0dab0428b4...50.exe

windows7-x64

10

14d09a259f...32.exe

windows7-x64

10

16c49d6775...56.exe

windows7-x64

7

1d241bd0b7...f4.exe

windows7-x64

9

2.exe

windows7-x64

6

287a6b75d1...ad.exe

windows7-x64

10

35b0676421...82.exe

windows7-x64

10

39deb2f02f...9f.exe

windows7-x64

8

4.exe

windows7-x64

7

4a0f399840...33.exe

windows7-x64

10

5.exe

windows7-x64

8

53bdaf567e...fc.exe

windows7-x64

7

6.exe

windows7-x64

5

646677375b...36.exe

windows7-x64

9

6dfb9490b1...f8.exe

windows7-x64

6

7.exe

windows7-x64

10

71a20e2700...db.exe

windows7-x64

3

835b0ef8f5...35.exe

windows7-x64

7

$PLUGINSDI...em.dll

windows7-x64

3

$PLUGINSDI...gs.dll

windows7-x64

3

b15b78937c...ac.exe

windows7-x64

7

$PLUGINSDIR/INetC.dll

windows7-x64

3

$PLUGINSDI...em.dll

windows7-x64

3

$PLUGINSDI...gs.dll

windows7-x64

3

b3dc1bb1c7...1b.exe

windows7-x64

5

b4e3091d31...81.exe

windows7-x64

10

c1b35d3d70...c3.exe

windows7-x64

10

caa5f52a78...78.exe

windows7-x64

10

d2878de61f...0b.exe

windows7-x64

7

dbadeff4af...30.exe

windows7-x64

10

f5d893afc4...e9.exe

windows7-x64

9

Analysis

  • max time kernel
    303s
  • max time network
    124s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    20-11-2024 13:09

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    6dfb9490b10f90cfb5c0b7f2db24bc0eb3924664540ac24d5a1b32a4614078f8.exe

  • Size

    1.6MB

  • MD5

    d644eb3560601aa504917b281306a350

  • SHA1

    b43554ea4fa8eed7a9d36e4172546487b627a45d

  • SHA256

    6dfb9490b10f90cfb5c0b7f2db24bc0eb3924664540ac24d5a1b32a4614078f8

  • SHA512

    c9a2100bd23d583d63c5fd37251b81407036f422d5cdcf2386419d78eaf25fbf2fa7bc6d34ef33f2b427ead5004ce92da9184a70d5c202d2dcb12571b403fc46

  • SSDEEP

    24576:9CfBXFlrGTi+VIeTZBClhojLEObk5HW3x0Ea0R5fVAM8lP8bCtkQtdMVW30Qx8fZ:IJvGTiRl2U+kHa31LfVAMd7BW+AamO

Score
6/10
defense_evasiondiscoverypersistenceupx

Malware Config

Signatures

  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Hide Artifacts: Hidden Files and Directories 1 TTPs 1 IoCs
    defense_evasion
  • UPX packed file 2 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies registry key 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 7 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 19 IoCs
  • Suspicious use of SendNotifyMessage 19 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs
  • Views/modifies file attributes 1 TTPs 1 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\6dfb9490b10f90cfb5c0b7f2db24bc0eb3924664540ac24d5a1b32a4614078f8.exe
    "C:\Users\Admin\AppData\Local\Temp\6dfb9490b10f90cfb5c0b7f2db24bc0eb3924664540ac24d5a1b32a4614078f8.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2128
    • C:\Windows\SysWOW64\cmd.exe
      cmd /C "mkdir %userprofile%\SystemApps"
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2248
    • C:\Windows\SysWOW64\cmd.exe
      cmd /C "copy C:\Users\Admin\AppData\Local\Temp\6dfb9490b10f90cfb5c0b7f2db24bc0eb3924664540ac24d5a1b32a4614078f8.exe %userprofile%\SystemApps\AppSrv.exe"
      2⤵
      • System Location Discovery: System Language Discovery
      PID:3012
    • C:\Windows\SysWOW64\cmd.exe
      cmd /C "attrib +H %userprofile%\SystemApps"
      2⤵
      • Hide Artifacts: Hidden Files and Directories
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2268
      • C:\Windows\SysWOW64\attrib.exe
        attrib +H C:\Users\Admin\SystemApps
        3⤵
        • System Location Discovery: System Language Discovery
        • Views/modifies file attributes
        PID:2952
    • C:\Windows\SysWOW64\cmd.exe
      cmd /C "REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V SystemApps /t REG_SZ /F /D %userprofile%\SystemApps\AppSrv.exe"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2956
      • C:\Windows\SysWOW64\reg.exe
        REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V SystemApps /t REG_SZ /F /D C:\Users\Admin\SystemApps\AppSrv.exe
        3⤵
        • Adds Run key to start application
        • System Location Discovery: System Language Discovery
        • Modifies registry key
        PID:1740
  • C:\Windows\system32\taskmgr.exe
    "C:\Windows\system32\taskmgr.exe" /4
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:328

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/328-4-0x0000000140000000-0x00000001405E8000-memory.dmp

    Filesize

    5.9MB

    Download

  • memory/328-5-0x0000000140000000-0x00000001405E8000-memory.dmp

    Filesize

    5.9MB

    Download

  • memory/2128-0-0x0000000000400000-0x000000000086F000-memory.dmp

    Filesize

    4.4MB

    Download

  • memory/2128-3-0x0000000000400000-0x000000000086F000-memory.dmp

    Filesize

    4.4MB

    Download