Overview

overview

10

Static

static

10

The-MALWAR...2aed41

windows10-ltsc 2021-x64

3

The-MALWAR...b54692

windows10-ltsc 2021-x64

3

The-MALWAR...00f6c1

windows10-ltsc 2021-x64

3

The-MALWAR...ka.exe

windows10-ltsc 2021-x64

7

The-MALWAR...te.apk

windows10-ltsc 2021-x64

3

The-MALWAR...en.apk

windows10-ltsc 2021-x64

3

The-MALWAR...4a.apk

windows10-ltsc 2021-x64

3

The-MALWAR...if.exe

windows10-ltsc 2021-x64

10

The-MALWAR...il.exe

windows10-ltsc 2021-x64

8

The-MALWAR...at.exe

windows10-ltsc 2021-x64

3

The-MALWAR...an.exe

windows10-ltsc 2021-x64

The-MALWAR...sa.doc

windows10-ltsc 2021-x64

1

The-MALWAR...er.com

windows10-ltsc 2021-x64

The-MALWAR...98.exe

windows10-ltsc 2021-x64

3

The-MALWAR...aj.exe

windows10-ltsc 2021-x64

7

The-MALWAR...jB.exe

windows10-ltsc 2021-x64

7

The-MALWAR...om.exe

windows10-ltsc 2021-x64

6

The-MALWAR...1C.exe

windows10-ltsc 2021-x64

5

The-MALWAR...90.exe

windows10-ltsc 2021-x64

9

The-MALWAR...6a.exe

windows10-ltsc 2021-x64

9

The-MALWAR...it.exe

windows10-ltsc 2021-x64

3

The-MALWAR...ng.exe

windows10-ltsc 2021-x64

7

The-MALWAR....a.exe

windows10-ltsc 2021-x64

10

The-MALWAR...il.vbs

windows10-ltsc 2021-x64

10

The-MALWAR...1A.exe

windows10-ltsc 2021-x64

8

The-MALWAR...as.exe

windows10-ltsc 2021-x64

6

The-MALWAR...te.exe

windows10-ltsc 2021-x64

7

The-MALWAR....a.exe

windows10-ltsc 2021-x64

3

The-MALWAR...le.exe

windows10-ltsc 2021-x64

3

The-MALWAR...us.exe

windows10-ltsc 2021-x64

10

The-MALWAR...er.exe

windows10-ltsc 2021-x64

7

The-MALWAR...ff.exe

windows10-ltsc 2021-x64

3

Analysis

  • max time kernel
    1796s
  • max time network
    1664s
  • platform
    windows10-ltsc 2021_x64
  • resource
    win10ltsc2021-20241023-en
  • resource tags

    arch:x64arch:x86image:win10ltsc2021-20241023-enlocale:en-usos:windows10-ltsc 2021-x64system
  • submitted
    13-12-2024 18:01

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    The-MALWARE-Repo-master/Worm/Heap41A.exe

  • Size

    451KB

  • MD5

    4f30003916cc70fca3ce6ec3f0ff1429

  • SHA1

    7a12afdc041a03da58971a0f7637252ace834353

  • SHA256

    746153871f816ece357589b2351818e449b1beecfb21eb75a3305899ce9ae37c

  • SHA512

    e679a0f4b7292aedc9cd3a33cf150312ea0b1d712dd8ae8b719dedf92cc230330862f395e4f8da21c37d55a613d82a07d28b7fe6b5db6009ba8a30396caa5029

  • SSDEEP

    12288:gr3ZBIRB4heEAiRsdUaaSV2qmw0iOanTrA:8ZB2B4hlIMSIqDrA

Score
8/10
discoverypersistenceupx

Malware Config

Signatures

  • Adds policy Run key to start application 2 TTPs 3 IoCs
    persistence
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 4 IoCs
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops autorun.inf file 1 TTPs 2 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • UPX packed file 64 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\The-MALWARE-Repo-master\Worm\Heap41A.exe
    "C:\Users\Admin\AppData\Local\Temp\The-MALWARE-Repo-master\Worm\Heap41A.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:5012
    • C:\Users\Admin\AppData\Local\Temp\MicrosoftPowerPoint\svchost.exe
      "C:\Users\Admin\AppData\Local\Temp\MicrosoftPowerPoint\svchost.exe" MicrosoftPowerPoint\install.txt
      2⤵
      • Adds policy Run key to start application
      • Executes dropped EXE
      • Drops autorun.inf file
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:6092
      • C:\heap41a\svchost.exe
        C:\heap41a\svchost.exe C:\heap41a\std.txt
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:5116
        • C:\heap41a\svchost.exe
          C:\heap41a\svchost.exe C:\heap41a\script1.txt
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: GetForegroundWindowSpam
          PID:3344
        • C:\heap41a\svchost.exe
          C:\heap41a\svchost.exe C:\heap41a\reproduce.txt
          4⤵
          • Executes dropped EXE
          • Enumerates connected drives
          • System Location Discovery: System Language Discovery
          PID:3320

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\MicrosoftPowerPoint\2.mp3
    Filesize

    55KB

    MD5

    996867ee0cfd71ede0cda93e57789c75

    SHA1

    15abbe1362ca9ae1889ea56d3ea07f793ee76665

    SHA256

    c3d83fa6b168c9c53b7f9f4324be6f8053e47047e63199c05665a6bad5a587ed

    SHA512

    e4c3505e9f3c3f4469c858f08e612982e0a24b05b0c3e5aee5c63cd028b48f232c4e7470be50f3443f80b09aa74f2f9e59fc78fd8aba52777a1811033fb6cf00

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\MicrosoftPowerPoint\Icon.ico
    Filesize

    318B

    MD5

    e4231534c2813fda3a98d6d6b5b8b3b5

    SHA1

    c22ac56a296756120228cfe77fcc17b9000934c9

    SHA256

    143c93447046030853857088e31ee6c121d63fdfd03f10d36dfdcf6f0634ba43

    SHA512

    59aa526796c7e1de9bf2074fecae7b7520f34fd0f523bbb4c1f111b1b289f0a5bb7b94dc73fd8fec6187076c10d87a56273a09c79c718e388fcbaf5f0dd676cd

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\MicrosoftPowerPoint\Install.txt
    Filesize

    8KB

    MD5

    c0f4dbba918d1c7507f21463c422f29e

    SHA1

    daf5a4e8b449dddd98cfa54c75098c150576a8f6

    SHA256

    4fb1eb0cab27dba73bb042ddfbe470e7c75da6a126d934c3a5650959a7afc849

    SHA512

    fd50f5a631f394fb3d8220c1af4dcc79f66814c56727e3d845fe02ff8dc320927d430177b826f29cff49b55446a52e11be208de76a3f78d02e6b217906c7464a

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\MicrosoftPowerPoint\drivelist.txt
    Filesize

    72B

    MD5

    343c6f5dcbc9f70509a2659b6dcca34e

    SHA1

    573ce994df7f433ba8d897a03b8beebc1a1e80b7

    SHA256

    375c1af6f2d1fec8595df303bced33d9f80da01fea7d4968e24ef64dfccf78bd

    SHA512

    4b92a1a45c2f1d00eaa58feda3a0de94d91727824c5ec5472f0eb4ba0ee8edfcae8f05b01bacba5263e870f79e5737137f75434e009260d53853b7f86f94ba4e

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\MicrosoftPowerPoint\pathList.txt
    Filesize

    52B

    MD5

    0508bce1cc472b6b9e899a51e6d16a67

    SHA1

    bfeecf6312f868157503c5a9acf31ccc656e9229

    SHA256

    7786563108861b5f45b09745fca9d139f1a8d2db29d63f4a2db67e90096baed5

    SHA512

    6c5bceada4ce2f612d6b887a6ecb082ba6ac3b2e0f42fab77a7c23e297f2d1fe9fbed1b5da6d974229dcce8091be720ce8345b9ee737149ab41dae196d626634

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\MicrosoftPowerPoint\svchost.exe
    Filesize

    233KB

    MD5

    155e389a330dd7d7e1b274b8e46cdda7

    SHA1

    6445697a6db02e1a0e76efe69a3c87959ce2a0d8

    SHA256

    6390a4374f8d00c8dd4247e271137b2fa6259e0678b7b8bd29ce957058fd8f05

    SHA512

    df8d78cf27e4a384371f755e6d0d7333c736067aeeb619e44cbc5d88381bdcbc09a9b8eeb8aafb764fc1aaf39680e387b3bca73021c6af5452c0b2e03f0e8091

    Download Submit

  • C:\heap41a\reproduce.txt
    Filesize

    834B

    MD5

    4caff3a1fff3c9a4184dc586cf232265

    SHA1

    95603f1d5febc408dd421b96f8cc7d65b617d073

    SHA256

    dbc040d5f5261175089971582de1761569f6e1bd1f5dfc14cb4d7810cf192d6b

    SHA512

    dab3dbf898e8acb3e55c4411363f807be9ff67c20ef44c8d1505de689f8ba66e4beb7c57ee2fb0e04db1fb89b810beda6e854cd6063c84821f7ca827266ee95b

    Download Submit

  • C:\heap41a\script1.txt
    Filesize

    3KB

    MD5

    83dcab5f77dbe3c6309957368da10d79

    SHA1

    44f588cbe597aae47aea2a4c14389d363269f418

    SHA256

    82ee86007227f285a1a1827d076c0abfeceb6fcc29960a9972114744fb37e0cd

    SHA512

    16fc76355027d45e416856bbc2d510acec15a7043f071d97f0c4cbf5752c01360962c31d28a3baff94adc81b4dbce71c15d33ccfa9f987a1df5c7b2e3ef1e034

    Download Submit

  • C:\heap41a\std.txt
    Filesize

    439B

    MD5

    ae294ea720e7714ba05305b1eb2c371c

    SHA1

    f491b0abd1e180438a63890fdfbfc22f24e7be39

    SHA256

    ccc6e118a00a915962f2944dbc24dd9dd190e1a05923569f8b7c270d0195c9dd

    SHA512

    dca8c2564c8ee7e08755043a267492ca9a09e0c276bea4b2849905156c449edd31913b9b1ebd5005bda504d96afd873a59aafbef25d2b2e99cf295d7cc2f879d

    Download Submit

  • memory/3320-92-0x0000000000400000-0x0000000000486000-memory.dmp

    Filesize

    536KB

    Download

  • memory/3320-74-0x0000000000400000-0x0000000000486000-memory.dmp

    Filesize

    536KB

    Download

  • memory/3320-108-0x0000000000400000-0x0000000000486000-memory.dmp

    Filesize

    536KB

    Download

  • memory/3320-106-0x0000000000400000-0x0000000000486000-memory.dmp

    Filesize

    536KB

    Download

  • memory/3320-104-0x0000000000400000-0x0000000000486000-memory.dmp

    Filesize

    536KB

    Download

  • memory/3320-48-0x0000000000400000-0x0000000000486000-memory.dmp

    Filesize

    536KB

    Download

  • memory/3320-102-0x0000000000400000-0x0000000000486000-memory.dmp

    Filesize

    536KB

    Download

  • memory/3320-50-0x0000000000400000-0x0000000000486000-memory.dmp

    Filesize

    536KB

    Download

  • memory/3320-100-0x0000000000400000-0x0000000000486000-memory.dmp

    Filesize

    536KB

    Download

  • memory/3320-52-0x0000000000400000-0x0000000000486000-memory.dmp

    Filesize

    536KB

    Download

  • memory/3320-98-0x0000000000400000-0x0000000000486000-memory.dmp

    Filesize

    536KB

    Download

  • memory/3320-54-0x0000000000400000-0x0000000000486000-memory.dmp

    Filesize

    536KB

    Download

  • memory/3320-96-0x0000000000400000-0x0000000000486000-memory.dmp

    Filesize

    536KB

    Download

  • memory/3320-56-0x0000000000400000-0x0000000000486000-memory.dmp

    Filesize

    536KB

    Download

  • memory/3320-94-0x0000000000400000-0x0000000000486000-memory.dmp

    Filesize

    536KB

    Download

  • memory/3320-58-0x0000000000400000-0x0000000000486000-memory.dmp

    Filesize

    536KB

    Download

  • memory/3320-90-0x0000000000400000-0x0000000000486000-memory.dmp

    Filesize

    536KB

    Download

  • memory/3320-60-0x0000000000400000-0x0000000000486000-memory.dmp

    Filesize

    536KB

    Download

  • memory/3320-88-0x0000000000400000-0x0000000000486000-memory.dmp

    Filesize

    536KB

    Download

  • memory/3320-62-0x0000000000400000-0x0000000000486000-memory.dmp

    Filesize

    536KB

    Download

  • memory/3320-86-0x0000000000400000-0x0000000000486000-memory.dmp

    Filesize

    536KB

    Download

  • memory/3320-64-0x0000000000400000-0x0000000000486000-memory.dmp

    Filesize

    536KB

    Download

  • memory/3320-84-0x0000000000400000-0x0000000000486000-memory.dmp

    Filesize

    536KB

    Download

  • memory/3320-66-0x0000000000400000-0x0000000000486000-memory.dmp

    Filesize

    536KB

    Download

  • memory/3320-82-0x0000000000400000-0x0000000000486000-memory.dmp

    Filesize

    536KB

    Download

  • memory/3320-68-0x0000000000400000-0x0000000000486000-memory.dmp

    Filesize

    536KB

    Download

  • memory/3320-80-0x0000000000400000-0x0000000000486000-memory.dmp

    Filesize

    536KB

    Download

  • memory/3320-70-0x0000000000400000-0x0000000000486000-memory.dmp

    Filesize

    536KB

    Download

  • memory/3320-72-0x0000000000400000-0x0000000000486000-memory.dmp

    Filesize

    536KB

    Download

  • memory/3320-78-0x0000000000400000-0x0000000000486000-memory.dmp

    Filesize

    536KB

    Download

  • memory/3320-76-0x0000000000400000-0x0000000000486000-memory.dmp

    Filesize

    536KB

    Download

  • memory/3344-75-0x0000000000400000-0x0000000000486000-memory.dmp

    Filesize

    536KB

    Download

  • memory/3344-91-0x0000000000400000-0x0000000000486000-memory.dmp

    Filesize

    536KB

    Download

  • memory/3344-109-0x0000000000400000-0x0000000000486000-memory.dmp

    Filesize

    536KB

    Download

  • memory/3344-77-0x0000000000400000-0x0000000000486000-memory.dmp

    Filesize

    536KB

    Download

  • memory/3344-71-0x0000000000400000-0x0000000000486000-memory.dmp

    Filesize

    536KB

    Download

  • memory/3344-79-0x0000000000400000-0x0000000000486000-memory.dmp

    Filesize

    536KB

    Download

  • memory/3344-69-0x0000000000400000-0x0000000000486000-memory.dmp

    Filesize

    536KB

    Download

  • memory/3344-81-0x0000000000400000-0x0000000000486000-memory.dmp

    Filesize

    536KB

    Download

  • memory/3344-67-0x0000000000400000-0x0000000000486000-memory.dmp

    Filesize

    536KB

    Download

  • memory/3344-83-0x0000000000400000-0x0000000000486000-memory.dmp

    Filesize

    536KB

    Download

  • memory/3344-65-0x0000000000400000-0x0000000000486000-memory.dmp

    Filesize

    536KB

    Download

  • memory/3344-85-0x0000000000400000-0x0000000000486000-memory.dmp

    Filesize

    536KB

    Download

  • memory/3344-63-0x0000000000400000-0x0000000000486000-memory.dmp

    Filesize

    536KB

    Download

  • memory/3344-87-0x0000000000400000-0x0000000000486000-memory.dmp

    Filesize

    536KB

    Download

  • memory/3344-61-0x0000000000400000-0x0000000000486000-memory.dmp

    Filesize

    536KB

    Download

  • memory/3344-89-0x0000000000400000-0x0000000000486000-memory.dmp

    Filesize

    536KB

    Download

  • memory/3344-59-0x0000000000400000-0x0000000000486000-memory.dmp

    Filesize

    536KB

    Download

  • memory/3344-73-0x0000000000400000-0x0000000000486000-memory.dmp

    Filesize

    536KB

    Download

  • memory/3344-107-0x0000000000400000-0x0000000000486000-memory.dmp

    Filesize

    536KB

    Download

  • memory/3344-93-0x0000000000400000-0x0000000000486000-memory.dmp

    Filesize

    536KB

    Download

  • memory/3344-57-0x0000000000400000-0x0000000000486000-memory.dmp

    Filesize

    536KB

    Download

  • memory/3344-95-0x0000000000400000-0x0000000000486000-memory.dmp

    Filesize

    536KB

    Download

  • memory/3344-55-0x0000000000400000-0x0000000000486000-memory.dmp

    Filesize

    536KB

    Download

  • memory/3344-97-0x0000000000400000-0x0000000000486000-memory.dmp

    Filesize

    536KB

    Download

  • memory/3344-53-0x0000000000400000-0x0000000000486000-memory.dmp

    Filesize

    536KB

    Download

  • memory/3344-99-0x0000000000400000-0x0000000000486000-memory.dmp

    Filesize

    536KB

    Download

  • memory/3344-51-0x0000000000400000-0x0000000000486000-memory.dmp

    Filesize

    536KB

    Download

  • memory/3344-101-0x0000000000400000-0x0000000000486000-memory.dmp

    Filesize

    536KB

    Download

  • memory/3344-49-0x0000000000400000-0x0000000000486000-memory.dmp

    Filesize

    536KB

    Download

  • memory/3344-103-0x0000000000400000-0x0000000000486000-memory.dmp

    Filesize

    536KB

    Download

  • memory/3344-47-0x0000000000400000-0x0000000000486000-memory.dmp

    Filesize

    536KB

    Download

  • memory/3344-105-0x0000000000400000-0x0000000000486000-memory.dmp

    Filesize

    536KB

    Download

  • memory/5012-26-0x0000000000400000-0x0000000000432000-memory.dmp

    Filesize

    200KB

    Download

  • memory/5116-45-0x0000000000400000-0x0000000000486000-memory.dmp

    Filesize

    536KB

    Download

  • memory/6092-25-0x0000000000400000-0x0000000000486000-memory.dmp

    Filesize

    536KB

    Download

  • memory/6092-39-0x0000000000400000-0x0000000000486000-memory.dmp

    Filesize

    536KB

    Download