Analysis

  • max time kernel
    147s
  • max time network
    131s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    13-12-2024 21:25

General

  • Target

    The-MALWARE-Repo-master/Worm/Heap41A.exe

  • Size

    451KB

  • MD5

    4f30003916cc70fca3ce6ec3f0ff1429

  • SHA1

    7a12afdc041a03da58971a0f7637252ace834353

  • SHA256

    746153871f816ece357589b2351818e449b1beecfb21eb75a3305899ce9ae37c

  • SHA512

    e679a0f4b7292aedc9cd3a33cf150312ea0b1d712dd8ae8b719dedf92cc230330862f395e4f8da21c37d55a613d82a07d28b7fe6b5db6009ba8a30396caa5029

  • SSDEEP

    12288:gr3ZBIRB4heEAiRsdUaaSV2qmw0iOanTrA:8ZB2B4hlIMSIqDrA

Malware Config

Signatures

  • Adds policy Run key to start application 2 TTPs 3 IoCs
  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 18 IoCs
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops autorun.inf file 1 TTPs 2 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • UPX packed file 37 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\The-MALWARE-Repo-master\Worm\Heap41A.exe
    "C:\Users\Admin\AppData\Local\Temp\The-MALWARE-Repo-master\Worm\Heap41A.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1448
    • C:\Users\Admin\AppData\Local\Temp\MicrosoftPowerPoint\svchost.exe
      "C:\Users\Admin\AppData\Local\Temp\MicrosoftPowerPoint\svchost.exe" MicrosoftPowerPoint\install.txt
      2⤵
      • Adds policy Run key to start application
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops autorun.inf file
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2708
      • C:\heap41a\svchost.exe
        C:\heap41a\svchost.exe C:\heap41a\std.txt
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:1744
        • C:\heap41a\svchost.exe
          C:\heap41a\svchost.exe C:\heap41a\script1.txt
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: GetForegroundWindowSpam
          PID:3028
        • C:\heap41a\svchost.exe
          C:\heap41a\svchost.exe C:\heap41a\reproduce.txt
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Enumerates connected drives
          • System Location Discovery: System Language Discovery
          PID:848

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\MicrosoftPowerPoint\2.mp3

    Filesize

    55KB

    MD5

    996867ee0cfd71ede0cda93e57789c75

    SHA1

    15abbe1362ca9ae1889ea56d3ea07f793ee76665

    SHA256

    c3d83fa6b168c9c53b7f9f4324be6f8053e47047e63199c05665a6bad5a587ed

    SHA512

    e4c3505e9f3c3f4469c858f08e612982e0a24b05b0c3e5aee5c63cd028b48f232c4e7470be50f3443f80b09aa74f2f9e59fc78fd8aba52777a1811033fb6cf00

  • C:\Users\Admin\AppData\Local\Temp\MicrosoftPowerPoint\Icon.ico

    Filesize

    318B

    MD5

    e4231534c2813fda3a98d6d6b5b8b3b5

    SHA1

    c22ac56a296756120228cfe77fcc17b9000934c9

    SHA256

    143c93447046030853857088e31ee6c121d63fdfd03f10d36dfdcf6f0634ba43

    SHA512

    59aa526796c7e1de9bf2074fecae7b7520f34fd0f523bbb4c1f111b1b289f0a5bb7b94dc73fd8fec6187076c10d87a56273a09c79c718e388fcbaf5f0dd676cd

  • C:\Users\Admin\AppData\Local\Temp\MicrosoftPowerPoint\Install.txt

    Filesize

    8KB

    MD5

    c0f4dbba918d1c7507f21463c422f29e

    SHA1

    daf5a4e8b449dddd98cfa54c75098c150576a8f6

    SHA256

    4fb1eb0cab27dba73bb042ddfbe470e7c75da6a126d934c3a5650959a7afc849

    SHA512

    fd50f5a631f394fb3d8220c1af4dcc79f66814c56727e3d845fe02ff8dc320927d430177b826f29cff49b55446a52e11be208de76a3f78d02e6b217906c7464a

  • C:\Users\Admin\AppData\Local\Temp\MicrosoftPowerPoint\drivelist.txt

    Filesize

    72B

    MD5

    343c6f5dcbc9f70509a2659b6dcca34e

    SHA1

    573ce994df7f433ba8d897a03b8beebc1a1e80b7

    SHA256

    375c1af6f2d1fec8595df303bced33d9f80da01fea7d4968e24ef64dfccf78bd

    SHA512

    4b92a1a45c2f1d00eaa58feda3a0de94d91727824c5ec5472f0eb4ba0ee8edfcae8f05b01bacba5263e870f79e5737137f75434e009260d53853b7f86f94ba4e

  • C:\Users\Admin\AppData\Local\Temp\MicrosoftPowerPoint\pathList.txt

    Filesize

    52B

    MD5

    0508bce1cc472b6b9e899a51e6d16a67

    SHA1

    bfeecf6312f868157503c5a9acf31ccc656e9229

    SHA256

    7786563108861b5f45b09745fca9d139f1a8d2db29d63f4a2db67e90096baed5

    SHA512

    6c5bceada4ce2f612d6b887a6ecb082ba6ac3b2e0f42fab77a7c23e297f2d1fe9fbed1b5da6d974229dcce8091be720ce8345b9ee737149ab41dae196d626634

  • C:\Users\Admin\AppData\Local\Temp\MicrosoftPowerPoint\svchost.exe

    Filesize

    233KB

    MD5

    155e389a330dd7d7e1b274b8e46cdda7

    SHA1

    6445697a6db02e1a0e76efe69a3c87959ce2a0d8

    SHA256

    6390a4374f8d00c8dd4247e271137b2fa6259e0678b7b8bd29ce957058fd8f05

    SHA512

    df8d78cf27e4a384371f755e6d0d7333c736067aeeb619e44cbc5d88381bdcbc09a9b8eeb8aafb764fc1aaf39680e387b3bca73021c6af5452c0b2e03f0e8091

  • C:\heap41a\reproduce.txt

    Filesize

    834B

    MD5

    4caff3a1fff3c9a4184dc586cf232265

    SHA1

    95603f1d5febc408dd421b96f8cc7d65b617d073

    SHA256

    dbc040d5f5261175089971582de1761569f6e1bd1f5dfc14cb4d7810cf192d6b

    SHA512

    dab3dbf898e8acb3e55c4411363f807be9ff67c20ef44c8d1505de689f8ba66e4beb7c57ee2fb0e04db1fb89b810beda6e854cd6063c84821f7ca827266ee95b

  • C:\heap41a\script1.txt

    Filesize

    3KB

    MD5

    83dcab5f77dbe3c6309957368da10d79

    SHA1

    44f588cbe597aae47aea2a4c14389d363269f418

    SHA256

    82ee86007227f285a1a1827d076c0abfeceb6fcc29960a9972114744fb37e0cd

    SHA512

    16fc76355027d45e416856bbc2d510acec15a7043f071d97f0c4cbf5752c01360962c31d28a3baff94adc81b4dbce71c15d33ccfa9f987a1df5c7b2e3ef1e034

  • C:\heap41a\std.txt

    Filesize

    439B

    MD5

    ae294ea720e7714ba05305b1eb2c371c

    SHA1

    f491b0abd1e180438a63890fdfbfc22f24e7be39

    SHA256

    ccc6e118a00a915962f2944dbc24dd9dd190e1a05923569f8b7c270d0195c9dd

    SHA512

    dca8c2564c8ee7e08755043a267492ca9a09e0c276bea4b2849905156c449edd31913b9b1ebd5005bda504d96afd873a59aafbef25d2b2e99cf295d7cc2f879d
