Overview

overview

8

Static

static

5

70bdf2285b...b9.exe

windows7-x64

8

70bdf2285b...b9.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    119s
  • max time network
    16s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    11-01-2025 06:46

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    70bdf2285b80ba0a78fc701d79543b6d4bbafc329a5aa3ac903673b2bc56cfb9.exe

  • Size

    28KB

  • MD5

    f284ea6cbc01384673733702d26540ce

  • SHA1

    19534d5826f0bed9844d7236cde79bae54b59caa

  • SHA256

    70bdf2285b80ba0a78fc701d79543b6d4bbafc329a5aa3ac903673b2bc56cfb9

  • SHA512

    13358b816cb883680af765ad1e1f7f6baa1356c40395d9a11dfd8a610171bbe3aeb52790f8c66277b5ee798746fe28984d7ecac86c621952d3e39c0295387283

  • SSDEEP

    384:2/mPAVyp+6srYYCk2gNPapIyFpOQGR9zos2clAKLHRN74u56/R9zZwu91:J4quFCk2LXXOQ69zbjlAAX5e9z7

Score
8/10
discoverypersistenceupx

Malware Config

Signatures

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 12 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    persistence
  • Executes dropped EXE 6 IoCs
  • UPX packed file 16 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Drops file in Windows directory 6 IoCs
  • Program crash 6 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious use of WriteProcessMemory 48 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\70bdf2285b80ba0a78fc701d79543b6d4bbafc329a5aa3ac903673b2bc56cfb9.exe
    "C:\Users\Admin\AppData\Local\Temp\70bdf2285b80ba0a78fc701d79543b6d4bbafc329a5aa3ac903673b2bc56cfb9.exe"
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2900
    • C:\Windows\{38455CD0-E3AC-4856-91A3-1A8F4213E5E4}.exe
      C:\Windows\{38455CD0-E3AC-4856-91A3-1A8F4213E5E4}.exe
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Executes dropped EXE
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2328
      • C:\Windows\{74777BA8-D93F-4965-BC6E-4A13A79877FB}.exe
        C:\Windows\{74777BA8-D93F-4965-BC6E-4A13A79877FB}.exe
        3⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:780
        • C:\Windows\{8E2B681B-A481-4772-A6F7-E3A532A04871}.exe
          C:\Windows\{8E2B681B-A481-4772-A6F7-E3A532A04871}.exe
          4⤵
          • Boot or Logon Autostart Execution: Active Setup
          • Executes dropped EXE
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2108
          • C:\Windows\{D8E3A2F9-A9B2-42f4-8DCE-838E9C69E646}.exe
            C:\Windows\{D8E3A2F9-A9B2-42f4-8DCE-838E9C69E646}.exe
            5⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:2940
            • C:\Windows\{4CEF416F-9C0C-4bc4-8F9A-C6FBD2415E8B}.exe
              C:\Windows\{4CEF416F-9C0C-4bc4-8F9A-C6FBD2415E8B}.exe
              6⤵
              • Boot or Logon Autostart Execution: Active Setup
              • Executes dropped EXE
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              • Suspicious use of WriteProcessMemory
              PID:884
              • C:\Windows\{42EDF496-7B76-41b9-B48E-4F8A42FF46E8}.exe
                C:\Windows\{42EDF496-7B76-41b9-B48E-4F8A42FF46E8}.exe
                7⤵
                • Executes dropped EXE
                • System Location Discovery: System Language Discovery
                PID:2216
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -u -p 884 -s 252
                7⤵
                • Program crash
                PID:2304
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 2940 -s 252
              6⤵
              • Program crash
              PID:1296
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 2108 -s 252
            5⤵
            • Program crash
            PID:2104
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 780 -s 252
          4⤵
          • Program crash
          PID:1204
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 2328 -s 252
        3⤵
        • Program crash
        PID:696
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2900 -s 252
      2⤵
      • Program crash
      PID:2644

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\{38455CD0-E3AC-4856-91A3-1A8F4213E5E4}.exe
    Filesize

    28KB

    MD5

    ea9e18c94879710d2ff1db79fd2d57dc

    SHA1

    1579c280e1684ca97e3b33b209aae5636e58b2c8

    SHA256

    c917f9c67e546458d49ea7c801ea2b71308211e8962c09d7ffd6b8bd3826d1e3

    SHA512

    8f981b66e49b14ac854b7e78b567fd09c043bc2febfe6dc68448ed0b346cb6027204b8179b351cbb8d01280f71d65f673a70a308877740083f2260c14a924cf0

    Download Submit

  • C:\Windows\{42EDF496-7B76-41b9-B48E-4F8A42FF46E8}.exe
    Filesize

    28KB

    MD5

    faed142b7f50023000a6f005d319b7b3

    SHA1

    88f8beec434486b6939f5aa5f0af1665db9d987a

    SHA256

    95b6b24dfbb2678f79bb83e5c176ba30a7c327baf27dc98a4f8c90d6953735da

    SHA512

    20ec1109adc886fdf8ee48d9e649f3304be09cdba845945edb89b5343af1b0cd25e6223c43af8ec94ce7b97cd48ed77153d68346a0fd3a69bcf547639fa4e14b

    Download Submit

  • C:\Windows\{4CEF416F-9C0C-4bc4-8F9A-C6FBD2415E8B}.exe
    Filesize

    28KB

    MD5

    1416b281a58308466ebfc067af344d0a

    SHA1

    3a4ac11b61d4cc2dea75337d18b891a73d6df1a9

    SHA256

    22f2c7c8c3df056cdf72f16717f0ca43504321179f5455ad83cbc12993a08237

    SHA512

    3ca71baf19d4cc4b1ab009b48025e6ea2cb7a2adfd0f086cacb829eb011a6043ee8fbb1300a6e9521682c8845530d6bc7c0232172c89690244de967a50f28918

    Download Submit

  • C:\Windows\{74777BA8-D93F-4965-BC6E-4A13A79877FB}.exe
    Filesize

    28KB

    MD5

    4732cef595427b79411f4336b34d3042

    SHA1

    b3bc9bb545f43972941efcef945f86a691562913

    SHA256

    11f75327a63773f1e24c0b7376e79b398cd4c22a37efb40e02829da1f242d1f4

    SHA512

    7f74b61259916d0146d506e23842c57dd3a4ce55dce290cd9aafd765e24dabe894499e641148c370f557776a0a93e9d5a298728773c4d9688b3a376be7205f91

    Download Submit

  • C:\Windows\{8E2B681B-A481-4772-A6F7-E3A532A04871}.exe
    Filesize

    28KB

    MD5

    4419c75fd9308d917848da0c2a85e159

    SHA1

    4d5bde11f0c982c9f2a91516df689f8639bcb971

    SHA256

    49172519d6e6c3bbb55abfb95a10c5e49c4f41dca79dc278e59b9c548cffa01a

    SHA512

    c92ef4476fc6d585e72a387b5c1e76ae757b9a46a40a57502787180bf896023e94747a97a4bd2367a9f9048e512676f43ede1f07bfbee8fb0da205fecac0e231

    Download Submit

  • C:\Windows\{D8E3A2F9-A9B2-42f4-8DCE-838E9C69E646}.exe
    Filesize

    28KB

    MD5

    567edef012f98a45273f70156e51105d

    SHA1

    ab974fe3eb2ca4a8bc7798d857f14fef7c96e68d

    SHA256

    38f018985320c3d3e55aa247f195c4075de15f7030ad1a8ae08ba305d73ecba2

    SHA512

    68fc8f6db6696758313737c5fb8c5bc0d2781918d8691743cc26af77fc3c2d69e5ce6b2e14d3f80f2e2e1b663bdd42c7c1578a9ef39076221be42998c42c8167

    Download Submit

  • memory/780-29-0x0000000000290000-0x00000000002A2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/780-19-0x0000000000400000-0x0000000000412000-memory.dmp

    Filesize

    72KB

    Download

  • memory/780-32-0x0000000000400000-0x0000000000412000-memory.dmp

    Filesize

    72KB

    Download

  • memory/884-63-0x0000000000400000-0x0000000000412000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2108-43-0x0000000000400000-0x0000000000412000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2108-31-0x0000000000400000-0x0000000000412000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2108-42-0x00000000002B0000-0x00000000002C2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2328-20-0x0000000000400000-0x0000000000412000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2328-17-0x0000000000300000-0x0000000000312000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2900-9-0x0000000000400000-0x0000000000412000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2900-7-0x0000000000320000-0x0000000000332000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2900-1-0x0000000000400000-0x0000000000412000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2900-0-0x0000000000400000-0x0000000000412000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2940-53-0x0000000000400000-0x0000000000412000-memory.dmp

    Filesize

    72KB

    Download