Overview

overview

8

Static

static

5

451448eaff...4N.exe

windows7-x64

8

451448eaff...4N.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    118s
  • max time network
    95s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    20-01-2025 08:57

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    451448eaffdd5587f404266c0bae658f061d3b89f26c3ab59170a6c928917cf4N.exe

  • Size

    28KB

  • MD5

    bd1042965381879585e3b38179baa6d0

  • SHA1

    e512404359a32704fe3881035488e8f746584f1f

  • SHA256

    451448eaffdd5587f404266c0bae658f061d3b89f26c3ab59170a6c928917cf4

  • SHA512

    9e11b08ade3d0a488c15862912151847cab8fb7ff08ed9cf5e9dd8940e2a360dcb106144de230937a921c0a52eed1486f4d8fd4637ceea0377e852a481507e6f

  • SSDEEP

    384:2/mPAVyp+6srYYCk2gNPapIuFpOQGR9zos2clAKLHRN74u56/R9zZwu9P:J4quFCk2LXXOQ69zbjlAAX5e9zh

Score
8/10
discoverypersistenceupx

Malware Config

Signatures

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 18 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    persistence
  • Executes dropped EXE 9 IoCs
  • UPX packed file 20 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Drops file in Windows directory 9 IoCs
  • Program crash 9 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious use of WriteProcessMemory 27 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\451448eaffdd5587f404266c0bae658f061d3b89f26c3ab59170a6c928917cf4N.exe
    "C:\Users\Admin\AppData\Local\Temp\451448eaffdd5587f404266c0bae658f061d3b89f26c3ab59170a6c928917cf4N.exe"
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:4672
    • C:\Windows\{2C81EFCE-6069-4536-9816-E85AB1441022}.exe
      C:\Windows\{2C81EFCE-6069-4536-9816-E85AB1441022}.exe
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Executes dropped EXE
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:572
      • C:\Windows\{CB8439E1-9F06-482d-AD88-4FFB1611A5F7}.exe
        C:\Windows\{CB8439E1-9F06-482d-AD88-4FFB1611A5F7}.exe
        3⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:4012
        • C:\Windows\{4E751531-A4E9-4532-927E-177F9030179C}.exe
          C:\Windows\{4E751531-A4E9-4532-927E-177F9030179C}.exe
          4⤵
          • Boot or Logon Autostart Execution: Active Setup
          • Executes dropped EXE
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:1596
          • C:\Windows\{777B328D-A91F-4480-99A5-1215318A2F89}.exe
            C:\Windows\{777B328D-A91F-4480-99A5-1215318A2F89}.exe
            5⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:2844
            • C:\Windows\{FEFBC35C-4045-478b-9417-6034D72EF2F2}.exe
              C:\Windows\{FEFBC35C-4045-478b-9417-6034D72EF2F2}.exe
              6⤵
              • Boot or Logon Autostart Execution: Active Setup
              • Executes dropped EXE
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              • Suspicious use of WriteProcessMemory
              PID:1500
              • C:\Windows\{C1015EE4-3A80-4e14-B412-A6958FAE3EE7}.exe
                C:\Windows\{C1015EE4-3A80-4e14-B412-A6958FAE3EE7}.exe
                7⤵
                • Boot or Logon Autostart Execution: Active Setup
                • Executes dropped EXE
                • Drops file in Windows directory
                • System Location Discovery: System Language Discovery
                • Suspicious use of WriteProcessMemory
                PID:4348
                • C:\Windows\{6772ADE7-7C77-4039-878A-13F728F07E5C}.exe
                  C:\Windows\{6772ADE7-7C77-4039-878A-13F728F07E5C}.exe
                  8⤵
                  • Boot or Logon Autostart Execution: Active Setup
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of WriteProcessMemory
                  PID:2348
                  • C:\Windows\{7237C514-40F5-4ecf-B270-70F836A8B770}.exe
                    C:\Windows\{7237C514-40F5-4ecf-B270-70F836A8B770}.exe
                    9⤵
                    • Boot or Logon Autostart Execution: Active Setup
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of WriteProcessMemory
                    PID:3420
                    • C:\Windows\{CDC5E6EF-A4DE-4196-B6DA-D0E88FECC5A1}.exe
                      C:\Windows\{CDC5E6EF-A4DE-4196-B6DA-D0E88FECC5A1}.exe
                      10⤵
                      • Executes dropped EXE
                      • System Location Discovery: System Language Discovery
                      PID:2416
                    • C:\Windows\SysWOW64\WerFault.exe
                      C:\Windows\SysWOW64\WerFault.exe -u -p 3420 -s 804
                      10⤵
                      • Program crash
                      PID:3120
                  • C:\Windows\SysWOW64\WerFault.exe
                    C:\Windows\SysWOW64\WerFault.exe -u -p 2348 -s 752
                    9⤵
                    • Program crash
                    PID:4572
                • C:\Windows\SysWOW64\WerFault.exe
                  C:\Windows\SysWOW64\WerFault.exe -u -p 4348 -s 780
                  8⤵
                  • Program crash
                  PID:1928
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -u -p 1500 -s 552
                7⤵
                • Program crash
                PID:740
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 2844 -s 772
              6⤵
              • Program crash
              PID:5056
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 1596 -s 796
            5⤵
            • Program crash
            PID:5068
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 4012 -s 788
          4⤵
          • Program crash
          PID:3852
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 572 -s 752
        3⤵
        • Program crash
        PID:4696
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4672 -s 808
      2⤵
      • Program crash
      PID:2012
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4672 -ip 4672
    1⤵
      PID:4184
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 572 -ip 572
      1⤵
        PID:744
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 4012 -ip 4012
        1⤵
          PID:2640
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 1596 -ip 1596
          1⤵
            PID:2368
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 2844 -ip 2844
            1⤵
              PID:1116
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 1500 -ip 1500
              1⤵
                PID:876
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 4348 -ip 4348
                1⤵
                  PID:3156
                • C:\Windows\SysWOW64\WerFault.exe
                  C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 2348 -ip 2348
                  1⤵
                    PID:3380
                  • C:\Windows\SysWOW64\WerFault.exe
                    C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 3420 -ip 3420
                    1⤵
                      PID:2696

                    Network

                    MITRE ATT&CK Enterprise v15

                    Replay Monitor

                    Loading Replay Monitor...

                    Downloads

                    • C:\Windows\{2C81EFCE-6069-4536-9816-E85AB1441022}.exe
                      Filesize

                      28KB

                      MD5

                      0ee9a0aeeff045ba82616d7eeb18a919

                      SHA1

                      39b498d9d8feb2f92d1d0893706b6ebd9e34f78f

                      SHA256

                      75123dc3cd9917981f61baa579f2ea180da4ed1bd55e6dfaa9e8303b7c80421d

                      SHA512

                      0b834efa556dfbbafd58e89385fbdfc77ed6993e8247ea9f827f5b7f9affa8026d462c3dce8977c0e618e11019025fc82bf2347a7d57024cf68df91c6a9af70a

                      Download Submit

                    • C:\Windows\{4E751531-A4E9-4532-927E-177F9030179C}.exe
                      Filesize

                      28KB

                      MD5

                      88e9928ac02f152a2f655807fc9fb085

                      SHA1

                      99fd5f40818eedcc8e81e77eec8442d296a24ea7

                      SHA256

                      1d4536b10ad10f84c0adafd5dd71f0324f37cb27b2dcb083d6e71b6d7dc0b085

                      SHA512

                      96f56a5e434082c17e83bca95bb36ca863ffcbbdfe849c3d496435fefd1090ec24ee305226b7320773e24934363fc4b352bea670c9f4ca97f8ef16c5d44d679a

                      Download Submit

                    • C:\Windows\{6772ADE7-7C77-4039-878A-13F728F07E5C}.exe
                      Filesize

                      28KB

                      MD5

                      0637c8ee509602982772eb48c387bdb6

                      SHA1

                      72c11153b47f2280eaca39ea5fe879a9f35f6c0e

                      SHA256

                      56285fd3aae46c82c58ff00d61c95551305e75fe5a5f71894954d79ccb14caea

                      SHA512

                      1588d52b6f4b556265059da99a774cb4b8adf0c896eab6159c8f5482ced97ba6c84ae337ab9962bfe3d45808137b5a3f14a44bd74d9d6ddde823b4738def8b33

                      Download Submit

                    • C:\Windows\{7237C514-40F5-4ecf-B270-70F836A8B770}.exe
                      Filesize

                      28KB

                      MD5

                      e4fd203b400c049950f573679f2a0f53

                      SHA1

                      c3eb845ea91d81a44c6be4a3652cfc0084ffceac

                      SHA256

                      ce879f39eea92d323aebc393fdb4957b9d88b185f2b91a383b7aa6e7c988ea32

                      SHA512

                      1a6b971885404da5d7d36b0864e0d6af3a4ad4b9afb767eb5ef021fd94e04afedd3d7b9dfa6a4d6164278b659137380e93cd20b06b516981c9d596887b109343

                      Download Submit

                    • C:\Windows\{777B328D-A91F-4480-99A5-1215318A2F89}.exe
                      Filesize

                      28KB

                      MD5

                      d3558d13d94d71d6cf6e4023b24832c1

                      SHA1

                      939e27bdf89fb3aeb29275f8d4ff1fff0b2d3b27

                      SHA256

                      d60f644a7355d72772dbbbc84977cc96b2b7f73875eeb434eef5cf4dbf6e5746

                      SHA512

                      a29bc8adba318f820e8cf729434baab106441af940b873aa9220e1e73bb22a1be21ca4960e8a1d232dd1b8049af898689363e4ca0930f3d23a2e2967ad0c3faf

                      Download Submit

                    • C:\Windows\{C1015EE4-3A80-4e14-B412-A6958FAE3EE7}.exe
                      Filesize

                      28KB

                      MD5

                      06bee34ca7f836ba737279a8e5501ae9

                      SHA1

                      aeadac4ad77e53cdbed5bf99d1ab760c3f00a0f7

                      SHA256

                      539a7fccde366d83c9b9fb5267fccf3dc58f64ba02830c3d7c305e1b16c78998

                      SHA512

                      0b52392f5321e0dc35b77c29acd1d9f88fa54ce74506b7c5784b8f6b5806a4fe6cf3aaa99c8d606dde89b0f6c0bef03e4c5e6f1c1eff7e6889d1a10fa84979bb

                      Download Submit

                    • C:\Windows\{CB8439E1-9F06-482d-AD88-4FFB1611A5F7}.exe
                      Filesize

                      28KB

                      MD5

                      0ccb7ed34378164285f7afb869a173f9

                      SHA1

                      d49bfe2d10da016f1f453053e14d1df95584c440

                      SHA256

                      5524c0cd95d77a76117cc8a09d2571a2897370b8ba4ef2ca41f1a692b4ad6522

                      SHA512

                      c63ac462c0e7caa421c8c95b588c103cd4e025a4e60a04a5421abe88cb6d932a94ac46fccf4a568df9cb40d32261b2102493f69906c68fe16666d39a70178bf6

                      Download Submit

                    • C:\Windows\{CDC5E6EF-A4DE-4196-B6DA-D0E88FECC5A1}.exe
                      Filesize

                      28KB

                      MD5

                      ec14fe5cbb4c0bc830063f3fdb3c6b85

                      SHA1

                      a41336fbf9f286c3d794abd1bcb1c3703c512318

                      SHA256

                      e36dfde2be3341922af0cf5204203730b2bc74cefbf418baefea6d133379e0ba

                      SHA512

                      37f051552d0abe59d170b4d4e13bb57ed53c26c73ce4a99b820469f80a2b8c7d009d11cce1b8e4a2ba9cacf67b1267e7b5c3f1fd3ea75e74b3aa7b7cb4239ad3

                      Download Submit

                    • C:\Windows\{FEFBC35C-4045-478b-9417-6034D72EF2F2}.exe
                      Filesize

                      28KB

                      MD5

                      f8bee0ed82515b26e1e90a2818de92d5

                      SHA1

                      e185b72a71fa09e634db8510dc6c9513175c63b3

                      SHA256

                      e5187f5650c4657f57c863c58a9515e75cafcd2b9f11f06535101883ea02035d

                      SHA512

                      4fc4799168c09a124996147cdf10c54e64efdd70301c53eb177b0b2fac3758d361d95c6ef2dffde8005922193600e64dc20b7047380d21e044682faf0474953c

                      Download Submit

                    • memory/572-12-0x0000000000400000-0x0000000000412000-memory.dmp

                      Filesize

                      72KB

                      Download

                    • memory/1500-36-0x0000000000400000-0x0000000000412000-memory.dmp

                      Filesize

                      72KB

                      Download

                    • memory/1596-24-0x0000000000400000-0x0000000000412000-memory.dmp

                      Filesize

                      72KB

                      Download

                    • memory/2348-48-0x0000000000400000-0x0000000000412000-memory.dmp

                      Filesize

                      72KB

                      Download

                    • memory/2844-30-0x0000000000400000-0x0000000000412000-memory.dmp

                      Filesize

                      72KB

                      Download

                    • memory/3420-54-0x0000000000400000-0x0000000000412000-memory.dmp

                      Filesize

                      72KB

                      Download

                    • memory/4012-18-0x0000000000400000-0x0000000000412000-memory.dmp

                      Filesize

                      72KB

                      Download

                    • memory/4348-42-0x0000000000400000-0x0000000000412000-memory.dmp

                      Filesize

                      72KB

                      Download

                    • memory/4672-0-0x0000000000400000-0x0000000000412000-memory.dmp

                      Filesize

                      72KB

                      Download

                    • memory/4672-6-0x0000000000400000-0x0000000000412000-memory.dmp

                      Filesize

                      72KB

                      Download

                    • memory/4672-1-0x0000000000400000-0x0000000000412000-memory.dmp

                      Filesize

                      72KB

                      Download