1cb4c10677c85913e9aa8ed784055dc00c4c1c9e569fdb8130e1356e52915faa

Analysis

max time kernel
139s
max time network
144s
platform
windows7_x64
resource
win7
submitted
14/09/2020, 16:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

zupal32.bin.exe
Size

5.2MB
MD5

3ab9af930facd4f8d7e0d49bf7077034
SHA1

00d53122b01f8939369f90e8ecb4b560b4d5e4a2
SHA256

ade0d7fbdcb34d7cbd220beb9c3c2484f7ce05c11043bd5ed64df239f5039ba7
SHA512

376ed0d9bc696d6f1a10e2cb67f170870aff32aa6e3e4f6b5a5f4da85116afaa6b2e7b5e6652ca8361524ebf55effe7394bc888d674afc3d99b7745476129633

Score

1^/10

Malware Config

Signatures

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
1696	Systeminfo.exe

GoLang User-Agent 1 IoCs

Uses default user-agent string defined by GoLang HTTP packages.

description	flow	ioc
HTTP User-Agent header	5	Go-http-client/1.1

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1316 wrote to memory of 1696	1316	zupal32.bin.exe	25
PID 1316 wrote to memory of 1696	1316	zupal32.bin.exe	25
PID 1316 wrote to memory of 1696	1316	zupal32.bin.exe	25
PID 1316 wrote to memory of 1696	1316	zupal32.bin.exe	25

C:\Users\Admin\AppData\Local\Temp\zupal32.bin.exe
"C:\Users\Admin\AppData\Local\Temp\zupal32.bin.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1316
- C:\Windows\SysWOW64\Systeminfo.exe
  Systeminfo
  2⤵
  - Gathers system information
  PID:1696

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1316-0-0x0000000000400000-0x0000000000957000-memory.dmp

Filesize
5.3MB

Download