Overview

overview

8

Static

static

8

ezmvVCJt.exe

windows7_x64

8

ezmvVCJt.exe

windows10_x64

8

Analysis

  • max time kernel
    71s
  • max time network
    146s
  • platform
    windows10_x64
  • resource
    win10v200722
  • submitted
    28-09-2020 06:18

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ezmvVCJt.exe

  • Size

    276KB

  • MD5

    0ee2f7d6a851faf44bf235186be91a19

  • SHA1

    83ebbf632e25dbe69b060d190a42a5125ffe3902

  • SHA256

    b64c40843b011d715c431b761680e8565383ac702f5ed80492fb30bd6aa33929

  • SHA512

    4450f9169419cd502df259bd32c9e37a793db17d731d206e71ff61065cb0277917874bb7196672e6e5cab0d7ee1ee1103b018ae5e2e0ac917ecfd807db18368a

Score
8/10
persistenceupx

Malware Config

Signatures

  • Adds policy Run key to start application 2 TTPs 20 IoCs
    persistence
  • Executes dropped EXE 5 IoCs
  • Modifies Installed Components in the registry 2 TTPs
    persistence
  • UPX packed file 10 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Drops file in System32 directory 8 IoCs
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 946 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:2968
      • C:\Users\Admin\AppData\Local\Temp\ezmvVCJt.exe
        "C:\Users\Admin\AppData\Local\Temp\ezmvVCJt.exe"
        2⤵
        • Adds policy Run key to start application
        • Drops file in System32 directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of WriteProcessMemory
        PID:732
        • C:\Windows\SysWOW64\explorer.exe
          explorer.exe
          3⤵
          • Adds policy Run key to start application
          PID:3920
          • C:\Windows\SysWOW64\install\server.exe
            "C:\Windows\system32\install\server.exe"
            4⤵
            • Adds policy Run key to start application
            • Executes dropped EXE
            • Drops file in System32 directory
            • Suspicious behavior: EnumeratesProcesses
            PID:2952
            • C:\Program Files\Internet Explorer\iexplore.exe
              "C:\Program Files\Internet Explorer\iexplore.exe"
              5⤵
                PID:3332
              • C:\Windows\SysWOW64\install\server.exe
                "C:\Windows\SysWOW64\install\server.exe"
                5⤵
                • Executes dropped EXE
                PID:3824
            • C:\Windows\SysWOW64\install\server.exe
              "C:\Windows\system32\install\server.exe"
              4⤵
              • Adds policy Run key to start application
              • Executes dropped EXE
              • Drops file in System32 directory
              • Suspicious behavior: EnumeratesProcesses
              PID:1072
              • C:\Program Files\Internet Explorer\iexplore.exe
                "C:\Program Files\Internet Explorer\iexplore.exe"
                5⤵
                  PID:1576
                • C:\Windows\SysWOW64\install\server.exe
                  "C:\Windows\SysWOW64\install\server.exe"
                  5⤵
                  • Executes dropped EXE
                  PID:3776
              • C:\Windows\SysWOW64\install\server.exe
                "C:\Windows\system32\install\server.exe"
                4⤵
                • Adds policy Run key to start application
                • Executes dropped EXE
                • Drops file in System32 directory
                • Suspicious behavior: EnumeratesProcesses
                PID:1588
            • C:\Program Files\Internet Explorer\iexplore.exe
              "C:\Program Files\Internet Explorer\iexplore.exe"
              3⤵
                PID:2252
              • C:\Users\Admin\AppData\Local\Temp\ezmvVCJt.exe
                "C:\Users\Admin\AppData\Local\Temp\ezmvVCJt.exe"
                3⤵
                  PID:2080

            Network

            MITRE ATT&CK Enterprise v6

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • memory/732-0-0x0000000024010000-0x0000000024072000-memory.dmp

              Filesize

              392KB

              Download

            • memory/2080-238-0x0000000024160000-0x00000000241C2000-memory.dmp

              Filesize

              392KB

              Download

            • memory/3920-78-0x0000000024080000-0x00000000240E2000-memory.dmp

              Filesize

              392KB

              Download

            • memory/3920-4-0x00000000035A0000-0x00000000035A1000-memory.dmp

              Filesize

              4KB

              Download

            • memory/3920-2-0x00000000034E0000-0x00000000034E1000-memory.dmp

              Filesize

              4KB

              Download

            • memory/3920-76-0x0000000005E60000-0x0000000005E61000-memory.dmp

              Filesize

              4KB

              Download