Analysis
-
max time kernel
71s -
max time network
146s -
platform
windows10_x64 -
resource
win10v200722 -
submitted
28-09-2020 06:18
General
-
Target
ezmvVCJt.exe
-
Size
276KB
-
MD5
0ee2f7d6a851faf44bf235186be91a19
-
SHA1
83ebbf632e25dbe69b060d190a42a5125ffe3902
-
SHA256
b64c40843b011d715c431b761680e8565383ac702f5ed80492fb30bd6aa33929
-
SHA512
4450f9169419cd502df259bd32c9e37a793db17d731d206e71ff61065cb0277917874bb7196672e6e5cab0d7ee1ee1103b018ae5e2e0ac917ecfd807db18368a
Malware Config
Signatures
-
Adds policy Run key to start application 2 TTPs 20 IoCs
-
Executes dropped EXE 5 IoCs
-
Modifies Installed Components in the registry 2 TTPs
-
UPX packed file 10 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Drops file in System32 directory 8 IoCs
-
Suspicious behavior: EnumeratesProcesses 8 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of WriteProcessMemory 946 IoCs
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Users\Admin\AppData\Local\Temp\ezmvVCJt.exe"C:\Users\Admin\AppData\Local\Temp\ezmvVCJt.exe"2⤵
- Adds policy Run key to start application
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe3⤵
- Adds policy Run key to start application
-
C:\Windows\SysWOW64\install\server.exe"C:\Windows\system32\install\server.exe"4⤵
- Adds policy Run key to start application
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"5⤵
-
-
C:\Windows\SysWOW64\install\server.exe"C:\Windows\SysWOW64\install\server.exe"5⤵
- Executes dropped EXE
-
-
-
C:\Windows\SysWOW64\install\server.exe"C:\Windows\system32\install\server.exe"4⤵
- Adds policy Run key to start application
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"5⤵
-
-
C:\Windows\SysWOW64\install\server.exe"C:\Windows\SysWOW64\install\server.exe"5⤵
- Executes dropped EXE
-
-
-
C:\Windows\SysWOW64\install\server.exe"C:\Windows\system32\install\server.exe"4⤵
- Adds policy Run key to start application
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
-
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"3⤵
-
-
C:\Users\Admin\AppData\Local\Temp\ezmvVCJt.exe"C:\Users\Admin\AppData\Local\Temp\ezmvVCJt.exe"3⤵
-
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
MD5
29b6760eef1d20129c0d6acc40debe58
SHA1d86a470b9bead900ce444fd6b2a21d2616659d4b
SHA2560b921f97b45f298e80e824256af4a1f51955af281ceb4e9a9a241692106672c3
SHA51286744029ebc904385da8bcc8409e4bcb1d3055b049e1525b8bbefafd8b998fba767c50aa11665ef4e768bc5b3b8c2d5c53262aac68290a1371b277d3194913db
-
MD5
29b6760eef1d20129c0d6acc40debe58
SHA1d86a470b9bead900ce444fd6b2a21d2616659d4b
SHA2560b921f97b45f298e80e824256af4a1f51955af281ceb4e9a9a241692106672c3
SHA51286744029ebc904385da8bcc8409e4bcb1d3055b049e1525b8bbefafd8b998fba767c50aa11665ef4e768bc5b3b8c2d5c53262aac68290a1371b277d3194913db
-
MD5
eb1d6b8ed9e5e52ca66e8c42fffceb3b
SHA158c8a88b46f06272d164c16c54c251b506da9c6f
SHA256522a33d3491671409a571f49524c48679e256b7dff7039f0c524466567008ea9
SHA512d573eab790ce19432cb9ab4b146d5c3b62ad877015032e24f1cb3b651f3891aa66d44536cf2db674f8797610b71442b55935d0af415ffc65e160cca6cf940a7c
-
MD5
0ee2f7d6a851faf44bf235186be91a19
SHA183ebbf632e25dbe69b060d190a42a5125ffe3902
SHA256b64c40843b011d715c431b761680e8565383ac702f5ed80492fb30bd6aa33929
SHA5124450f9169419cd502df259bd32c9e37a793db17d731d206e71ff61065cb0277917874bb7196672e6e5cab0d7ee1ee1103b018ae5e2e0ac917ecfd807db18368a
-
MD5
0ee2f7d6a851faf44bf235186be91a19
SHA183ebbf632e25dbe69b060d190a42a5125ffe3902
SHA256b64c40843b011d715c431b761680e8565383ac702f5ed80492fb30bd6aa33929
SHA5124450f9169419cd502df259bd32c9e37a793db17d731d206e71ff61065cb0277917874bb7196672e6e5cab0d7ee1ee1103b018ae5e2e0ac917ecfd807db18368a
-
MD5
0ee2f7d6a851faf44bf235186be91a19
SHA183ebbf632e25dbe69b060d190a42a5125ffe3902
SHA256b64c40843b011d715c431b761680e8565383ac702f5ed80492fb30bd6aa33929
SHA5124450f9169419cd502df259bd32c9e37a793db17d731d206e71ff61065cb0277917874bb7196672e6e5cab0d7ee1ee1103b018ae5e2e0ac917ecfd807db18368a
-
MD5
0ee2f7d6a851faf44bf235186be91a19
SHA183ebbf632e25dbe69b060d190a42a5125ffe3902
SHA256b64c40843b011d715c431b761680e8565383ac702f5ed80492fb30bd6aa33929
SHA5124450f9169419cd502df259bd32c9e37a793db17d731d206e71ff61065cb0277917874bb7196672e6e5cab0d7ee1ee1103b018ae5e2e0ac917ecfd807db18368a
-
MD5
0ee2f7d6a851faf44bf235186be91a19
SHA183ebbf632e25dbe69b060d190a42a5125ffe3902
SHA256b64c40843b011d715c431b761680e8565383ac702f5ed80492fb30bd6aa33929
SHA5124450f9169419cd502df259bd32c9e37a793db17d731d206e71ff61065cb0277917874bb7196672e6e5cab0d7ee1ee1103b018ae5e2e0ac917ecfd807db18368a
-
MD5
0ee2f7d6a851faf44bf235186be91a19
SHA183ebbf632e25dbe69b060d190a42a5125ffe3902
SHA256b64c40843b011d715c431b761680e8565383ac702f5ed80492fb30bd6aa33929
SHA5124450f9169419cd502df259bd32c9e37a793db17d731d206e71ff61065cb0277917874bb7196672e6e5cab0d7ee1ee1103b018ae5e2e0ac917ecfd807db18368a
-
MD5
0ee2f7d6a851faf44bf235186be91a19
SHA183ebbf632e25dbe69b060d190a42a5125ffe3902
SHA256b64c40843b011d715c431b761680e8565383ac702f5ed80492fb30bd6aa33929
SHA5124450f9169419cd502df259bd32c9e37a793db17d731d206e71ff61065cb0277917874bb7196672e6e5cab0d7ee1ee1103b018ae5e2e0ac917ecfd807db18368a
-
Filesize
392KB
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
Filesize
392KB
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
Filesize
392KB
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
Filesize
4KB
-
-
-
-
Filesize
4KB
-
Filesize
4KB
-
-