e64b88e64954b01b43964a3913adab7f0b6e1605492da920e1ad300a7158c423

Analysis

max time kernel
149s
max time network
151s
platform
windows10_x64
resource
win10v20201028
submitted
30-10-2020 17:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Ez Dork Gen DELUXE.exe
Size

1.2MB
MD5

89fffdc32e34b6239d4dcc7ddd8f8fc2
SHA1

a33a1787b8a8768c421ba454b266925128f37818
SHA256

e64b88e64954b01b43964a3913adab7f0b6e1605492da920e1ad300a7158c423
SHA512

ed7fd226cd2e0eabcbc16408d996a84e16d8ed03f97833c56c9939db2512e115806e8027dfd67323b72af3b9058a08c9efee3f9f3b44cc888c348e379c00e40c

Score

8^/10

discovery evasion persistence

Malware Config

Signatures

Executes dropped EXE 7 IoCs

Processes:

TempSetup.exe~Ez_Dork_Gen_DELUXE.exeSetup.exesvchost.exesvchost.exeexplorer.exeexplorer.exe

pid process

2732 TempSetup.exe
2792 ~Ez_Dork_Gen_DELUXE.exe
3124 Setup.exe
1436 svchost.exe
1320 svchost.exe
1872 explorer.exe
2844 explorer.exe
Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031

pid	process
2732	TempSetup.exe
2792	~Ez_Dork_Gen_DELUXE.exe
3124	Setup.exe
1436	svchost.exe
1320	svchost.exe
1872	explorer.exe
2844	explorer.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

explorer.exeSetup.exesvchost.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run\Intel(R) Common Manager Security = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\explorer.exe\" .."	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Intel(R) Common Manager Security = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\explorer.exe\" .."	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run\Intel(R) Common Networking System = "C:\\Users\\Admin\\AppData\\Roaming\\Intel Corporation\\Intel(R) Common User Interface\\8.1.1.7900\\svchost.exe"	Setup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run\Intel(R) Common User Networking = "C:\\Users\\Admin\\AppData\\Roaming\\Intel Corporation\\Intel(R) Common User Interface\\8.1.1.7900\\explorer.exe"	svchost.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Drops desktop.ini file(s) 2 IoCs

Processes:

Setup.exe

description ioc process

File created C:\Windows\assembly\Desktop.ini Setup.exe
File opened for modification C:\Windows\assembly\Desktop.ini Setup.exe

description	ioc	process
File created	C:\Windows\assembly\Desktop.ini	Setup.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	Setup.exe

Drops file in Windows directory 3 IoCs

Processes:

Setup.exe

description	ioc	process
File opened for modification	C:\Windows\assembly	Setup.exe
File created	C:\Windows\assembly\Desktop.ini	Setup.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	Setup.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

explorer.exe

pid	process
2844	explorer.exe
2844	explorer.exe
2844	explorer.exe
2844	explorer.exe
2844	explorer.exe
2844	explorer.exe
2844	explorer.exe
2844	explorer.exe
2844	explorer.exe
2844	explorer.exe
2844	explorer.exe
2844	explorer.exe

Suspicious use of AdjustPrivilegeToken 27 IoCs

Processes:

explorer.exe

description	pid	process
Token: SeDebugPrivilege	2844	explorer.exe
Token: 33	2844	explorer.exe
Token: SeIncBasePriorityPrivilege	2844	explorer.exe
Token: 33	2844	explorer.exe
Token: SeIncBasePriorityPrivilege	2844	explorer.exe
Token: 33	2844	explorer.exe
Token: SeIncBasePriorityPrivilege	2844	explorer.exe
Token: 33	2844	explorer.exe
Token: SeIncBasePriorityPrivilege	2844	explorer.exe
Token: 33	2844	explorer.exe
Token: SeIncBasePriorityPrivilege	2844	explorer.exe
Token: 33	2844	explorer.exe
Token: SeIncBasePriorityPrivilege	2844	explorer.exe
Token: 33	2844	explorer.exe
Token: SeIncBasePriorityPrivilege	2844	explorer.exe
Token: 33	2844	explorer.exe
Token: SeIncBasePriorityPrivilege	2844	explorer.exe
Token: 33	2844	explorer.exe
Token: SeIncBasePriorityPrivilege	2844	explorer.exe
Token: 33	2844	explorer.exe
Token: SeIncBasePriorityPrivilege	2844	explorer.exe
Token: 33	2844	explorer.exe
Token: SeIncBasePriorityPrivilege	2844	explorer.exe
Token: 33	2844	explorer.exe
Token: SeIncBasePriorityPrivilege	2844	explorer.exe
Token: 33	2844	explorer.exe
Token: SeIncBasePriorityPrivilege	2844	explorer.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

Ez Dork Gen DELUXE.exeTempSetup.exeSetup.exesvchost.exesvchost.exeexplorer.exeexplorer.exe

description	pid	process	target process
PID 648 wrote to memory of 2732	648	Ez Dork Gen DELUXE.exe	TempSetup.exe
PID 648 wrote to memory of 2732	648	Ez Dork Gen DELUXE.exe	TempSetup.exe
PID 648 wrote to memory of 2732	648	Ez Dork Gen DELUXE.exe	TempSetup.exe
PID 648 wrote to memory of 2792	648	Ez Dork Gen DELUXE.exe	~Ez_Dork_Gen_DELUXE.exe
PID 648 wrote to memory of 2792	648	Ez Dork Gen DELUXE.exe	~Ez_Dork_Gen_DELUXE.exe
PID 2732 wrote to memory of 3124	2732	TempSetup.exe	Setup.exe
PID 2732 wrote to memory of 3124	2732	TempSetup.exe	Setup.exe
PID 3124 wrote to memory of 1436	3124	Setup.exe	svchost.exe
PID 3124 wrote to memory of 1436	3124	Setup.exe	svchost.exe
PID 3124 wrote to memory of 1436	3124	Setup.exe	svchost.exe
PID 1436 wrote to memory of 1320	1436	svchost.exe	svchost.exe
PID 1436 wrote to memory of 1320	1436	svchost.exe	svchost.exe
PID 1320 wrote to memory of 1872	1320	svchost.exe	explorer.exe
PID 1320 wrote to memory of 1872	1320	svchost.exe	explorer.exe
PID 1872 wrote to memory of 2844	1872	explorer.exe	explorer.exe
PID 1872 wrote to memory of 2844	1872	explorer.exe	explorer.exe
PID 2844 wrote to memory of 1440	2844	explorer.exe	netsh.exe
PID 2844 wrote to memory of 1440	2844	explorer.exe	netsh.exe

C:\Users\Admin\AppData\Local\Temp\Ez Dork Gen DELUXE.exe
"C:\Users\Admin\AppData\Local\Temp\Ez Dork Gen DELUXE.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:648

C:\Users\Admin\AppData\Local\TempSetup.exe
"C:\Users\Admin\AppData\Local\TempSetup.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2732

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\8.1.7601.17587\Setup.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\8.1.7601.17587\Setup.exe"
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops desktop.ini file(s)
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:3124

C:\Users\Admin\AppData\Roaming\Intel Corporation\Intel(R) Common User Interface\8.1.1.7900\svchost.exe
"C:\Users\Admin\AppData\Roaming\Intel Corporation\Intel(R) Common User Interface\8.1.1.7900\svchost.exe"
4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1436

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\8.1.7601.17587\svchost.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\8.1.7601.17587\svchost.exe"
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1320

C:\Users\Admin\AppData\Roaming\Intel Corporation\Intel(R) Common User Interface\8.1.1.7900\explorer.exe
"C:\Users\Admin\AppData\Roaming\Intel Corporation\Intel(R) Common User Interface\8.1.1.7900\explorer.exe"
6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1872

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\explorer.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\explorer.exe"
7⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2844

C:\Windows\SYSTEM32\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\explorer.exe" "explorer.exe" ENABLE
8⤵
PID:1440

C:\Users\Admin\AppData\Local\Temp\~Ez_Dork_Gen_DELUXE.exe
"C:\Users\Admin\AppData\Local\Temp\~Ez_Dork_Gen_DELUXE.exe"
2⤵
- Executes dropped EXE
PID:2792

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\TempSetup.exe

MD5
8cda5c66b6f92209c94ae927be3d895f

SHA1
beb062bbdaeb180c8438f0762eddfeb59609fc02

SHA256
71520637e17ca9034beec82a6c5fe21a0907e2fa8cdb376213e80535f41de6e4

SHA512
c1b71e46c5a52c037a055aa7de1d16e6542e86d75751d2e26fc248875086745934493aa7a06c6faeed378006f5db13e62377ff6dfa85e9d1e215f5a6ab600436

Download Submit
C:\Users\Admin\AppData\Local\TempSetup.exe

MD5
8cda5c66b6f92209c94ae927be3d895f

SHA1
beb062bbdaeb180c8438f0762eddfeb59609fc02

SHA256
71520637e17ca9034beec82a6c5fe21a0907e2fa8cdb376213e80535f41de6e4

SHA512
c1b71e46c5a52c037a055aa7de1d16e6542e86d75751d2e26fc248875086745934493aa7a06c6faeed378006f5db13e62377ff6dfa85e9d1e215f5a6ab600436

Download Submit
C:\Users\Admin\AppData\Local\Temp\~Ez_Dork_Gen_DELUXE.exe

MD5
804cc6ded884925885f409a88e7244d0

SHA1
ff29d809529b139c142fff0bc52c42bac4929e72

SHA256
a60187fe7b2c794a2bc26d6eb86c4f292d2ed4c09871e14f661d8853eaa19ac4

SHA512
f394e50fded112f90b8d771acd0d7cb8e82a2dc40fff1f6745cda00d955147830d2fb2de23e4dd131875ca7a7c0284779d8c2925f29ebab3c3eb1a49d5c57953

Download Submit
C:\Users\Admin\AppData\Local\Temp\~Ez_Dork_Gen_DELUXE.exe

MD5
804cc6ded884925885f409a88e7244d0

SHA1
ff29d809529b139c142fff0bc52c42bac4929e72

SHA256
a60187fe7b2c794a2bc26d6eb86c4f292d2ed4c09871e14f661d8853eaa19ac4

SHA512
f394e50fded112f90b8d771acd0d7cb8e82a2dc40fff1f6745cda00d955147830d2fb2de23e4dd131875ca7a7c0284779d8c2925f29ebab3c3eb1a49d5c57953

Download Submit
C:\Users\Admin\AppData\Roaming\Intel Corporation\Intel(R) Common User Interface\8.1.1.7900\explorer.exe

MD5
c699563104a684e0a51ce7b713f9d02a

SHA1
ee434826f3a7a79011fe66971bee9ef99c86805b

SHA256
37ade920ae2731e64cc72f6fbb59c0f6fcfb6e7c5099fea4b4da5a946e823f6c

SHA512
a29799d65d9c14bf65a93705f7cdee0b66c44dff386bb579ecda18a2dad6c99d575ac773977fd4c72c6045f980a8fe92e768f4689d4003314184eae3e053589a

Download Submit
C:\Users\Admin\AppData\Roaming\Intel Corporation\Intel(R) Common User Interface\8.1.1.7900\explorer.exe

MD5
c699563104a684e0a51ce7b713f9d02a

SHA1
ee434826f3a7a79011fe66971bee9ef99c86805b

SHA256
37ade920ae2731e64cc72f6fbb59c0f6fcfb6e7c5099fea4b4da5a946e823f6c

SHA512
a29799d65d9c14bf65a93705f7cdee0b66c44dff386bb579ecda18a2dad6c99d575ac773977fd4c72c6045f980a8fe92e768f4689d4003314184eae3e053589a

Download Submit
C:\Users\Admin\AppData\Roaming\Intel Corporation\Intel(R) Common User Interface\8.1.1.7900\svchost.exe

MD5
769c40e5c372c2dd21a3f472fff8d7e2

SHA1
7cc1caf7312dd4e6d5abf74f2060f578abab0821

SHA256
74439b22002f86bd45bca78cd5ebd578a8b17979ab73311182cce63573eacbe6

SHA512
6958838b35dee41fb702d679a195e9abfe0233644d4e73f2dedb2144b34470359ce6fb6c81506594d5339a524b01aa61755b82bdb1c850ceec8da6266fd3fc4a

Download Submit
C:\Users\Admin\AppData\Roaming\Intel Corporation\Intel(R) Common User Interface\8.1.1.7900\svchost.exe

MD5
769c40e5c372c2dd21a3f472fff8d7e2

SHA1
7cc1caf7312dd4e6d5abf74f2060f578abab0821

SHA256
74439b22002f86bd45bca78cd5ebd578a8b17979ab73311182cce63573eacbe6

SHA512
6958838b35dee41fb702d679a195e9abfe0233644d4e73f2dedb2144b34470359ce6fb6c81506594d5339a524b01aa61755b82bdb1c850ceec8da6266fd3fc4a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\8.1.7601.17587\Setup.exe

MD5
f64b69094e9cc63e63acec2be76bee4a

SHA1
186733004af7ce6770883c9f8a1d658cdff67804

SHA256
9c7ddac49954d267fe6ab5653bc1020c1058c216b6bcab6b6298333c8940988c

SHA512
2872845d0a6a13895daac078b6f76413fd1f3ce68cade3de7d04d89168136153df28cc75bdea147d8f6cb29ecf82d255fd3f13cab14fb821a0b5549128660922

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\8.1.7601.17587\Setup.exe

MD5
f64b69094e9cc63e63acec2be76bee4a

SHA1
186733004af7ce6770883c9f8a1d658cdff67804

SHA256
9c7ddac49954d267fe6ab5653bc1020c1058c216b6bcab6b6298333c8940988c

SHA512
2872845d0a6a13895daac078b6f76413fd1f3ce68cade3de7d04d89168136153df28cc75bdea147d8f6cb29ecf82d255fd3f13cab14fb821a0b5549128660922

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\8.1.7601.17587\svchost.exe

MD5
e57116b451a51b5df2bf18fbed325ec9

SHA1
246f02ebe5db0a117b74505173b7af84b7b22a2f

SHA256
f9259324de42908849269f679c87cc0ef8096c30d854a72ee57b57e9bb8b59f7

SHA512
1ecaa07b459d335fe108b3dceff1392d37be7814a58e5a30a42bae305c75bc8a3c8c1dbdd313f5276f5a46ec8a4d0409fb918ea966aff58b200e94e2a5a02f73

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\8.1.7601.17587\svchost.exe

MD5
e57116b451a51b5df2bf18fbed325ec9

SHA1
246f02ebe5db0a117b74505173b7af84b7b22a2f

SHA256
f9259324de42908849269f679c87cc0ef8096c30d854a72ee57b57e9bb8b59f7

SHA512
1ecaa07b459d335fe108b3dceff1392d37be7814a58e5a30a42bae305c75bc8a3c8c1dbdd313f5276f5a46ec8a4d0409fb918ea966aff58b200e94e2a5a02f73

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\explorer.exe

MD5
c699563104a684e0a51ce7b713f9d02a

SHA1
ee434826f3a7a79011fe66971bee9ef99c86805b

SHA256
37ade920ae2731e64cc72f6fbb59c0f6fcfb6e7c5099fea4b4da5a946e823f6c

SHA512
a29799d65d9c14bf65a93705f7cdee0b66c44dff386bb579ecda18a2dad6c99d575ac773977fd4c72c6045f980a8fe92e768f4689d4003314184eae3e053589a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\explorer.exe

MD5
c699563104a684e0a51ce7b713f9d02a

SHA1
ee434826f3a7a79011fe66971bee9ef99c86805b

SHA256
37ade920ae2731e64cc72f6fbb59c0f6fcfb6e7c5099fea4b4da5a946e823f6c

SHA512
a29799d65d9c14bf65a93705f7cdee0b66c44dff386bb579ecda18a2dad6c99d575ac773977fd4c72c6045f980a8fe92e768f4689d4003314184eae3e053589a

Download Submit
memory/648-0-0x00007FF99FCC0000-0x00007FF9A0660000-memory.dmp

Filesize
9.6MB

Download
memory/1320-15-0x0000000000000000-mapping.dmp

Download
memory/1320-18-0x00007FF99FCC0000-0x00007FF9A0660000-memory.dmp

Filesize
9.6MB

Download
memory/1436-12-0x0000000000000000-mapping.dmp

Download
memory/1440-27-0x0000000000000000-mapping.dmp

Download
memory/1872-22-0x00007FF99FCC0000-0x00007FF9A0660000-memory.dmp

Filesize
9.6MB

Download
memory/1872-19-0x0000000000000000-mapping.dmp

Download
memory/2732-1-0x0000000000000000-mapping.dmp

Download
memory/2792-6-0x00007FF99FCC0000-0x00007FF9A0660000-memory.dmp

Filesize
9.6MB

Download
memory/2792-3-0x0000000000000000-mapping.dmp

Download
memory/2844-23-0x0000000000000000-mapping.dmp

Download
memory/2844-26-0x00007FF99FCC0000-0x00007FF9A0660000-memory.dmp

Filesize
9.6MB

Download
memory/3124-8-0x0000000000000000-mapping.dmp

Download
memory/3124-11-0x00007FF99FCC0000-0x00007FF9A0660000-memory.dmp

Filesize
9.6MB

Download