Overview

overview

10

Static

static

8

eb031f364f...f4.exe

windows7-x64

10

eb031f364f...f4.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    152s
  • max time network
    46s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    19-09-2022 13:59

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    eb031f364fc55eebd422a6a2e3397d81e81c8a09bb8fcd03c6d7edab041ed5f4.exe

  • Size

    20KB

  • MD5

    f484c63d37b4bae82e9234175a9185e7

  • SHA1

    9fc47f0336a530b7234deb6a1cb8312501aee398

  • SHA256

    eb031f364fc55eebd422a6a2e3397d81e81c8a09bb8fcd03c6d7edab041ed5f4

  • SHA512

    e7938fb2a0c6d86483a9e59f0e3e3ceda6895e517738d0c4bfb999eb5e4de00f2b4ca347721d8cd513b2c3b70dd233d86ac2ba139f39da81d5cfa0526240d0dc

  • SSDEEP

    384:1dvTbdBkQQlBNzawKN2SrZ5XMm22clzY9bjzFRBp6YFubsI3eLGvm:1d7bdjOpabwSraPYr2EIuLw

Score
10/10
evasionpersistenceupx

Malware Config

Signatures

  • Modifies firewall policy service 2 TTPs 2 IoCs
    evasion
  • Executes dropped EXE 1 IoCs
  • UPX packed file 5 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Drops file in Windows directory 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 30 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1212
      • C:\Users\Admin\AppData\Local\Temp\eb031f364fc55eebd422a6a2e3397d81e81c8a09bb8fcd03c6d7edab041ed5f4.exe
        "C:\Users\Admin\AppData\Local\Temp\eb031f364fc55eebd422a6a2e3397d81e81c8a09bb8fcd03c6d7edab041ed5f4.exe"
        2⤵
        • Modifies firewall policy service
        • Adds Run key to start application
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:1952
        • C:\Windows\winrst.exe
          "C:\Windows\winrst.exe"
          3⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of WriteProcessMemory
          PID:2036

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Windows\winrst.exe
      Filesize

      20KB

      MD5

      f484c63d37b4bae82e9234175a9185e7

      SHA1

      9fc47f0336a530b7234deb6a1cb8312501aee398

      SHA256

      eb031f364fc55eebd422a6a2e3397d81e81c8a09bb8fcd03c6d7edab041ed5f4

      SHA512

      e7938fb2a0c6d86483a9e59f0e3e3ceda6895e517738d0c4bfb999eb5e4de00f2b4ca347721d8cd513b2c3b70dd233d86ac2ba139f39da81d5cfa0526240d0dc

      Download Submit

    • memory/1952-54-0x0000000075E31000-0x0000000075E33000-memory.dmp

      Filesize

      8KB

      Download

    • memory/1952-57-0x0000000000400000-0x0000000000454000-memory.dmp

      Filesize

      336KB

      Download

    • memory/1952-58-0x0000000000460000-0x00000000004B4000-memory.dmp

      Filesize

      336KB

      Download

    • memory/1952-60-0x0000000000400000-0x0000000000454000-memory.dmp

      Filesize

      336KB

      Download

    • memory/2036-55-0x0000000000000000-mapping.dmp

      Download

    • memory/2036-59-0x0000000000400000-0x0000000000454000-memory.dmp

      Filesize

      336KB

      Download

    • memory/2036-62-0x0000000000400000-0x0000000000454000-memory.dmp

      Filesize

      336KB

      Download