64e487f2e3b549811f422df96002a734b997a608fa2dcfb1a3856f829d1e7681

Analysis

max time kernel
180s
max time network
49s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
03/10/2022, 19:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

64e487f2e3b549811f422df96002a734b997a608fa2dcfb1a3856f829d1e7681.exe
Size

353KB
MD5

01a300ccb41a2b9e76015837b53a73c6
SHA1

877caba877fc9ac427696f92aed8b0ea7fab479c
SHA256

64e487f2e3b549811f422df96002a734b997a608fa2dcfb1a3856f829d1e7681
SHA512

274a12fdf2c47edd47695bc3b54060a2740ac2834c81272c5442ce374d82c38016f4e5f69178b62205e9209404c6ac657e31ead9c3d933eac6cbf00ae48c01da
SSDEEP

6144:iiHQen8YJ6CHI4KpJlGNvRzS/TTmZRzSqcTTmZRzSqsjrpOA5MIg9:1wenHJFcJlQvRzS7iZRzSZiZRzSNr3g9

Score

8^/10

upx

Malware Config

Signatures

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/768-54-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral1/memory/768-55-0x0000000000400000-0x000000000040F000-memory.dmp	upx

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	64e487f2e3b549811f422df96002a734b997a608fa2dcfb1a3856f829d1e7681.exe
File opened for modification	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Workflow.Compiler\v4.0_4.0.0.0__31bf3856ad364e35\Microsoft.Workflow.Compiler.exe	64e487f2e3b549811f422df96002a734b997a608fa2dcfb1a3856f829d1e7681.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen.exe	64e487f2e3b549811f422df96002a734b997a608fa2dcfb1a3856f829d1e7681.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	64e487f2e3b549811f422df96002a734b997a608fa2dcfb1a3856f829d1e7681.exe
File created	C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\ServiceModelReg.exe	64e487f2e3b549811f422df96002a734b997a608fa2dcfb1a3856f829d1e7681.exe
File created	C:\Windows\Microsoft.NET\Framework\v3.5\vbc.exe	64e487f2e3b549811f422df96002a734b997a608fa2dcfb1a3856f829d1e7681.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe	64e487f2e3b549811f422df96002a734b997a608fa2dcfb1a3856f829d1e7681.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ComSvcConfig.exe	64e487f2e3b549811f422df96002a734b997a608fa2dcfb1a3856f829d1e7681.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe	64e487f2e3b549811f422df96002a734b997a608fa2dcfb1a3856f829d1e7681.exe
File created	C:\Windows\ehome\ehvid.exe	64e487f2e3b549811f422df96002a734b997a608fa2dcfb1a3856f829d1e7681.exe
File created	C:\Windows\ehome\WTVConverter.exe	64e487f2e3b549811f422df96002a734b997a608fa2dcfb1a3856f829d1e7681.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe	64e487f2e3b549811f422df96002a734b997a608fa2dcfb1a3856f829d1e7681.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_regsql.exe	64e487f2e3b549811f422df96002a734b997a608fa2dcfb1a3856f829d1e7681.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe	64e487f2e3b549811f422df96002a734b997a608fa2dcfb1a3856f829d1e7681.exe
File created	C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe	64e487f2e3b549811f422df96002a734b997a608fa2dcfb1a3856f829d1e7681.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	64e487f2e3b549811f422df96002a734b997a608fa2dcfb1a3856f829d1e7681.exe
File created	C:\Windows\ehome\mcspad.exe	64e487f2e3b549811f422df96002a734b997a608fa2dcfb1a3856f829d1e7681.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	64e487f2e3b549811f422df96002a734b997a608fa2dcfb1a3856f829d1e7681.exe
File created	C:\Windows\Microsoft.NET\Framework\v3.5\AddInUtil.exe	64e487f2e3b549811f422df96002a734b997a608fa2dcfb1a3856f829d1e7681.exe
File created	C:\Windows\ehome\McxTask.exe	64e487f2e3b549811f422df96002a734b997a608fa2dcfb1a3856f829d1e7681.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe	64e487f2e3b549811f422df96002a734b997a608fa2dcfb1a3856f829d1e7681.exe
File created	C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\ComSvcConfig.exe	64e487f2e3b549811f422df96002a734b997a608fa2dcfb1a3856f829d1e7681.exe
File created	C:\Windows\ehome\ehrec.exe	64e487f2e3b549811f422df96002a734b997a608fa2dcfb1a3856f829d1e7681.exe
File created	C:\Windows\ehome\Mcx2Prov.exe	64e487f2e3b549811f422df96002a734b997a608fa2dcfb1a3856f829d1e7681.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\dfsvc.exe	64e487f2e3b549811f422df96002a734b997a608fa2dcfb1a3856f829d1e7681.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	64e487f2e3b549811f422df96002a734b997a608fa2dcfb1a3856f829d1e7681.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	64e487f2e3b549811f422df96002a734b997a608fa2dcfb1a3856f829d1e7681.exe
File created	C:\Windows\bfsvc.exe	64e487f2e3b549811f422df96002a734b997a608fa2dcfb1a3856f829d1e7681.exe
File created	C:\Windows\Microsoft.NET\Framework\v3.5\EdmGen.exe	64e487f2e3b549811f422df96002a734b997a608fa2dcfb1a3856f829d1e7681.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe	64e487f2e3b549811f422df96002a734b997a608fa2dcfb1a3856f829d1e7681.exe
File created	C:\Windows\ehome\ehmsas.exe	64e487f2e3b549811f422df96002a734b997a608fa2dcfb1a3856f829d1e7681.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe	64e487f2e3b549811f422df96002a734b997a608fa2dcfb1a3856f829d1e7681.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regsql.exe	64e487f2e3b549811f422df96002a734b997a608fa2dcfb1a3856f829d1e7681.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\EdmGen.exe	64e487f2e3b549811f422df96002a734b997a608fa2dcfb1a3856f829d1e7681.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ilasm.exe	64e487f2e3b549811f422df96002a734b997a608fa2dcfb1a3856f829d1e7681.exe
File created	C:\Windows\Microsoft.NET\Framework\v3.0\WPF\XamlViewer\XamlViewer_v0300.exe	64e487f2e3b549811f422df96002a734b997a608fa2dcfb1a3856f829d1e7681.exe
File created	C:\Windows\Microsoft.NET\Framework\v3.5\csc.exe	64e487f2e3b549811f422df96002a734b997a608fa2dcfb1a3856f829d1e7681.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInUtil.exe	64e487f2e3b549811f422df96002a734b997a608fa2dcfb1a3856f829d1e7681.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	64e487f2e3b549811f422df96002a734b997a608fa2dcfb1a3856f829d1e7681.exe
File created	C:\Windows\ehome\ehprivjob.exe	64e487f2e3b549811f422df96002a734b997a608fa2dcfb1a3856f829d1e7681.exe
File created	C:\Windows\explorer.exe	64e487f2e3b549811f422df96002a734b997a608fa2dcfb1a3856f829d1e7681.exe
File created	C:\Windows\Microsoft.NET\Framework\v3.5\WFServicesReg.exe	64e487f2e3b549811f422df96002a734b997a608fa2dcfb1a3856f829d1e7681.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\DataSvcUtil.exe	64e487f2e3b549811f422df96002a734b997a608fa2dcfb1a3856f829d1e7681.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\Microsoft.Workflow.Compiler.exe	64e487f2e3b549811f422df96002a734b997a608fa2dcfb1a3856f829d1e7681.exe
File created	C:\Windows\ehome\CreateDisc\SBEServer.exe	64e487f2e3b549811f422df96002a734b997a608fa2dcfb1a3856f829d1e7681.exe
File created	C:\Windows\HelpPane.exe	64e487f2e3b549811f422df96002a734b997a608fa2dcfb1a3856f829d1e7681.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_regbrowsers.exe	64e487f2e3b549811f422df96002a734b997a608fa2dcfb1a3856f829d1e7681.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_regiis.exe	64e487f2e3b549811f422df96002a734b997a608fa2dcfb1a3856f829d1e7681.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	64e487f2e3b549811f422df96002a734b997a608fa2dcfb1a3856f829d1e7681.exe
File created	C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe	64e487f2e3b549811f422df96002a734b997a608fa2dcfb1a3856f829d1e7681.exe
File created	C:\Windows\ehome\ehexthost.exe	64e487f2e3b549811f422df96002a734b997a608fa2dcfb1a3856f829d1e7681.exe
File created	C:\Windows\ehome\wow\ehexthost32.exe	64e487f2e3b549811f422df96002a734b997a608fa2dcfb1a3856f829d1e7681.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_wp.exe	64e487f2e3b549811f422df96002a734b997a608fa2dcfb1a3856f829d1e7681.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess.exe	64e487f2e3b549811f422df96002a734b997a608fa2dcfb1a3856f829d1e7681.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	64e487f2e3b549811f422df96002a734b997a608fa2dcfb1a3856f829d1e7681.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	64e487f2e3b549811f422df96002a734b997a608fa2dcfb1a3856f829d1e7681.exe
File created	C:\Windows\Microsoft.NET\Framework\v3.5\AddInProcess.exe	64e487f2e3b549811f422df96002a734b997a608fa2dcfb1a3856f829d1e7681.exe
File created	C:\Windows\Boot\PCAT\memtest.exe	64e487f2e3b549811f422df96002a734b997a608fa2dcfb1a3856f829d1e7681.exe
File created	C:\Windows\ehome\ehrecvr.exe	64e487f2e3b549811f422df96002a734b997a608fa2dcfb1a3856f829d1e7681.exe
File created	C:\Windows\ehome\loadmxf.exe	64e487f2e3b549811f422df96002a734b997a608fa2dcfb1a3856f829d1e7681.exe
File created	C:\Windows\ehome\mcGlidHost.exe	64e487f2e3b549811f422df96002a734b997a608fa2dcfb1a3856f829d1e7681.exe
File created	C:\Windows\hh.exe	64e487f2e3b549811f422df96002a734b997a608fa2dcfb1a3856f829d1e7681.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	64e487f2e3b549811f422df96002a734b997a608fa2dcfb1a3856f829d1e7681.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	64e487f2e3b549811f422df96002a734b997a608fa2dcfb1a3856f829d1e7681.exe

C:\Users\Admin\AppData\Local\Temp\64e487f2e3b549811f422df96002a734b997a608fa2dcfb1a3856f829d1e7681.exe
"C:\Users\Admin\AppData\Local\Temp\64e487f2e3b549811f422df96002a734b997a608fa2dcfb1a3856f829d1e7681.exe"
1⤵
- Drops file in Windows directory
PID:768

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/768-54-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/768-55-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads