Analysis

  • max time kernel
    148s
  • max time network
    45s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags
    arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
  • submitted
    10-10-2022 23:41

General

  • Target

    eaee5c8cee15632c06618262b7c8611afb3693bafddc2a29f40f70cccd76614b.exe

  • Size

    572KB

  • MD5

    455e9f029f5f2fbd8789fc271e5123a0

  • SHA1

    a788711a4039f94e1ac2c20687330edcf02461c5

  • SHA256

    eaee5c8cee15632c06618262b7c8611afb3693bafddc2a29f40f70cccd76614b

  • SHA512

    d0a1d4d69be3994802b435a12ff874573cf452035a59521ae865e9329739a187d118123d7529104d09839a071f086a6a9df2cbad85113bf99cc3abbb8b18add5

  • SSDEEP

    12288:j0/zSknQPmbFlXTPhvHA7azeJrk8h2RvLaB:RqbFR9A7aCDh+eB

Score
8/10

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Enumerates connected drives 3 TTPs 3 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Modifies WinLogon 2 TTPs 1 IoCs
  • Drops file in Program Files directory 1 IoCs
  • Drops file in Windows directory 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\eaee5c8cee15632c06618262b7c8611afb3693bafddc2a29f40f70cccd76614b.exe
    "C:\Users\Admin\AppData\Local\Temp\eaee5c8cee15632c06618262b7c8611afb3693bafddc2a29f40f70cccd76614b.exe"
    1⤵
    • Drops file in Windows directory
    • Suspicious use of WriteProcessMemory
    PID:2036
    • C:\Windows\sysmgr.exe
      "C:\Windows\sysmgr.exe"
      2⤵
      • Executes dropped EXE
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in Program Files directory
      • Drops file in Windows directory
      PID:1776
  • C:\Windows\system32\AUDIODG.EXE
    C:\Windows\system32\AUDIODG.EXE 0x1ec
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:1312

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Windows\svc.dat

    Filesize

    2KB

    MD5

    862575e1aea8dfd7653f798f234bf1d8

    SHA1

    a1a195ba3c0dd998fa5d0c91093b9a3ca0a3f94e

    SHA256

    05f9acca749000561f436c3df79ea15b89f07ca0b58068add82daae1b0bfd885

    SHA512

    4ad230ba77d17b7a18a20986545fce6d5976e462b22b723379fc6052af059fb5cd2fb80fcaae55df2844babc3927aeb3cbf42b493098ad701d6c4f316b21317e

  • C:\Windows\sysmgr.exe

    Filesize

    36KB

    MD5

    2373dfbdba70b54164d4fe163f7f59f1

    SHA1

    fbc51778f9e4868ddce4763d0bef4cb48090e3f6

    SHA256

    e506e529d2d1d80ba433d4dec9fcbf07506112c8d0a130bed322f03346640456

    SHA512

    32e48c596def05ddd1c987ae54cb069f750e0e4a993aa9f5c1d69e11c49ca90f6d324dfb4fa7c29c7d642eb2d939b2efe9332e0f4f4cbc5a0b2893adbf8598ec

  • memory/1776-55-0x0000000000000000-mapping.dmp

  • memory/2036-54-0x0000000075521000-0x0000000075523000-memory.dmp

    Filesize

    8KB

  • memory/2036-59-0x0000000000400000-0x0000000000468000-memory.dmp

    Filesize

    416KB

  • memory/2036-60-0x0000000000400000-0x0000000000468000-memory.dmp

    Filesize

    416KB