Overview

overview

8

Static

static

ed6b989816...39.exe

windows7-x64

8

ed6b989816...39.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    27s
  • max time network
    3s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    28-10-2022 21:34

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ed6b989816f760553406d40d1d707564d1108a7b1e40dd259986e221cd6ce539.exe

  • Size

    404KB

  • MD5

    0c92b8f9d2b6669fc927f6dd01d58b1d

  • SHA1

    cea00b2aa6424a7373c6aba58e2a75fb4d8b40ed

  • SHA256

    ed6b989816f760553406d40d1d707564d1108a7b1e40dd259986e221cd6ce539

  • SHA512

    68f7d36b9b9c4ca7c2d5190b00eef360cd864707a1fc1a1437a2cf25eef2fa14fefe4bbaa09d767cc00bfd5a75f0cf05b6aae0fe2583669d2cfda1e8c515df60

  • SSDEEP

    6144:j2gwBlB8an7MrQYbUc6THBuTq7KvxgCoZ7WWlqwncr+wBdF7bDJG:662HYH6TBMq7KvxhoZC8n0+wBdFP1G

Score
8/10
persistenceupx

Malware Config

Signatures

  • Adds policy Run key to start application 2 TTPs 4 IoCs
    persistence
  • UPX packed file 5 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Drops file in System32 directory 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ed6b989816f760553406d40d1d707564d1108a7b1e40dd259986e221cd6ce539.exe
    "C:\Users\Admin\AppData\Local\Temp\ed6b989816f760553406d40d1d707564d1108a7b1e40dd259986e221cd6ce539.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1992
    • C:\Users\Admin\AppData\Local\Temp\ed6b989816f760553406d40d1d707564d1108a7b1e40dd259986e221cd6ce539.exe
      C:\Users\Admin\AppData\Local\Temp\ed6b989816f760553406d40d1d707564d1108a7b1e40dd259986e221cd6ce539.exe
      2⤵
      • Adds policy Run key to start application
      • Adds Run key to start application
      • Drops file in System32 directory
      • Suspicious behavior: EnumeratesProcesses
      PID:4280
      • C:\Windows\SysWOW64\explorer.exe
        explorer.exe
        3⤵
          PID:4808

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/1992-132-0x0000000000400000-0x000000000044F000-memory.dmp

      Filesize

      316KB

      Download

    • memory/1992-133-0x0000000000030000-0x0000000000033000-memory.dmp

      Filesize

      12KB

      Download

    • memory/1992-141-0x0000000000400000-0x000000000044F000-memory.dmp

      Filesize

      316KB

      Download

    • memory/4280-139-0x0000000000400000-0x0000000000453000-memory.dmp

      Filesize

      332KB

      Download

    • memory/4280-140-0x0000000000400000-0x0000000000453000-memory.dmp

      Filesize

      332KB

      Download

    • memory/4280-137-0x0000000000400000-0x0000000000453000-memory.dmp

      Filesize

      332KB

      Download

    • memory/4280-136-0x0000000000000000-mapping.dmp

      Download

    • memory/4280-142-0x0000000000400000-0x0000000000453000-memory.dmp

      Filesize

      332KB

      Download

    • memory/4280-144-0x0000000010410000-0x0000000010471000-memory.dmp

      Filesize

      388KB

      Download

    • memory/4808-148-0x0000000000000000-mapping.dmp

      Download