Overview

overview

8

Static

static

1eeb1f73c3...34.exe

windows7-x64

1

1eeb1f73c3...34.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    178s
  • max time network
    192s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    07-11-2022 02:16

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    1eeb1f73c3c15f7255a770536136dc4444bfbc4d0d7e06b896c5814f4a235434.exe

  • Size

    388KB

  • MD5

    0cd2b3621c8782115d942a9f00f7dc70

  • SHA1

    2b21e933cbfba91c915e5bf9810cf94885ef98b7

  • SHA256

    1eeb1f73c3c15f7255a770536136dc4444bfbc4d0d7e06b896c5814f4a235434

  • SHA512

    7908de56ac9ebbf3033f24b5b6007390226507740b63ab63d6b8ef4ba6c1ec403ad44d2ca8e200c24111ec8b2eb8300ca51a4e4a95489208c0a81977b7ee5f2a

  • SSDEEP

    6144:byhgVul9G+LqDxK1THj/i/4Alt1yZmak1l70RD9vUPszhma6Use+ntZ:byhgUe+LRHj/Q/t1y0QMPsdmHHD

Score
8/10
persistenceupx

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • UPX packed file 2 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SendNotifyMessage 2 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1eeb1f73c3c15f7255a770536136dc4444bfbc4d0d7e06b896c5814f4a235434.exe
    "C:\Users\Admin\AppData\Local\Temp\1eeb1f73c3c15f7255a770536136dc4444bfbc4d0d7e06b896c5814f4a235434.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2200
    • C:\ProgramData\lA06504AlIfA06504\lA06504AlIfA06504.exe
      "C:\ProgramData\lA06504AlIfA06504\lA06504AlIfA06504.exe" "C:\Users\Admin\AppData\Local\Temp\1eeb1f73c3c15f7255a770536136dc4444bfbc4d0d7e06b896c5814f4a235434.exe"
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of SetWindowsHookEx
      PID:4476

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\lA06504AlIfA06504\lA06504AlIfA06504.exe
    Filesize

    388KB

    MD5

    99e33f4372db9c82f288e79ad606f66f

    SHA1

    bc0561f517d94e4b260786d1da39f5b5a2ddd0eb

    SHA256

    cf9f8d2351f0326422bb1cfa4a37738805ae8ffe41652928081c3e3f588c2547

    SHA512

    9aa024438977d5d085ac0cfb01b983c25c96e77a738351610e68f1c1daf4604a057dff762b2a83b98f6cf52141e655ebfd43742988fc98bfe7c6190c411a470e

    Download Submit

  • C:\ProgramData\lA06504AlIfA06504\lA06504AlIfA06504.exe
    Filesize

    388KB

    MD5

    99e33f4372db9c82f288e79ad606f66f

    SHA1

    bc0561f517d94e4b260786d1da39f5b5a2ddd0eb

    SHA256

    cf9f8d2351f0326422bb1cfa4a37738805ae8ffe41652928081c3e3f588c2547

    SHA512

    9aa024438977d5d085ac0cfb01b983c25c96e77a738351610e68f1c1daf4604a057dff762b2a83b98f6cf52141e655ebfd43742988fc98bfe7c6190c411a470e

    Download Submit

  • memory/2200-135-0x0000000000400000-0x00000000004C2000-memory.dmp

    Filesize

    776KB

    Download

  • memory/4476-132-0x0000000000000000-mapping.dmp

    Download

  • memory/4476-136-0x0000000000400000-0x00000000004C2000-memory.dmp

    Filesize

    776KB

    Download