Analysis
-
max time kernel
148s -
max time network
90s -
platform
windows7_x64 -
resource
win7-20220812-en -
resource tags
-
submitted
07/11/2022, 09:45
General
-
Target
e85927ba1fbf0b02f1357a785a45cefc3c0951481ac21236b9c9eafc6f494577.exe
-
Size
611KB
-
MD5
0f65683112b29dddd7d8a77e81263659
-
SHA1
ab4a271627ec25de0588f2e15baeed58e2135e2a
-
SHA256
e85927ba1fbf0b02f1357a785a45cefc3c0951481ac21236b9c9eafc6f494577
-
SHA512
450b65170d700d346296c6986481dc32e7a28a2b8de445d55d8c6bf4876f84d615ea61dc84c1348f7b74950ea5b476500f5efb841426ef022db4a61f92fab02b
-
SSDEEP
12288:95FWFWjCueWOPDbdvGm+hZRW+ibXG3mXAA4EG4yiCLT1:ZNeWqvf+vIbwmXJCl
Malware Config
Signatures
-
Adds policy Run key to start application 2 TTPs 2 IoCs
-
Executes dropped EXE 1 IoCs
-
UPX packed file 3 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Checks BIOS information in registry 2 TTPs 1 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Deletes itself 1 IoCs
-
Loads dropped DLL 1 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Checks whether UAC is enabled 1 TTPs 1 IoCs
-
Drops file in System32 directory 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of WriteProcessMemory 8 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\e85927ba1fbf0b02f1357a785a45cefc3c0951481ac21236b9c9eafc6f494577.exe"C:\Users\Admin\AppData\Local\Temp\e85927ba1fbf0b02f1357a785a45cefc3c0951481ac21236b9c9eafc6f494577.exe"1⤵
- Adds policy Run key to start application
- Checks BIOS information in registry
- Loads dropped DLL
- Checks whether UAC is enabled
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\dciman32R.exeC:\Windows\SysWOW64\dciman32R.exe2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\cmd.exe/c C:\Users\Admin\AppData\Local\Temp\~unins8795.bat "C:\Users\Admin\AppData\Local\Temp\e85927ba1fbf0b02f1357a785a45cefc3c0951481ac21236b9c9eafc6f494577.exe"2⤵
- Deletes itself
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
49B
MD59e0a2f5ab30517809b95a1ff1dd98c53
SHA15c1eefdf10e67d1e9216e2e3f5e92352d583c9ce
SHA25697ac9fee75a1f7b63b3115e9c4fb9dda80b1caba26d2fb51325670dee261fe32
SHA512e959cc1fd48fb1cccf135a697924c775a3812bab211fc7f9b00c5a9d617261d84c5d6f7cb548774c1e8f46811b06ca39c5603d0e10cbcb7b805f9abbe49b9b42
-
Filesize
170KB
MD51d96237e05f9915355cc3606cbb4efce
SHA1b2a16e7864511595290b363676112b2da1644f93
SHA256b45ddae776e1804b45c615abb3cbd809c7343b36ee735fa5200e4103e12f78b0
SHA512caf24dfcf3c43119242ae609cdaecb47fbe672c84dfd5447ca19696474714dec9a2f9ccb51ecd9588a65849a2ba4cfdcfda89c0bc7ca420b65515439c1fac504
-
Filesize
170KB
MD51d96237e05f9915355cc3606cbb4efce
SHA1b2a16e7864511595290b363676112b2da1644f93
SHA256b45ddae776e1804b45c615abb3cbd809c7343b36ee735fa5200e4103e12f78b0
SHA512caf24dfcf3c43119242ae609cdaecb47fbe672c84dfd5447ca19696474714dec9a2f9ccb51ecd9588a65849a2ba4cfdcfda89c0bc7ca420b65515439c1fac504
-
Filesize
170KB
MD51d96237e05f9915355cc3606cbb4efce
SHA1b2a16e7864511595290b363676112b2da1644f93
SHA256b45ddae776e1804b45c615abb3cbd809c7343b36ee735fa5200e4103e12f78b0
SHA512caf24dfcf3c43119242ae609cdaecb47fbe672c84dfd5447ca19696474714dec9a2f9ccb51ecd9588a65849a2ba4cfdcfda89c0bc7ca420b65515439c1fac504
-
Filesize
272KB
-
Filesize
424KB
-
Filesize
704KB
-
Filesize
284KB
-
Filesize
704KB
-
Filesize
8KB
-
Filesize
704KB
-
Filesize
424KB
-
Filesize
5.7MB
-
Filesize
5.7MB