Overview

overview

10

Static

static

10

7eeb07b3e0...b8.exe

windows7-x64

8

7eeb07b3e0...b8.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    151s
  • max time network
    49s
  • platform
    windows7_x64
  • resource
    win7-20220901-en
  • resource tags

    arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
  • submitted
    07-11-2022 18:05

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    7eeb07b3e012c8722c9712ca1b82bab3ef74cdf928f47536733d7a5946ae43b8.exe

  • Size

    21KB

  • MD5

    a3ec315f74f4eb882253bb147a4ab410

  • SHA1

    02bff27c982f24e7472df1c0284dfb1e46a2cc3c

  • SHA256

    7eeb07b3e012c8722c9712ca1b82bab3ef74cdf928f47536733d7a5946ae43b8

  • SHA512

    a5349e7e2b12608114297bb35820c52198bb1631d8293483f410a0a24be6a14a8adde230814e6cf071e7d026fcd7595f470440c4eacc625b3722a2a4542fbcdb

  • SSDEEP

    384:7rwgu4oJuTJj+XZ9Y9qkyUI07jn6qq9fUaIfqfxWkqxrF6ZlvH38R0VKRxxxxxb0:HaJU+Je9Lwjn9fU7q55AQDHr7V

Score
8/10
persistenceupx

Malware Config

Signatures

  • UPX packed file 4 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Loads dropped DLL 10 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Drops desktop.ini file(s) 13 IoCs
  • Enumerates connected drives 3 TTPs 24 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 13 IoCs
  • Modifies registry class 7 IoCs
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 25 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\7eeb07b3e012c8722c9712ca1b82bab3ef74cdf928f47536733d7a5946ae43b8.exe
    "C:\Users\Admin\AppData\Local\Temp\7eeb07b3e012c8722c9712ca1b82bab3ef74cdf928f47536733d7a5946ae43b8.exe"
    1⤵
    • Adds Run key to start application
    • Drops desktop.ini file(s)
    • Drops file in Program Files directory
    • Suspicious use of WriteProcessMemory
    PID:2016
    • C:\Users\Admin\AppData\Local\Temp\7eeb07b3e012c8722c9712ca1b82bab3ef74cdf928f47536733d7a5946ae43b8.exe
      "C:\Users\Admin\AppData\Local\Temp\7eeb07b3e012c8722c9712ca1b82bab3ef74cdf928f47536733d7a5946ae43b8.exe" n2016
      2⤵
        PID:1896
      • C:\Windows\system32\cmd.exe
        "C:\Windows\system32\cmd.exe"
        2⤵
          PID:828
      • C:\Windows\system32\msiexec.exe
        C:\Windows\system32\msiexec.exe /V
        1⤵
        • Loads dropped DLL
        • Enumerates connected drives
        • Drops file in Windows directory
        • Modifies registry class
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1716
        • C:\Windows\syswow64\MsiExec.exe
          C:\Windows\syswow64\MsiExec.exe -Embedding 4E71245EE7DB294DC44791D7C7CF6289
          2⤵
          • Loads dropped DLL
          PID:1316
        • C:\Windows\system32\MsiExec.exe
          C:\Windows\system32\MsiExec.exe -Embedding CE128CB7DB3CC02085AA43DC5F235964
          2⤵
          • Loads dropped DLL
          PID:1944

      Network

      MITRE ATT&CK Matrix ATT&CK v6

      Initial Access

      Execution

      Persistence

      Registry Run Keys / Startup Folder

      1
      T1060

      Privilege Escalation

      Defense Evasion

      Modify Registry

      1
      T1112

      Credential Access

      Discovery

      Query Registry

      1
      T1012

      Peripheral Device Discovery

      1
      T1120

      System Information Discovery

      1
      T1082

      Lateral Movement

      Collection

      Exfiltration

      Command and Control

      Impact

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\$Recycle.Bin\S-1-5-21-4063495947-34355257-727531523-1000\desktop.ini
        Filesize

        356B

        MD5

        06ab8d1d1da7a5c3f36d955a238f7829

        SHA1

        9556cd2a4c6570028811f7ed31e7ceba6f52739a

        SHA256

        e71fbc57599d46bbf5f5a021dc1fe0ebb09efb1ca596295f72c20ba7b2f5dabb

        SHA512

        20898ef74a0c5cf2940bc63fe0df636eb26f3866e8e96394ed13ee0fd2f69e83c111b605987b8102b52d1207bc7968166dc091c4d3093f0b7f1d63ff885398dc

        Download Submit
      • C:\Windows\Installer\MSI72E4.tmp
        Filesize

        28KB

        MD5

        85221b3bcba8dbe4b4a46581aa49f760

        SHA1

        746645c92594bfc739f77812d67cfd85f4b92474

        SHA256

        f6e34a4550e499346f5ab1d245508f16bf765ff24c4988984b89e049ca55737f

        SHA512

        060e35c4de14a03a2cda313f968e372291866cc4acd59977d7a48ac3745494abc54df83fff63cf30be4e10ff69a3b3c8b6c38f43ebd2a8d23d6c86fbee7ba87d

        Download Submit
      • C:\Windows\Installer\MSI740E.tmp
        Filesize

        148KB

        MD5

        33908aa43ac0aaabc06a58d51b1c2cca

        SHA1

        0a0d1ce3435abe2eed635481bac69e1999031291

        SHA256

        4447faacefaba8f040822101e2a4103031660de9139e70ecff9aa3a89455a783

        SHA512

        d5216a53df9cfbe1a78629c103286eb17042f639149c46b6a1cd76498531ae82afd265462fbe0ba9baaff275fc95c66504804f107c449f3fc5833b1ed9c3da46

        Download Submit
      • C:\Windows\Installer\MSI7798.tmp
        Filesize

        363KB

        MD5

        4a843a97ae51c310b573a02ffd2a0e8e

        SHA1

        063fa914ccb07249123c0d5f4595935487635b20

        SHA256

        727ecf287fb6f4953ee7748913dd559b4f8d3a022fa2ca55bc51cf5886c52086

        SHA512

        905c081552d95b523ecf1155b6c7e157652e5ff00cda30c1c21124d266eb7d305c3398d6832316f403dc45d1b639f1a5a67aea29922cd1a032f52e5247ec55d2

        Download Submit
      • C:\Windows\Installer\MSI79EA.tmp
        Filesize

        86KB

        MD5

        ff58cd07bf4913ef899efd2dfb112553

        SHA1

        f14c1681de808543071602f17a6299f8b4ba2ae8

        SHA256

        1afafe9157ff5670bbec8ce622f45d1ce51b3ee77b7348d3a237e232f06c5391

        SHA512

        23e27444b6cdc17fe56f3a80d6325c2be61ae84213bc7cdaad7bb96daa7e8d2d3defc1b96c3cee4a3f32dc464b0e05720bcf1c0e99626bf83de1b6d5aac000a3

        Download Submit
      • C:\Windows\Installer\MSIEDAA.tmp
        Filesize

        257KB

        MD5

        d1f5ce6b23351677e54a245f46a9f8d2

        SHA1

        0d5c6749401248284767f16df92b726e727718ca

        SHA256

        57cb8f01cf553c3886760180d1a74839f2f676640115504485aca9692f577acc

        SHA512

        960e90894e7bedcc89894e77e57e8ee0c99dd2c530d02665e8bbd3a1793eccc1e295c5923d1f37c757fa1158097fbaae70898c16052882d3d210c29ea801b3ba

        Download Submit
      • C:\Windows\Installer\MSIF874.tmp
        Filesize

        363KB

        MD5

        4a843a97ae51c310b573a02ffd2a0e8e

        SHA1

        063fa914ccb07249123c0d5f4595935487635b20

        SHA256

        727ecf287fb6f4953ee7748913dd559b4f8d3a022fa2ca55bc51cf5886c52086

        SHA512

        905c081552d95b523ecf1155b6c7e157652e5ff00cda30c1c21124d266eb7d305c3398d6832316f403dc45d1b639f1a5a67aea29922cd1a032f52e5247ec55d2

        Download Submit
      • C:\Windows\Installer\MSIF950.tmp
        Filesize

        363KB

        MD5

        4a843a97ae51c310b573a02ffd2a0e8e

        SHA1

        063fa914ccb07249123c0d5f4595935487635b20

        SHA256

        727ecf287fb6f4953ee7748913dd559b4f8d3a022fa2ca55bc51cf5886c52086

        SHA512

        905c081552d95b523ecf1155b6c7e157652e5ff00cda30c1c21124d266eb7d305c3398d6832316f403dc45d1b639f1a5a67aea29922cd1a032f52e5247ec55d2

        Download Submit
      • C:\Windows\Installer\MSIFC3D.tmp
        Filesize

        257KB

        MD5

        d1f5ce6b23351677e54a245f46a9f8d2

        SHA1

        0d5c6749401248284767f16df92b726e727718ca

        SHA256

        57cb8f01cf553c3886760180d1a74839f2f676640115504485aca9692f577acc

        SHA512

        960e90894e7bedcc89894e77e57e8ee0c99dd2c530d02665e8bbd3a1793eccc1e295c5923d1f37c757fa1158097fbaae70898c16052882d3d210c29ea801b3ba

        Download Submit
      • \Program Files\Microsoft Office\Office14\VISSHE.DLL
        Filesize

        953KB

        MD5

        2f4759c23abcd639ac3ca7f8fa9480ac

        SHA1

        9a3fece585fa01b7b941e124ead0c39c8ce9bc7c

        SHA256

        6d66fa59407862e0fddfcb36472fe810eb308653321ca0e374ac870f9aa8cec6

        SHA512

        6ab14d6a8d3e9a751d68133e734cc804de2b50a7ef223d484d0f727cdfbd00d48f6e0666c3b86a0daf9ca42c0b726f6c2a088e5bb32c993748abfea7b5904ec6

        Download Submit
      • \Program Files\Microsoft Office\Office14\VISSHE.DLL
        Filesize

        953KB

        MD5

        2f4759c23abcd639ac3ca7f8fa9480ac

        SHA1

        9a3fece585fa01b7b941e124ead0c39c8ce9bc7c

        SHA256

        6d66fa59407862e0fddfcb36472fe810eb308653321ca0e374ac870f9aa8cec6

        SHA512

        6ab14d6a8d3e9a751d68133e734cc804de2b50a7ef223d484d0f727cdfbd00d48f6e0666c3b86a0daf9ca42c0b726f6c2a088e5bb32c993748abfea7b5904ec6

        Download Submit
      • \Windows\Installer\MSI72E4.tmp
        Filesize

        28KB

        MD5

        85221b3bcba8dbe4b4a46581aa49f760

        SHA1

        746645c92594bfc739f77812d67cfd85f4b92474

        SHA256

        f6e34a4550e499346f5ab1d245508f16bf765ff24c4988984b89e049ca55737f

        SHA512

        060e35c4de14a03a2cda313f968e372291866cc4acd59977d7a48ac3745494abc54df83fff63cf30be4e10ff69a3b3c8b6c38f43ebd2a8d23d6c86fbee7ba87d

        Download Submit
      • \Windows\Installer\MSI740E.tmp
        Filesize

        148KB

        MD5

        33908aa43ac0aaabc06a58d51b1c2cca

        SHA1

        0a0d1ce3435abe2eed635481bac69e1999031291

        SHA256

        4447faacefaba8f040822101e2a4103031660de9139e70ecff9aa3a89455a783

        SHA512

        d5216a53df9cfbe1a78629c103286eb17042f639149c46b6a1cd76498531ae82afd265462fbe0ba9baaff275fc95c66504804f107c449f3fc5833b1ed9c3da46

        Download Submit
      • \Windows\Installer\MSI7798.tmp
        Filesize

        363KB

        MD5

        4a843a97ae51c310b573a02ffd2a0e8e

        SHA1

        063fa914ccb07249123c0d5f4595935487635b20

        SHA256

        727ecf287fb6f4953ee7748913dd559b4f8d3a022fa2ca55bc51cf5886c52086

        SHA512

        905c081552d95b523ecf1155b6c7e157652e5ff00cda30c1c21124d266eb7d305c3398d6832316f403dc45d1b639f1a5a67aea29922cd1a032f52e5247ec55d2

        Download Submit
      • \Windows\Installer\MSI79EA.tmp
        Filesize

        86KB

        MD5

        ff58cd07bf4913ef899efd2dfb112553

        SHA1

        f14c1681de808543071602f17a6299f8b4ba2ae8

        SHA256

        1afafe9157ff5670bbec8ce622f45d1ce51b3ee77b7348d3a237e232f06c5391

        SHA512

        23e27444b6cdc17fe56f3a80d6325c2be61ae84213bc7cdaad7bb96daa7e8d2d3defc1b96c3cee4a3f32dc464b0e05720bcf1c0e99626bf83de1b6d5aac000a3

        Download Submit
      • \Windows\Installer\MSIEDAA.tmp
        Filesize

        257KB

        MD5

        d1f5ce6b23351677e54a245f46a9f8d2

        SHA1

        0d5c6749401248284767f16df92b726e727718ca

        SHA256

        57cb8f01cf553c3886760180d1a74839f2f676640115504485aca9692f577acc

        SHA512

        960e90894e7bedcc89894e77e57e8ee0c99dd2c530d02665e8bbd3a1793eccc1e295c5923d1f37c757fa1158097fbaae70898c16052882d3d210c29ea801b3ba

        Download Submit
      • \Windows\Installer\MSIF874.tmp
        Filesize

        363KB

        MD5

        4a843a97ae51c310b573a02ffd2a0e8e

        SHA1

        063fa914ccb07249123c0d5f4595935487635b20

        SHA256

        727ecf287fb6f4953ee7748913dd559b4f8d3a022fa2ca55bc51cf5886c52086

        SHA512

        905c081552d95b523ecf1155b6c7e157652e5ff00cda30c1c21124d266eb7d305c3398d6832316f403dc45d1b639f1a5a67aea29922cd1a032f52e5247ec55d2

        Download Submit
      • \Windows\Installer\MSIF950.tmp
        Filesize

        363KB

        MD5

        4a843a97ae51c310b573a02ffd2a0e8e

        SHA1

        063fa914ccb07249123c0d5f4595935487635b20

        SHA256

        727ecf287fb6f4953ee7748913dd559b4f8d3a022fa2ca55bc51cf5886c52086

        SHA512

        905c081552d95b523ecf1155b6c7e157652e5ff00cda30c1c21124d266eb7d305c3398d6832316f403dc45d1b639f1a5a67aea29922cd1a032f52e5247ec55d2

        Download Submit
      • \Windows\Installer\MSIFC3D.tmp
        Filesize

        257KB

        MD5

        d1f5ce6b23351677e54a245f46a9f8d2

        SHA1

        0d5c6749401248284767f16df92b726e727718ca

        SHA256

        57cb8f01cf553c3886760180d1a74839f2f676640115504485aca9692f577acc

        SHA512

        960e90894e7bedcc89894e77e57e8ee0c99dd2c530d02665e8bbd3a1793eccc1e295c5923d1f37c757fa1158097fbaae70898c16052882d3d210c29ea801b3ba

        Download Submit
      • memory/828-56-0x0000000000000000-mapping.dmp
        Download
      • memory/1316-63-0x0000000000000000-mapping.dmp
        Download
      • memory/1716-62-0x000007FEFC2F1000-0x000007FEFC2F3000-memory.dmp
        Filesize

        8KB

        Download
      • memory/1896-60-0x0000000000400000-0x000000000041F000-memory.dmp
        Filesize

        124KB

        Download
      • memory/1896-59-0x0000000000400000-0x000000000041F000-memory.dmp
        Filesize

        124KB

        Download
      • memory/1944-81-0x0000000000000000-mapping.dmp
        Download
      • memory/2016-54-0x0000000075A71000-0x0000000075A73000-memory.dmp
        Filesize

        8KB

        Download
      • memory/2016-61-0x0000000000400000-0x000000000041F000-memory.dmp
        Filesize

        124KB

        Download
      • memory/2016-55-0x0000000000400000-0x000000000041F000-memory.dmp
        Filesize

        124KB

        Download