Overview

overview

8

Static

static

393c6465eb...e2.exe

windows7-x64

8

393c6465eb...e2.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    171s
  • max time network
    193s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
  • submitted
    23/11/2022, 23:19

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    393c6465eb89e45946368c282c09b4f5b9ec05da804769f301e850c312f43be2.exe

  • Size

    448KB

  • MD5

    43ba3d2e1957f7115ecfe75547119f28

  • SHA1

    cfe31320142a3a0fcc000511ca0a9b79376fa1f9

  • SHA256

    393c6465eb89e45946368c282c09b4f5b9ec05da804769f301e850c312f43be2

  • SHA512

    fc44bf6509998775c2caa164422d7977156015117c6ab7022b1d40e27e7606e395d10c431f5d9fdc2c31905fa9e487c5645c76d646b59b6e7a018eb9503fd5af

  • SSDEEP

    6144:uZgzwDoKxS+xxKP5sTyP3x/YPvIfSSf64My+rFkzFucT+IfBPnjYwBLM8Ljr3Ane:tLkWP3x/gYSsoZkzFu6tp0jcjr3

Score
8/10
persistenceupx

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • UPX packed file 3 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Program crash 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SendNotifyMessage 2 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\393c6465eb89e45946368c282c09b4f5b9ec05da804769f301e850c312f43be2.exe
    "C:\Users\Admin\AppData\Local\Temp\393c6465eb89e45946368c282c09b4f5b9ec05da804769f301e850c312f43be2.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2520
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2520 -s 668
      2⤵
      • Program crash
      PID:4788
    • C:\ProgramData\eP01805LcAbJ01805\eP01805LcAbJ01805.exe
      "C:\ProgramData\eP01805LcAbJ01805\eP01805LcAbJ01805.exe" "C:\Users\Admin\AppData\Local\Temp\393c6465eb89e45946368c282c09b4f5b9ec05da804769f301e850c312f43be2.exe"
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of SetWindowsHookEx
      PID:4672
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 4672 -s 668
        3⤵
        • Program crash
        PID:1304
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 204 -p 2520 -ip 2520
    1⤵
      PID:2196
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 196 -p 4672 -ip 4672
      1⤵
        PID:1348

      Network

            MITRE ATT&CK Enterprise v6

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\ProgramData\eP01805LcAbJ01805\eP01805LcAbJ01805.exe
              Filesize

              448KB

              MD5

              2598cb8d99974e86455405f5d62a77de

              SHA1

              cf33cb2468eaa067bf8f7d67f0abbc51a80c0a43

              SHA256

              521af44ca9f08e57378e5be1df5a4006b82648fb36c22e7e13f1a853233006c6

              SHA512

              8e165951cbd4f32ed2063d61073c9c6aac53fc7e0a577fdcc6a3546fd577c1086bd6d93efd358577cc5b561d92d68be65a161915e895ee5850131e7bc90b9dcf

              Download Submit

            • C:\ProgramData\eP01805LcAbJ01805\eP01805LcAbJ01805.exe
              Filesize

              448KB

              MD5

              2598cb8d99974e86455405f5d62a77de

              SHA1

              cf33cb2468eaa067bf8f7d67f0abbc51a80c0a43

              SHA256

              521af44ca9f08e57378e5be1df5a4006b82648fb36c22e7e13f1a853233006c6

              SHA512

              8e165951cbd4f32ed2063d61073c9c6aac53fc7e0a577fdcc6a3546fd577c1086bd6d93efd358577cc5b561d92d68be65a161915e895ee5850131e7bc90b9dcf

              Download Submit

            • memory/2520-132-0x0000000000400000-0x00000000004F2000-memory.dmp

              Filesize

              968KB

              Download

            • memory/2520-136-0x0000000000400000-0x00000000004F2000-memory.dmp

              Filesize

              968KB

              Download

            • memory/4672-137-0x0000000000400000-0x00000000004F2000-memory.dmp

              Filesize

              968KB

              Download