Overview

overview

8

Static

static

e1cfc115c0...6a.exe

windows7-x64

8

e1cfc115c0...6a.exe

windows10-2004-x64

1

Analysis

  • max time kernel
    150s
  • max time network
    147s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    23-11-2022 09:44

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    e1cfc115c0dc61198fae3f45e3b5ce92edaca691045a6b3860d2f008c0aad06a.exe

  • Size

    161KB

  • MD5

    fe116b0d03082a3ac8ca9cfeb9ce4500

  • SHA1

    89aff2309c312ddcceae62129e51f296bbd27907

  • SHA256

    e1cfc115c0dc61198fae3f45e3b5ce92edaca691045a6b3860d2f008c0aad06a

  • SHA512

    69a398d42676ab8cf0195f4c0f23792705f9a3423a9743e2ec37531a7a865a684a972ed34530b69d25d8583ee3f1f869a2ea10339509d616dcd0d33ce7460455

  • SSDEEP

    3072:O1UqeDPEsbBYTN6jZ4fReG6NkHqQTtwRc6GCCT/oQXbTlOf/mdQgUfu:OuqeDPEKBYGkV6NkHq4wpGsYbTi/8QgT

Score
8/10
persistence

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Deletes itself 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Suspicious behavior: EnumeratesProcesses 25 IoCs
  • Suspicious behavior: MapViewOfSection 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\e1cfc115c0dc61198fae3f45e3b5ce92edaca691045a6b3860d2f008c0aad06a.exe
    "C:\Users\Admin\AppData\Local\Temp\e1cfc115c0dc61198fae3f45e3b5ce92edaca691045a6b3860d2f008c0aad06a.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1404
    • C:\Users\Admin\AppData\Roaming\Xaobal\umorl.exe
      "C:\Users\Admin\AppData\Roaming\Xaobal\umorl.exe"
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of FindShellTrayWindow
      PID:1400
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp726873f6.bat"
      2⤵
      • Deletes itself
      PID:1540

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\tmp726873f6.bat
    Filesize

    307B

    MD5

    5596330b87294c62ea656ce29ffcf5d6

    SHA1

    40afe0b8228b388fd5f346e7230b7df440d75694

    SHA256

    46d7321e8eee2f11f45602d40ea074e9103cb2ac2d189340089091aba779b67d

    SHA512

    0fed913da4e9ba8e6c72ac641ba20117291bb06be2ddb41e10502bff5ef7b999314588e86694d18e7bdeb5db49cefa8901152f78fbc2531ae86b0cbebfb9e324

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Xaobal\umorl.exe
    Filesize

    161KB

    MD5

    3d0b200c0e52966ce6d9ca268a064ec7

    SHA1

    d38be68dea6c1f0120d19f111f61f2d7fbabb9d0

    SHA256

    c73b73074889a64ed44864408979af3f9f84bdb2efc1bc6a73bc53073221fb29

    SHA512

    b38bf96da4d89f90e3df662f310ae432582deb659a4a266224e4d345afb78277ab9de4d964699b7185349d2c219ac296b253eb0e06765d846572017d72e86edd

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Xaobal\umorl.exe
    Filesize

    161KB

    MD5

    3d0b200c0e52966ce6d9ca268a064ec7

    SHA1

    d38be68dea6c1f0120d19f111f61f2d7fbabb9d0

    SHA256

    c73b73074889a64ed44864408979af3f9f84bdb2efc1bc6a73bc53073221fb29

    SHA512

    b38bf96da4d89f90e3df662f310ae432582deb659a4a266224e4d345afb78277ab9de4d964699b7185349d2c219ac296b253eb0e06765d846572017d72e86edd

    Download Submit

  • \Users\Admin\AppData\Roaming\Xaobal\umorl.exe
    Filesize

    161KB

    MD5

    3d0b200c0e52966ce6d9ca268a064ec7

    SHA1

    d38be68dea6c1f0120d19f111f61f2d7fbabb9d0

    SHA256

    c73b73074889a64ed44864408979af3f9f84bdb2efc1bc6a73bc53073221fb29

    SHA512

    b38bf96da4d89f90e3df662f310ae432582deb659a4a266224e4d345afb78277ab9de4d964699b7185349d2c219ac296b253eb0e06765d846572017d72e86edd

    Download Submit

  • \Users\Admin\AppData\Roaming\Xaobal\umorl.exe
    Filesize

    161KB

    MD5

    3d0b200c0e52966ce6d9ca268a064ec7

    SHA1

    d38be68dea6c1f0120d19f111f61f2d7fbabb9d0

    SHA256

    c73b73074889a64ed44864408979af3f9f84bdb2efc1bc6a73bc53073221fb29

    SHA512

    b38bf96da4d89f90e3df662f310ae432582deb659a4a266224e4d345afb78277ab9de4d964699b7185349d2c219ac296b253eb0e06765d846572017d72e86edd

    Download Submit

  • memory/1400-57-0x0000000000000000-mapping.dmp

    Download

  • memory/1404-54-0x0000000074F01000-0x0000000074F03000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1540-61-0x0000000000000000-mapping.dmp

    Download