Overview

overview

7

Static

static

7c650280d0...0f.exe

windows7-x64

7

7c650280d0...0f.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    150s
  • max time network
    46s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    24-11-2022 23:20

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    7c650280d0aa9828feb81f87c811fd5f8e53a84c611aab59902b762ed7d09d0f.exe

  • Size

    384KB

  • MD5

    9d37c2d88562bf9520bbc8186c28dddd

  • SHA1

    3cb57cbab6a3ca96cda1188d09a8f084c8ab3b78

  • SHA256

    7c650280d0aa9828feb81f87c811fd5f8e53a84c611aab59902b762ed7d09d0f

  • SHA512

    bee4f83b1b1e284065f1a7dd08309007cfeef05e3319d6cc0d22259d51be919bbf82a99b83171cbf9af62ce94c53236f20510d9baef551969718e62213fec98e

  • SSDEEP

    6144:W6YkTLi7oZ83Rl/M01nQgDB3rd3GVhwRlMJjORq5vuaYm/DFDs:kkHi7oC3R+01n3DGaTsjG6DBs

Score
7/10
persistence

Malware Config

Signatures

  • Loads dropped DLL 1 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Modifies Internet Explorer Protected Mode 1 TTPs 1 IoCs
  • Modifies Internet Explorer Protected Mode Banner 1 TTPs 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 2 IoCs
    adwarespyware
  • Modifies registry class 6 IoCs
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs

Processes

  • C:\Windows\system32\wbem\wmiprvse.exe
    C:\Windows\system32\wbem\wmiprvse.exe
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    PID:1940
  • \\?\C:\Windows\system32\wbem\WMIADAP.EXE
    wmiadap.exe /F /T /R
    1⤵
      PID:2028
    • C:\Windows\system32\sppsvc.exe
      C:\Windows\system32\sppsvc.exe
      1⤵
        PID:1216
      • C:\Windows\Explorer.EXE
        C:\Windows\Explorer.EXE
        1⤵
        • Adds Run key to start application
        • Modifies Internet Explorer Protected Mode
        • Modifies Internet Explorer Protected Mode Banner
        • Modifies Internet Explorer settings
        • Modifies registry class
        • Suspicious use of AdjustPrivilegeToken
        PID:1432
        • C:\Users\Admin\AppData\Local\Temp\7c650280d0aa9828feb81f87c811fd5f8e53a84c611aab59902b762ed7d09d0f.exe
          "C:\Users\Admin\AppData\Local\Temp\7c650280d0aa9828feb81f87c811fd5f8e53a84c611aab59902b762ed7d09d0f.exe"
          2⤵
          • Loads dropped DLL
          • Adds Run key to start application
          • Modifies registry class
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of UnmapMainImage
          • Suspicious use of WriteProcessMemory
          PID:240
      • C:\Windows\System32\spoolsv.exe
        C:\Windows\System32\spoolsv.exe
        1⤵
          PID:456

        Network

        MITRE ATT&CK Matrix ATT&CK v6

        Initial Access

        Execution

        Persistence

        Registry Run Keys / Startup Folder

        1
        T1060

        Privilege Escalation

        Defense Evasion

        Modify Registry

        4
        T1112

        Credential Access

        Discovery

        Lateral Movement

        Collection

        Exfiltration

        Command and Control

        Impact

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\ProgramData\EukeqUdtol\EukeqUdtol.dat
          Filesize

          288KB

          MD5

          9f7172eb65fc3f7e5b32578a3b3693c4

          SHA1

          d40340b67adbfbf0c1038aefac6ae72400fff365

          SHA256

          0a59adf6d1f6c1ac7d0a164812dee28aad434055d9acb3a9953341263de572da

          SHA512

          cf1f3b7091ad0856e711ac84afec3b4aaee2823f3cbde679ad8d19bb5591c0bcaec9d72c38de7cf4c81a3e65d9ea0aa0cb5aee8a4e4e03ad5e1774bf68c63d8f

          Download Submit
        • \ProgramData\EukeqUdtol\EukeqUdtol.dat
          Filesize

          288KB

          MD5

          9f7172eb65fc3f7e5b32578a3b3693c4

          SHA1

          d40340b67adbfbf0c1038aefac6ae72400fff365

          SHA256

          0a59adf6d1f6c1ac7d0a164812dee28aad434055d9acb3a9953341263de572da

          SHA512

          cf1f3b7091ad0856e711ac84afec3b4aaee2823f3cbde679ad8d19bb5591c0bcaec9d72c38de7cf4c81a3e65d9ea0aa0cb5aee8a4e4e03ad5e1774bf68c63d8f

          Download Submit
        • memory/240-54-0x0000000075DA1000-0x0000000075DA3000-memory.dmp
          Filesize

          8KB

          Download
        • memory/240-55-0x0000000000400000-0x0000000000445000-memory.dmp
          Filesize

          276KB

          Download
        • memory/240-58-0x0000000000400000-0x0000000000460000-memory.dmp
          Filesize

          384KB

          Download
        • memory/240-59-0x0000000074810000-0x0000000074843000-memory.dmp
          Filesize

          204KB

          Download
        • memory/240-74-0x0000000074810000-0x000000007487E000-memory.dmp
          Filesize

          440KB

          Download
        • memory/240-77-0x0000000000400000-0x0000000000445000-memory.dmp
          Filesize

          276KB

          Download
        • memory/240-78-0x0000000074810000-0x0000000074843000-memory.dmp
          Filesize

          204KB

          Download
        • memory/456-61-0x0000000001BF0000-0x0000000001C44000-memory.dmp
          Filesize

          336KB

          Download
        • memory/1432-75-0x0000000002AB0000-0x0000000002B04000-memory.dmp
          Filesize

          336KB

          Download
        • memory/1432-76-0x0000000003F20000-0x0000000003F8B000-memory.dmp
          Filesize

          428KB

          Download