Overview

overview

10

Static

static

8

ee9f822481...6e.exe

windows7-x64

10

ee9f822481...6e.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    163s
  • max time network
    167s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    26-11-2022 23:28

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ee9f822481646c3e26f1187553721d2b956642a69790ec20f9feef2a4044476e.exe

  • Size

    551KB

  • MD5

    fd4f91a73f52cd100012d32b18b81daa

  • SHA1

    25545878e7ab8a1cd8ae736446aa0fa7f72981a6

  • SHA256

    ee9f822481646c3e26f1187553721d2b956642a69790ec20f9feef2a4044476e

  • SHA512

    242de09805086f1446272fe907597b166f43212eb1eb3c430f4e1b4ce7c328888be04f2898f0ef7956f9206ba4dd965ea6054e2b49bce7fd4eb7a1d50274e99b

  • SSDEEP

    6144:1v7N+NSSx+T/wzitHlBSZmn6aw/jrgXkaZaitUivNO50dG3lBBg/uMTwzrCVditC:1vQwSxTi2AwQX4H50aloB5VSM3

Score
10/10
evasionpersistenceupx

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
    persistence
  • Disables RegEdit via registry modification 1 IoCs
    evasion
  • Disables Task Manager via registry modification
    evasion
  • Sets file execution options in registry 2 TTPs 2 IoCs
    persistence
  • UPX packed file 2 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Kills process with taskkill 4 IoCs
    evasion
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • System policy modification 1 TTPs 2 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\ee9f822481646c3e26f1187553721d2b956642a69790ec20f9feef2a4044476e.exe
    "C:\Users\Admin\AppData\Local\Temp\ee9f822481646c3e26f1187553721d2b956642a69790ec20f9feef2a4044476e.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Disables RegEdit via registry modification
    • Sets file execution options in registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:1568
    • C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im Explorer.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:2936
    • C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im TaskMgr.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:2888
    • C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im Cmd.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:2584
    • C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im Regedit.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:1328

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/1328-135-0x0000000000000000-mapping.dmp

    Download

  • memory/1568-132-0x0000000000400000-0x0000000000575000-memory.dmp

    Filesize

    1.5MB

    Download

  • memory/1568-137-0x0000000000400000-0x0000000000575000-memory.dmp

    Filesize

    1.5MB

    Download

  • memory/2584-136-0x0000000000000000-mapping.dmp

    Download

  • memory/2888-134-0x0000000000000000-mapping.dmp

    Download

  • memory/2936-133-0x0000000000000000-mapping.dmp

    Download