e75c8210e2df5ad9e1494a074f6e4d7bb871cf362f25ef20e752a431c5336153

Analysis

max time kernel
218s
max time network
35s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
04-12-2022 08:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e75c8210e2df5ad9e1494a074f6e4d7bb871cf362f25ef20e752a431c5336153.exe
Size

579KB
MD5

ff50579651e80b4608c6dc52bcdb3eef
SHA1

acadd1eb7d9084489bd0a10e4abec5272cbf41f0
SHA256

e75c8210e2df5ad9e1494a074f6e4d7bb871cf362f25ef20e752a431c5336153
SHA512

33c0ffc15c6c0182a0ef793fa4d0f23a094a849cb228630a256aae1894e183ac53e977ff7087fa9893a774ffd19d895af26ea5d0f207a76553929d5c536755c1
SSDEEP

12288:w4w5+my44Zb0t3lN5EJWDFWcu955KE49lEBgugy9PuIJK3is0+:w4wT1ib0tntUl55b49lby1jJaBB

Score

8^/10

upx

Malware Config

Signatures

UPX packed file 12 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1116-72-0x00000000001B0000-0x00000000001BD000-memory.dmp	upx
behavioral1/memory/1116-77-0x00000000001C0000-0x00000000001CD000-memory.dmp	upx
behavioral1/memory/1116-81-0x0000000010490000-0x000000001049D000-memory.dmp	upx
behavioral1/memory/1116-87-0x00000000104A0000-0x00000000104AD000-memory.dmp	upx
behavioral1/memory/1116-93-0x00000000104B0000-0x00000000104BD000-memory.dmp	upx
behavioral1/memory/1116-99-0x00000000104C0000-0x00000000104CD000-memory.dmp	upx
behavioral1/memory/1116-105-0x00000000104D0000-0x00000000104DD000-memory.dmp	upx
behavioral1/memory/1116-111-0x00000000104E0000-0x00000000104ED000-memory.dmp	upx
behavioral1/memory/1116-117-0x00000000104F0000-0x00000000104FD000-memory.dmp	upx
behavioral1/memory/1116-123-0x0000000010500000-0x000000001050D000-memory.dmp	upx
behavioral1/memory/1116-129-0x0000000010510000-0x000000001051D000-memory.dmp	upx
behavioral1/memory/1116-135-0x0000000010520000-0x000000001052D000-memory.dmp	upx

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1644 set thread context of 1116	1644	e75c8210e2df5ad9e1494a074f6e4d7bb871cf362f25ef20e752a431c5336153.exe	28

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2332	1320	WerFault.exe	30

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
1116	e75c8210e2df5ad9e1494a074f6e4d7bb871cf362f25ef20e752a431c5336153.exe
1116	e75c8210e2df5ad9e1494a074f6e4d7bb871cf362f25ef20e752a431c5336153.exe
1116	e75c8210e2df5ad9e1494a074f6e4d7bb871cf362f25ef20e752a431c5336153.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	1116	e75c8210e2df5ad9e1494a074f6e4d7bb871cf362f25ef20e752a431c5336153.exe
Token: SeDebugPrivilege	1116	e75c8210e2df5ad9e1494a074f6e4d7bb871cf362f25ef20e752a431c5336153.exe
Token: SeDebugPrivilege	1116	e75c8210e2df5ad9e1494a074f6e4d7bb871cf362f25ef20e752a431c5336153.exe
Token: SeDebugPrivilege	1116	e75c8210e2df5ad9e1494a074f6e4d7bb871cf362f25ef20e752a431c5336153.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1644	e75c8210e2df5ad9e1494a074f6e4d7bb871cf362f25ef20e752a431c5336153.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1644 wrote to memory of 1116	1644	e75c8210e2df5ad9e1494a074f6e4d7bb871cf362f25ef20e752a431c5336153.exe	28
PID 1644 wrote to memory of 1116	1644	e75c8210e2df5ad9e1494a074f6e4d7bb871cf362f25ef20e752a431c5336153.exe	28
PID 1644 wrote to memory of 1116	1644	e75c8210e2df5ad9e1494a074f6e4d7bb871cf362f25ef20e752a431c5336153.exe	28
PID 1644 wrote to memory of 1116	1644	e75c8210e2df5ad9e1494a074f6e4d7bb871cf362f25ef20e752a431c5336153.exe	28
PID 1644 wrote to memory of 1116	1644	e75c8210e2df5ad9e1494a074f6e4d7bb871cf362f25ef20e752a431c5336153.exe	28
PID 1644 wrote to memory of 1116	1644	e75c8210e2df5ad9e1494a074f6e4d7bb871cf362f25ef20e752a431c5336153.exe	28
PID 1644 wrote to memory of 1116	1644	e75c8210e2df5ad9e1494a074f6e4d7bb871cf362f25ef20e752a431c5336153.exe	28
PID 1644 wrote to memory of 1116	1644	e75c8210e2df5ad9e1494a074f6e4d7bb871cf362f25ef20e752a431c5336153.exe	28
PID 1644 wrote to memory of 1116	1644	e75c8210e2df5ad9e1494a074f6e4d7bb871cf362f25ef20e752a431c5336153.exe	28
PID 1644 wrote to memory of 1116	1644	e75c8210e2df5ad9e1494a074f6e4d7bb871cf362f25ef20e752a431c5336153.exe	28
PID 1644 wrote to memory of 1116	1644	e75c8210e2df5ad9e1494a074f6e4d7bb871cf362f25ef20e752a431c5336153.exe	28
PID 1644 wrote to memory of 1116	1644	e75c8210e2df5ad9e1494a074f6e4d7bb871cf362f25ef20e752a431c5336153.exe	28
PID 1644 wrote to memory of 1116	1644	e75c8210e2df5ad9e1494a074f6e4d7bb871cf362f25ef20e752a431c5336153.exe	28
PID 1644 wrote to memory of 1116	1644	e75c8210e2df5ad9e1494a074f6e4d7bb871cf362f25ef20e752a431c5336153.exe	28
PID 1116 wrote to memory of 1432	1116	e75c8210e2df5ad9e1494a074f6e4d7bb871cf362f25ef20e752a431c5336153.exe	29
PID 1116 wrote to memory of 1432	1116	e75c8210e2df5ad9e1494a074f6e4d7bb871cf362f25ef20e752a431c5336153.exe	29
PID 1116 wrote to memory of 1432	1116	e75c8210e2df5ad9e1494a074f6e4d7bb871cf362f25ef20e752a431c5336153.exe	29
PID 1116 wrote to memory of 1432	1116	e75c8210e2df5ad9e1494a074f6e4d7bb871cf362f25ef20e752a431c5336153.exe	29
PID 1116 wrote to memory of 1432	1116	e75c8210e2df5ad9e1494a074f6e4d7bb871cf362f25ef20e752a431c5336153.exe	29
PID 1116 wrote to memory of 1432	1116	e75c8210e2df5ad9e1494a074f6e4d7bb871cf362f25ef20e752a431c5336153.exe	29
PID 1116 wrote to memory of 1432	1116	e75c8210e2df5ad9e1494a074f6e4d7bb871cf362f25ef20e752a431c5336153.exe	29
PID 1116 wrote to memory of 1432	1116	e75c8210e2df5ad9e1494a074f6e4d7bb871cf362f25ef20e752a431c5336153.exe	29
PID 1116 wrote to memory of 1432	1116	e75c8210e2df5ad9e1494a074f6e4d7bb871cf362f25ef20e752a431c5336153.exe	29
PID 1116 wrote to memory of 1432	1116	e75c8210e2df5ad9e1494a074f6e4d7bb871cf362f25ef20e752a431c5336153.exe	29
PID 1116 wrote to memory of 1432	1116	e75c8210e2df5ad9e1494a074f6e4d7bb871cf362f25ef20e752a431c5336153.exe	29
PID 1116 wrote to memory of 1432	1116	e75c8210e2df5ad9e1494a074f6e4d7bb871cf362f25ef20e752a431c5336153.exe	29
PID 1116 wrote to memory of 1432	1116	e75c8210e2df5ad9e1494a074f6e4d7bb871cf362f25ef20e752a431c5336153.exe	29
PID 1116 wrote to memory of 1432	1116	e75c8210e2df5ad9e1494a074f6e4d7bb871cf362f25ef20e752a431c5336153.exe	29
PID 1116 wrote to memory of 1432	1116	e75c8210e2df5ad9e1494a074f6e4d7bb871cf362f25ef20e752a431c5336153.exe	29
PID 1116 wrote to memory of 1432	1116	e75c8210e2df5ad9e1494a074f6e4d7bb871cf362f25ef20e752a431c5336153.exe	29
PID 1116 wrote to memory of 1432	1116	e75c8210e2df5ad9e1494a074f6e4d7bb871cf362f25ef20e752a431c5336153.exe	29
PID 1116 wrote to memory of 1432	1116	e75c8210e2df5ad9e1494a074f6e4d7bb871cf362f25ef20e752a431c5336153.exe	29
PID 1116 wrote to memory of 1432	1116	e75c8210e2df5ad9e1494a074f6e4d7bb871cf362f25ef20e752a431c5336153.exe	29
PID 1116 wrote to memory of 1432	1116	e75c8210e2df5ad9e1494a074f6e4d7bb871cf362f25ef20e752a431c5336153.exe	29
PID 1116 wrote to memory of 1432	1116	e75c8210e2df5ad9e1494a074f6e4d7bb871cf362f25ef20e752a431c5336153.exe	29
PID 1116 wrote to memory of 1432	1116	e75c8210e2df5ad9e1494a074f6e4d7bb871cf362f25ef20e752a431c5336153.exe	29
PID 1116 wrote to memory of 1432	1116	e75c8210e2df5ad9e1494a074f6e4d7bb871cf362f25ef20e752a431c5336153.exe	29
PID 1116 wrote to memory of 1432	1116	e75c8210e2df5ad9e1494a074f6e4d7bb871cf362f25ef20e752a431c5336153.exe	29
PID 1116 wrote to memory of 1432	1116	e75c8210e2df5ad9e1494a074f6e4d7bb871cf362f25ef20e752a431c5336153.exe	29
PID 1116 wrote to memory of 1432	1116	e75c8210e2df5ad9e1494a074f6e4d7bb871cf362f25ef20e752a431c5336153.exe	29
PID 1116 wrote to memory of 1432	1116	e75c8210e2df5ad9e1494a074f6e4d7bb871cf362f25ef20e752a431c5336153.exe	29
PID 1116 wrote to memory of 1432	1116	e75c8210e2df5ad9e1494a074f6e4d7bb871cf362f25ef20e752a431c5336153.exe	29
PID 1116 wrote to memory of 1432	1116	e75c8210e2df5ad9e1494a074f6e4d7bb871cf362f25ef20e752a431c5336153.exe	29
PID 1116 wrote to memory of 1432	1116	e75c8210e2df5ad9e1494a074f6e4d7bb871cf362f25ef20e752a431c5336153.exe	29
PID 1116 wrote to memory of 1432	1116	e75c8210e2df5ad9e1494a074f6e4d7bb871cf362f25ef20e752a431c5336153.exe	29
PID 1116 wrote to memory of 1432	1116	e75c8210e2df5ad9e1494a074f6e4d7bb871cf362f25ef20e752a431c5336153.exe	29
PID 1116 wrote to memory of 1432	1116	e75c8210e2df5ad9e1494a074f6e4d7bb871cf362f25ef20e752a431c5336153.exe	29
PID 1116 wrote to memory of 1432	1116	e75c8210e2df5ad9e1494a074f6e4d7bb871cf362f25ef20e752a431c5336153.exe	29
PID 1116 wrote to memory of 1432	1116	e75c8210e2df5ad9e1494a074f6e4d7bb871cf362f25ef20e752a431c5336153.exe	29
PID 1116 wrote to memory of 1432	1116	e75c8210e2df5ad9e1494a074f6e4d7bb871cf362f25ef20e752a431c5336153.exe	29
PID 1116 wrote to memory of 1432	1116	e75c8210e2df5ad9e1494a074f6e4d7bb871cf362f25ef20e752a431c5336153.exe	29
PID 1116 wrote to memory of 1432	1116	e75c8210e2df5ad9e1494a074f6e4d7bb871cf362f25ef20e752a431c5336153.exe	29
PID 1116 wrote to memory of 1432	1116	e75c8210e2df5ad9e1494a074f6e4d7bb871cf362f25ef20e752a431c5336153.exe	29
PID 1116 wrote to memory of 1432	1116	e75c8210e2df5ad9e1494a074f6e4d7bb871cf362f25ef20e752a431c5336153.exe	29
PID 1116 wrote to memory of 1432	1116	e75c8210e2df5ad9e1494a074f6e4d7bb871cf362f25ef20e752a431c5336153.exe	29
PID 1116 wrote to memory of 1432	1116	e75c8210e2df5ad9e1494a074f6e4d7bb871cf362f25ef20e752a431c5336153.exe	29
PID 1116 wrote to memory of 1432	1116	e75c8210e2df5ad9e1494a074f6e4d7bb871cf362f25ef20e752a431c5336153.exe	29
PID 1116 wrote to memory of 1432	1116	e75c8210e2df5ad9e1494a074f6e4d7bb871cf362f25ef20e752a431c5336153.exe	29
PID 1116 wrote to memory of 1432	1116	e75c8210e2df5ad9e1494a074f6e4d7bb871cf362f25ef20e752a431c5336153.exe	29
PID 1116 wrote to memory of 1432	1116	e75c8210e2df5ad9e1494a074f6e4d7bb871cf362f25ef20e752a431c5336153.exe	29
PID 1116 wrote to memory of 1432	1116	e75c8210e2df5ad9e1494a074f6e4d7bb871cf362f25ef20e752a431c5336153.exe	29
PID 1116 wrote to memory of 1432	1116	e75c8210e2df5ad9e1494a074f6e4d7bb871cf362f25ef20e752a431c5336153.exe	29
PID 1116 wrote to memory of 1432	1116	e75c8210e2df5ad9e1494a074f6e4d7bb871cf362f25ef20e752a431c5336153.exe	29
PID 1116 wrote to memory of 1432	1116	e75c8210e2df5ad9e1494a074f6e4d7bb871cf362f25ef20e752a431c5336153.exe	29

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:416

C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
1⤵
PID:380

C:\Windows\system32\wininit.exe
wininit.exe
1⤵
PID:368
- C:\Windows\system32\lsass.exe
  C:\Windows\system32\lsass.exe
  2⤵
  PID:476
- C:\Windows\system32\services.exe
  C:\Windows\system32\services.exe
  2⤵
  PID:460
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
    3⤵
    PID:1412
- - C:\Windows\system32\sppsvc.exe
    C:\Windows\system32\sppsvc.exe
    3⤵
    PID:2024
- - C:\Windows\system32\taskhost.exe
    "taskhost.exe"
    3⤵
    PID:1120
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    3⤵
    PID:1044
- - C:\Windows\System32\spoolsv.exe
    C:\Windows\System32\spoolsv.exe
    3⤵
    PID:308
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k NetworkService
    3⤵
    PID:108
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k netsvcs
    3⤵
    PID:872
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalService
    3⤵
    PID:848
- - C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    3⤵
    PID:808
- - C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    3⤵
    PID:752
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k RPCSS
    3⤵
    PID:672
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    3⤵
    PID:592
- C:\Windows\system32\lsm.exe
  C:\Windows\system32\lsm.exe
  2⤵
  PID:484

C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
1⤵
PID:332

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe
1⤵
PID:260

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe
1⤵
PID:1868

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1284
- C:\Users\Admin\AppData\Local\Temp\e75c8210e2df5ad9e1494a074f6e4d7bb871cf362f25ef20e752a431c5336153.exe
  "C:\Users\Admin\AppData\Local\Temp\e75c8210e2df5ad9e1494a074f6e4d7bb871cf362f25ef20e752a431c5336153.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1644
- - C:\Users\Admin\AppData\Local\Temp\e75c8210e2df5ad9e1494a074f6e4d7bb871cf362f25ef20e752a431c5336153.exe
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1116
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:1432
  - - C:\Users\Admin\AppData\Local\Temp\e75c8210e2df5ad9e1494a074f6e4d7bb871cf362f25ef20e752a431c5336153.exe
      C:\Users\Admin\AppData\Local\Temp\e75c8210e2df5ad9e1494a074f6e4d7bb871cf362f25ef20e752a431c5336153.exe
      4⤵
      PID:1320
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1320 -s 148
        5⤵
        Program crash
        
        PID:2332

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1176

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/260-84-0x0000000010490000-0x000000001049D000-memory.dmp

Filesize
52KB

Download
memory/1116-129-0x0000000010510000-0x000000001051D000-memory.dmp

Filesize
52KB

Download
memory/1116-226-0x0000000000250000-0x0000000000260000-memory.dmp

Filesize
64KB

Download
memory/1116-87-0x00000000104A0000-0x00000000104AD000-memory.dmp

Filesize
52KB

Download
memory/1116-60-0x0000000000400000-0x0000000000489000-memory.dmp

Filesize
548KB

Download
memory/1116-223-0x0000000000250000-0x0000000000260000-memory.dmp

Filesize
64KB

Download
memory/1116-61-0x0000000000400000-0x0000000000489000-memory.dmp

Filesize
548KB

Download
memory/1116-93-0x00000000104B0000-0x00000000104BD000-memory.dmp

Filesize
52KB

Download
memory/1116-65-0x0000000010410000-0x0000000010488000-memory.dmp

Filesize
480KB

Download
memory/1116-72-0x00000000001B0000-0x00000000001BD000-memory.dmp

Filesize
52KB

Download
memory/1116-75-0x0000000000400000-0x0000000000489000-memory.dmp

Filesize
548KB

Download
memory/1116-77-0x00000000001C0000-0x00000000001CD000-memory.dmp

Filesize
52KB

Download
memory/1116-81-0x0000000010490000-0x000000001049D000-memory.dmp

Filesize
52KB

Download
memory/1116-58-0x0000000000400000-0x0000000000489000-memory.dmp

Filesize
548KB

Download
memory/1116-135-0x0000000010520000-0x000000001052D000-memory.dmp

Filesize
52KB

Download
memory/1116-99-0x00000000104C0000-0x00000000104CD000-memory.dmp

Filesize
52KB

Download
memory/1116-105-0x00000000104D0000-0x00000000104DD000-memory.dmp

Filesize
52KB

Download
memory/1116-111-0x00000000104E0000-0x00000000104ED000-memory.dmp

Filesize
52KB

Download
memory/1116-117-0x00000000104F0000-0x00000000104FD000-memory.dmp

Filesize
52KB

Download
memory/1116-123-0x0000000010500000-0x000000001050D000-memory.dmp

Filesize
52KB

Download
memory/1320-224-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1644-54-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1644-63-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1644-62-0x00000000002D0000-0x00000000002E0000-memory.dmp

Filesize
64KB

Download
memory/1644-57-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download