Overview

overview

8

Static

static

eddf40f72b...e6.exe

windows7-x64

8

eddf40f72b...e6.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    105s
  • max time network
    175s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    04-12-2022 13:13

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    eddf40f72b8448daf606a4610455c7ca23849c2cb52c99ccec1af6b42d9b5ae6.exe

  • Size

    119KB

  • MD5

    437ecba23d5c8e3f29f339d465d6ec39

  • SHA1

    45ff1c3170928b00f6c5be8a75b74bfa5d8e765e

  • SHA256

    eddf40f72b8448daf606a4610455c7ca23849c2cb52c99ccec1af6b42d9b5ae6

  • SHA512

    e4cb6d0e9431d3015d9bb1a2afa9d46f1b7a9caa98f78ebec1338e18175de51b7bb82dfa248021fa2b8dc94e3be4ca1753177180aaa9e9e10c971bdf64bffaff

  • SSDEEP

    1536:oxeVpCft4veetkv3CLarDgiF9rd/dTXRHiYRkW1Q0B9LslJY/6eLn:HVpCmIv3BrDXFTFHOSQ0B9YlJVeT

Score
8/10
persistenceupx

Malware Config

Signatures

  • Adds policy Run key to start application 2 TTPs 4 IoCs
    persistence
  • Modifies Installed Components in the registry 2 TTPs 2 IoCs
    persistence
  • UPX packed file 30 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Drops file in System32 directory 6 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\system32\lsass.exe
    C:\Windows\system32\lsass.exe
    1⤵
      PID:672
    • C:\Windows\system32\winlogon.exe
      winlogon.exe
      1⤵
        PID:608
        • C:\Windows\system32\fontdrvhost.exe
          "fontdrvhost.exe"
          2⤵
            PID:780
          • C:\Windows\system32\dwm.exe
            "dwm.exe"
            2⤵
              PID:64
          • C:\Windows\system32\svchost.exe
            C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
            1⤵
              PID:508
            • C:\Windows\system32\svchost.exe
              C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
              1⤵
                PID:1040
              • C:\Windows\system32\svchost.exe
                C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
                1⤵
                  PID:1108
                  • C:\Windows\system32\taskhostw.exe
                    taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
                    2⤵
                      PID:2868
                  • C:\Windows\system32\svchost.exe
                    C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
                    1⤵
                      PID:1200
                    • C:\Windows\system32\svchost.exe
                      C:\Windows\system32\svchost.exe -k LocalServiceNoNetworkFirewall -p
                      1⤵
                        PID:1700
                      • C:\Windows\system32\svchost.exe
                        C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
                        1⤵
                          PID:2500
                        • C:\Windows\System32\RuntimeBroker.exe
                          C:\Windows\System32\RuntimeBroker.exe -Embedding
                          1⤵
                            PID:3432
                          • C:\Windows\system32\svchost.exe
                            C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
                            1⤵
                              PID:4516
                            • C:\Windows\system32\svchost.exe
                              C:\Windows\system32\svchost.exe -k LocalService -s W32Time
                              1⤵
                                PID:3700
                              • C:\Windows\system32\SppExtComObj.exe
                                C:\Windows\system32\SppExtComObj.exe -Embedding
                                1⤵
                                  PID:3936
                                • C:\Windows\system32\wbem\wmiprvse.exe
                                  C:\Windows\system32\wbem\wmiprvse.exe
                                  1⤵
                                    PID:5044
                                  • C:\Windows\system32\svchost.exe
                                    C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
                                    1⤵
                                      PID:5088
                                    • C:\Windows\system32\svchost.exe
                                      C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
                                      1⤵
                                        PID:3076
                                      • C:\Windows\System32\svchost.exe
                                        C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
                                        1⤵
                                          PID:2336
                                        • C:\Windows\System32\svchost.exe
                                          C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
                                          1⤵
                                            PID:2084
                                          • C:\Windows\System32\svchost.exe
                                            C:\Windows\System32\svchost.exe -k netsvcs -p
                                            1⤵
                                              PID:3100
                                            • C:\Windows\System32\RuntimeBroker.exe
                                              C:\Windows\System32\RuntimeBroker.exe -Embedding
                                              1⤵
                                                PID:4644
                                              • C:\Windows\system32\DllHost.exe
                                                C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
                                                1⤵
                                                  PID:4440
                                                • C:\Windows\System32\RuntimeBroker.exe
                                                  C:\Windows\System32\RuntimeBroker.exe -Embedding
                                                  1⤵
                                                    PID:3684
                                                  • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
                                                    "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
                                                    1⤵
                                                      PID:3524
                                                    • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
                                                      "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
                                                      1⤵
                                                        PID:3368
                                                      • C:\Windows\system32\DllHost.exe
                                                        C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
                                                        1⤵
                                                          PID:3268
                                                        • C:\Windows\system32\svchost.exe
                                                          C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
                                                          1⤵
                                                            PID:1708
                                                          • C:\Windows\Explorer.EXE
                                                            C:\Windows\Explorer.EXE
                                                            1⤵
                                                              PID:684
                                                              • C:\Users\Admin\AppData\Local\Temp\eddf40f72b8448daf606a4610455c7ca23849c2cb52c99ccec1af6b42d9b5ae6.exe
                                                                "C:\Users\Admin\AppData\Local\Temp\eddf40f72b8448daf606a4610455c7ca23849c2cb52c99ccec1af6b42d9b5ae6.exe"
                                                                2⤵
                                                                • Suspicious use of SetThreadContext
                                                                • Suspicious use of WriteProcessMemory
                                                                PID:4384
                                                                • C:\Users\Admin\AppData\Local\Temp\eddf40f72b8448daf606a4610455c7ca23849c2cb52c99ccec1af6b42d9b5ae6.exe
                                                                  C:\Users\Admin\AppData\Local\Temp\eddf40f72b8448daf606a4610455c7ca23849c2cb52c99ccec1af6b42d9b5ae6.exe
                                                                  3⤵
                                                                  • Suspicious behavior: EnumeratesProcesses
                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                  • Suspicious use of FindShellTrayWindow
                                                                  • Suspicious use of WriteProcessMemory
                                                                  PID:3720
                                                                  • C:\Windows\SysWOW64\explorer.exe
                                                                    explorer.exe
                                                                    4⤵
                                                                    • Adds policy Run key to start application
                                                                    • Modifies Installed Components in the registry
                                                                    • Adds Run key to start application
                                                                    • Drops file in System32 directory
                                                                    • Suspicious behavior: GetForegroundWindowSpam
                                                                    • Suspicious use of AdjustPrivilegeToken
                                                                    PID:4844
                                                            • C:\Windows\system32\svchost.exe
                                                              C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
                                                              1⤵
                                                                PID:2820
                                                              • C:\Windows\system32\sihost.exe
                                                                sihost.exe
                                                                1⤵
                                                                  PID:2768
                                                                • C:\Windows\system32\svchost.exe
                                                                  C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
                                                                  1⤵
                                                                    PID:2512
                                                                  • C:\Windows\System32\svchost.exe
                                                                    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
                                                                    1⤵
                                                                      PID:2480
                                                                    • C:\Windows\system32\svchost.exe
                                                                      C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
                                                                      1⤵
                                                                        PID:2488
                                                                      • C:\Windows\system32\svchost.exe
                                                                        C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
                                                                        1⤵
                                                                          PID:2416
                                                                        • C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
                                                                          "C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
                                                                          1⤵
                                                                            PID:2400
                                                                          • C:\Windows\system32\svchost.exe
                                                                            C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
                                                                            1⤵
                                                                              PID:2304
                                                                            • C:\Windows\system32\svchost.exe
                                                                              C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
                                                                              1⤵
                                                                                PID:2296
                                                                              • C:\Windows\System32\svchost.exe
                                                                                C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
                                                                                1⤵
                                                                                  PID:2112
                                                                                • C:\Windows\System32\svchost.exe
                                                                                  C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
                                                                                  1⤵
                                                                                    PID:1316
                                                                                  • C:\Windows\System32\spoolsv.exe
                                                                                    C:\Windows\System32\spoolsv.exe
                                                                                    1⤵
                                                                                      PID:1292
                                                                                    • C:\Windows\system32\svchost.exe
                                                                                      C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
                                                                                      1⤵
                                                                                        PID:1988
                                                                                      • C:\Windows\System32\svchost.exe
                                                                                        C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
                                                                                        1⤵
                                                                                          PID:1948
                                                                                        • C:\Windows\System32\svchost.exe
                                                                                          C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
                                                                                          1⤵
                                                                                            PID:1884
                                                                                          • C:\Windows\system32\svchost.exe
                                                                                            C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
                                                                                            1⤵
                                                                                              PID:1876
                                                                                            • C:\Windows\System32\svchost.exe
                                                                                              C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
                                                                                              1⤵
                                                                                                PID:1820
                                                                                              • C:\Windows\System32\svchost.exe
                                                                                                C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
                                                                                                1⤵
                                                                                                  PID:1768
                                                                                                • C:\Windows\system32\svchost.exe
                                                                                                  C:\Windows\system32\svchost.exe -k LocalService -p -s FontCache
                                                                                                  1⤵
                                                                                                    PID:1668
                                                                                                  • C:\Windows\System32\svchost.exe
                                                                                                    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
                                                                                                    1⤵
                                                                                                      PID:1652
                                                                                                    • C:\Windows\System32\svchost.exe
                                                                                                      C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
                                                                                                      1⤵
                                                                                                        PID:1640
                                                                                                      • C:\Windows\system32\svchost.exe
                                                                                                        C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
                                                                                                        1⤵
                                                                                                          PID:1568
                                                                                                        • C:\Windows\system32\svchost.exe
                                                                                                          C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
                                                                                                          1⤵
                                                                                                            PID:1544
                                                                                                          • C:\Windows\system32\svchost.exe
                                                                                                            C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
                                                                                                            1⤵
                                                                                                              PID:1448
                                                                                                            • C:\Windows\System32\svchost.exe
                                                                                                              C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
                                                                                                              1⤵
                                                                                                                PID:1408
                                                                                                              • C:\Windows\system32\svchost.exe
                                                                                                                C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
                                                                                                                1⤵
                                                                                                                  PID:1400
                                                                                                                • C:\Windows\system32\svchost.exe
                                                                                                                  C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
                                                                                                                  1⤵
                                                                                                                    PID:1348
                                                                                                                  • C:\Windows\System32\svchost.exe
                                                                                                                    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
                                                                                                                    1⤵
                                                                                                                      PID:1260
                                                                                                                    • C:\Windows\system32\svchost.exe
                                                                                                                      C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
                                                                                                                      1⤵
                                                                                                                        PID:1248
                                                                                                                      • C:\Windows\System32\svchost.exe
                                                                                                                        C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
                                                                                                                        1⤵
                                                                                                                          PID:1048
                                                                                                                        • C:\Windows\system32\svchost.exe
                                                                                                                          C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork -p
                                                                                                                          1⤵
                                                                                                                            PID:920
                                                                                                                          • C:\Windows\System32\svchost.exe
                                                                                                                            C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
                                                                                                                            1⤵
                                                                                                                              PID:656
                                                                                                                            • C:\Windows\system32\svchost.exe
                                                                                                                              C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
                                                                                                                              1⤵
                                                                                                                                PID:948
                                                                                                                              • C:\Windows\system32\svchost.exe
                                                                                                                                C:\Windows\system32\svchost.exe -k RPCSS -p
                                                                                                                                1⤵
                                                                                                                                  PID:904
                                                                                                                                • C:\Windows\system32\svchost.exe
                                                                                                                                  C:\Windows\system32\svchost.exe -k DcomLaunch -p
                                                                                                                                  1⤵
                                                                                                                                    PID:796
                                                                                                                                  • C:\Windows\system32\fontdrvhost.exe
                                                                                                                                    "fontdrvhost.exe"
                                                                                                                                    1⤵
                                                                                                                                      PID:788

                                                                                                                                    Network

                                                                                                                                    MITRE ATT&CK Enterprise v6

                                                                                                                                    Replay Monitor

                                                                                                                                    Loading Replay Monitor...

                                                                                                                                    Downloads

                                                                                                                                    • memory/3720-206-0x00000000104F0000-0x00000000104FD000-memory.dmp

                                                                                                                                      Filesize

                                                                                                                                      52KB

                                                                                                                                      Download

                                                                                                                                    • memory/3720-198-0x00000000104D0000-0x00000000104DD000-memory.dmp

                                                                                                                                      Filesize

                                                                                                                                      52KB

                                                                                                                                      Download

                                                                                                                                    • memory/3720-135-0x0000000000400000-0x0000000000425000-memory.dmp

                                                                                                                                      Filesize

                                                                                                                                      148KB

                                                                                                                                      Download

                                                                                                                                    • memory/3720-136-0x0000000000400000-0x0000000000425000-memory.dmp

                                                                                                                                      Filesize

                                                                                                                                      148KB

                                                                                                                                      Download

                                                                                                                                    • memory/3720-138-0x0000000010410000-0x0000000010446000-memory.dmp

                                                                                                                                      Filesize

                                                                                                                                      216KB

                                                                                                                                      Download

                                                                                                                                    • memory/3720-141-0x0000000000400000-0x0000000000425000-memory.dmp

                                                                                                                                      Filesize

                                                                                                                                      148KB

                                                                                                                                      Download

                                                                                                                                    • memory/3720-174-0x00000000022A0000-0x00000000022AD000-memory.dmp

                                                                                                                                      Filesize

                                                                                                                                      52KB

                                                                                                                                      Download

                                                                                                                                    • memory/3720-144-0x0000000010450000-0x0000000010486000-memory.dmp

                                                                                                                                      Filesize

                                                                                                                                      216KB

                                                                                                                                      Download

                                                                                                                                    • memory/3720-166-0x0000000000500000-0x000000000050D000-memory.dmp

                                                                                                                                      Filesize

                                                                                                                                      52KB

                                                                                                                                      Download

                                                                                                                                    • memory/3720-149-0x00000000004C0000-0x00000000004CD000-memory.dmp

                                                                                                                                      Filesize

                                                                                                                                      52KB

                                                                                                                                      Download

                                                                                                                                    • memory/3720-153-0x00000000004D0000-0x00000000004DD000-memory.dmp

                                                                                                                                      Filesize

                                                                                                                                      52KB

                                                                                                                                      Download

                                                                                                                                    • memory/3720-170-0x00000000009E0000-0x00000000009ED000-memory.dmp

                                                                                                                                      Filesize

                                                                                                                                      52KB

                                                                                                                                      Download

                                                                                                                                    • memory/3720-158-0x00000000004E0000-0x00000000004ED000-memory.dmp

                                                                                                                                      Filesize

                                                                                                                                      52KB

                                                                                                                                      Download

                                                                                                                                    • memory/3720-162-0x00000000004F0000-0x00000000004FD000-memory.dmp

                                                                                                                                      Filesize

                                                                                                                                      52KB

                                                                                                                                      Download

                                                                                                                                    • memory/3720-285-0x0000000000400000-0x0000000000425000-memory.dmp

                                                                                                                                      Filesize

                                                                                                                                      148KB

                                                                                                                                      Download

                                                                                                                                    • memory/3720-287-0x0000000000400000-0x0000000000425000-memory.dmp

                                                                                                                                      Filesize

                                                                                                                                      148KB

                                                                                                                                      Download

                                                                                                                                    • memory/3720-218-0x0000000010520000-0x000000001052D000-memory.dmp

                                                                                                                                      Filesize

                                                                                                                                      52KB

                                                                                                                                      Download

                                                                                                                                    • memory/3720-178-0x0000000010490000-0x000000001049D000-memory.dmp

                                                                                                                                      Filesize

                                                                                                                                      52KB

                                                                                                                                      Download

                                                                                                                                    • memory/3720-182-0x00000000022B0000-0x00000000022BD000-memory.dmp

                                                                                                                                      Filesize

                                                                                                                                      52KB

                                                                                                                                      Download

                                                                                                                                    • memory/3720-186-0x00000000104A0000-0x00000000104AD000-memory.dmp

                                                                                                                                      Filesize

                                                                                                                                      52KB

                                                                                                                                      Download

                                                                                                                                    • memory/3720-190-0x00000000104B0000-0x00000000104BD000-memory.dmp

                                                                                                                                      Filesize

                                                                                                                                      52KB

                                                                                                                                      Download

                                                                                                                                    • memory/3720-194-0x00000000104C0000-0x00000000104CD000-memory.dmp

                                                                                                                                      Filesize

                                                                                                                                      52KB

                                                                                                                                      Download

                                                                                                                                    • memory/3720-133-0x0000000000400000-0x0000000000425000-memory.dmp

                                                                                                                                      Filesize

                                                                                                                                      148KB

                                                                                                                                      Download

                                                                                                                                    • memory/3720-202-0x00000000104E0000-0x00000000104ED000-memory.dmp

                                                                                                                                      Filesize

                                                                                                                                      52KB

                                                                                                                                      Download

                                                                                                                                    • memory/3720-132-0x0000000000000000-mapping.dmp

                                                                                                                                      Download

                                                                                                                                    • memory/3720-210-0x0000000010500000-0x000000001050D000-memory.dmp

                                                                                                                                      Filesize

                                                                                                                                      52KB

                                                                                                                                      Download

                                                                                                                                    • memory/3720-214-0x0000000010510000-0x000000001051D000-memory.dmp

                                                                                                                                      Filesize

                                                                                                                                      52KB

                                                                                                                                      Download

                                                                                                                                    • memory/4844-143-0x0000000000000000-mapping.dmp

                                                                                                                                      Download

                                                                                                                                    • memory/4844-288-0x0000000010450000-0x0000000010486000-memory.dmp

                                                                                                                                      Filesize

                                                                                                                                      216KB

                                                                                                                                      Download

                                                                                                                                    • memory/4844-156-0x0000000010450000-0x0000000010486000-memory.dmp

                                                                                                                                      Filesize

                                                                                                                                      216KB

                                                                                                                                      Download

                                                                                                                                    • memory/4844-289-0x00000000108A0000-0x00000000108AD000-memory.dmp

                                                                                                                                      Filesize

                                                                                                                                      52KB

                                                                                                                                      Download

                                                                                                                                    • memory/4844-147-0x0000000010450000-0x0000000010486000-memory.dmp

                                                                                                                                      Filesize

                                                                                                                                      216KB

                                                                                                                                      Download