Analysis

  • max time kernel
    204s
  • max time network
    245s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    04-12-2022 17:53

General

  • Target
    9474af72194adbf99dfe865caf940d249797bd49a770fd3aa6ca86ed6a44866c.exe
  • Size
    422KB
  • MD5
    6134ce5d2a2af878afbbf9874343d8eb
  • SHA1
    6a8bde4b754f45a76f55fec8f52d6aab6b09fc94
  • SHA256
    9474af72194adbf99dfe865caf940d249797bd49a770fd3aa6ca86ed6a44866c
  • SHA512
    e2101bb2ba458a893999870b82b0b3fedd434590dff61d8bdf6553f220f1425d4cba06986941d986ae46d22ecbd88a7d014b4a56346b099c055f2cc1eaac6dc0
  • SSDEEP
    12288:p9feipGHJX1/clmkF0lJkvMAMkERLW4r9:LeipKJXW12k5MkElv9

Score
10/10

Signatures

  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
  • Modifies security service 2 TTPs 1 IoCs
  • Executes dropped EXE 1 IoCs
  • UPX packed file 4 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Program crash 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 5 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\9474af72194adbf99dfe865caf940d249797bd49a770fd3aa6ca86ed6a44866c.exe
    "C:\Users\Admin\AppData\Local\Temp\9474af72194adbf99dfe865caf940d249797bd49a770fd3aa6ca86ed6a44866c.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:344
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 344 -s 908
      2⤵
      • Program crash
      PID:4668
    • C:\ProgramData\eP02401PoCiE02401\eP02401PoCiE02401.exe
      "C:\ProgramData\eP02401PoCiE02401\eP02401PoCiE02401.exe" "C:\Users\Admin\AppData\Local\Temp\9474af72194adbf99dfe865caf940d249797bd49a770fd3aa6ca86ed6a44866c.exe"
      2⤵
      • Modifies security service
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of AdjustPrivilegeToken
      PID:1844
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 1844 -s 904
        3⤵
        • Program crash
        PID:2236
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 344 -ip 344
    1⤵
    PID:532
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 1844 -ip 1844
    1⤵
    PID:2744
  • C:\Windows\system32\sihost.exe
    sihost.exe
    1⤵
    PID:3104
  • C:\Windows\system32\sihost.exe
    sihost.exe
    1⤵
    • Suspicious use of FindShellTrayWindow
    PID:3172
  • C:\Windows\system32\sihost.exe
    sihost.exe
    1⤵
    • Suspicious use of FindShellTrayWindow
    PID:3260
  • C:\Windows\system32\sihost.exe
    sihost.exe
    1⤵
    • Suspicious use of FindShellTrayWindow
    PID:4112
  • C:\Windows\system32\sihost.exe
    sihost.exe
    1⤵
    • Suspicious use of FindShellTrayWindow
    PID:3612
  • C:\Windows\system32\sihost.exe
    sihost.exe
    1⤵
    • Suspicious use of FindShellTrayWindow
    PID:4544
  • C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
    "C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
    1⤵
    PID:1112

MITRE ATT&CK Matrix (ATT&CK v6)

  • Persistence
    • T1004 Winlogon Helper DLL (1)
    • T1031 Modify Existing Service (1)
    • T1060 Registry Run Keys / Startup Folder (1)
  • Defense Evasion
    • T1112 Modify Registry (3)


Downloads

  • C:\ProgramData\eP02401PoCiE02401\eP02401PoCiE02401.exe
    Filesize
    422KB
    MD5
    32dff7ffc6d05b23e3f7b666d58f5cf7
    SHA1
    5649c1b1e63fbd80be8ecf0d191df96d67f6bfc9
    SHA256
    8b66529e7f6b99d019de4bb23f2a35f7e2a45538e0897ea42bdc48dce2ee45de
    SHA512
    1b222bf7001165e19b8c5722c26f8fd07db3bc58eb4ad4c302c3de80c152c5700020c8720fb55bb6d82473345359709b35f0558ef343a3f65bcefea7a528424d
  • memory/344-132-0x00000000007B0000-0x00000000007B3000-memory.dmp
    Filesize
    12KB
  • memory/344-133-0x0000000000400000-0x00000000004D2000-memory.dmp
    Filesize
    840KB
  • memory/344-134-0x0000000000400000-0x00000000004D2000-memory.dmp
    Filesize
    840KB
  • memory/344-138-0x0000000000400000-0x00000000004D2000-memory.dmp
    Filesize
    840KB
  • memory/1844-135-0x0000000000000000-mapping.dmp
  • memory/1844-139-0x0000000000400000-0x00000000004D2000-memory.dmp
    Filesize
    840KB