Analysis

  • max time kernel
    47s
  • max time network
    52s
  • platform
    windows7_x64
  • resource
    win7-20220901-en
  • resource tags

    arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system
  • submitted
    06-12-2022 13:18

General

  • Target

    fe4b50fecb15897d058be7ae401d5d50a093eb4edadfbc896e81ac0ee42000ee.exe

  • Size

    17KB

  • MD5

    31eb00e4884b371aaa5302699e0e6f75

  • SHA1

    45ba700180d087e003a61bd17e8a9034a39d879d

  • SHA256

    fe4b50fecb15897d058be7ae401d5d50a093eb4edadfbc896e81ac0ee42000ee

  • SHA512

    862a4e7faa9c958375ec1276e7c04daf051a531a680c82b44e110fba20833b81e740be6cd052285637d5043fc2939dadcba51184e672edda3e2ca57ea138835c

  • SSDEEP

    384:YHpwViqRd2ca4VoJOxXnV8sLUlGCmrRQXSvYEQECaNJawcudoD7UB:YHoq/kmsgMCG+XSHTjnbcuyD7U

Score
8/10

Malware Config

Signatures

  • Drops file in Drivers directory 1 IoCs
  • Sets file to hidden 1 TTPs 4 IoCs

    Modifies file attributes to stop it showing in Explorer etc.

  • UPX packed file 1 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Loads dropped DLL 1 IoCs
  • Gathers network information 2 TTPs 1 IoCs

    Uses commandline utility to view network configuration.

  • Suspicious use of WriteProcessMemory 40 IoCs
  • Views/modifies file attributes 1 TTPs 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\fe4b50fecb15897d058be7ae401d5d50a093eb4edadfbc896e81ac0ee42000ee.exe
    "C:\Users\Admin\AppData\Local\Temp\fe4b50fecb15897d058be7ae401d5d50a093eb4edadfbc896e81ac0ee42000ee.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:960
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\F529.tmp\bnm2.bat""
      2⤵
      • Drops file in Drivers directory
      • Suspicious use of WriteProcessMemory
      PID:1344
      • C:\Windows\SysWOW64\attrib.exe
        attrib -a -s -h -r C:\Windows\system32\drivers\etc\hosts
        3⤵
        • Views/modifies file attributes
        PID:1760
      • C:\Windows\SysWOW64\attrib.exe
        attrib -a -s -h -r C:\Windows\system32\drivers\hosts
        3⤵
        • Views/modifies file attributes
        PID:280
      • C:\Windows\SysWOW64\attrib.exe
        attrib -a -s -h -r C:\Windows\system32\hosts
        3⤵
        • Views/modifies file attributes
        PID:904
      • C:\Windows\SysWOW64\attrib.exe
        attrib -a -s -h -r C:\Windows\hosts
        3⤵
        • Views/modifies file attributes
        PID:1636
      • C:\Windows\SysWOW64\attrib.exe
        attrib +s +h +r C:\Windows\system32\drivers\etc\hosts
        3⤵
        • Sets file to hidden
        • Views/modifies file attributes
        PID:544
      • C:\Windows\SysWOW64\attrib.exe
        attrib +s +h +r C:\Windows\hosts
        3⤵
        • Sets file to hidden
        • Views/modifies file attributes
        PID:1804
      • C:\Windows\SysWOW64\ipconfig.exe
        ipconfig /flushdns
        3⤵
        • Gathers network information
        PID:560
      • C:\Windows\SysWOW64\attrib.exe
        attrib +s +h +r C:\Windows\system32\hosts
        3⤵
        • Sets file to hidden
        • Views/modifies file attributes
        PID:432
      • C:\Windows\SysWOW64\attrib.exe
        attrib +s +h +r C:\Windows\system32\drivers\hosts
        3⤵
        • Sets file to hidden
        • Views/modifies file attributes
        PID:520
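
The process tree above is a compact hosts-file tampering sequence: a batch file dropped under the user's Temp directory clears the system/hidden/read-only bits on the hosts file, re-sets them, and flushes the DNS resolver cache. Note that only C:\Windows\system32\drivers\etc\hosts exists on a stock installation; the other three targets (system32\drivers\hosts, system32\hosts, C:\Windows\hosts) are not standard locations, and the write between the -s -h -r and +s +h +r pairs does not appear as a child process because cmd performs redirections itself. The following is an added example, not part of the sandbox report, showing detection logic for this pattern over process-creation events. The event list is constructed by hand from the tree above (field names loosely follow Sysmon Event ID 1; the report itself provides no raw events), and the finding names are this example's own.

```python
"""Detect the hosts-file tampering sequence from the process tree above.

Added example: the EVENTS list is constructed from the report's process tree,
not real telemetry. Finding labels (hosts_hidden, batch_from_temp, ...) are
names chosen for this example.
"""
import re
from collections import Counter
from typing import Dict, List, Optional, Set, Tuple

# The only hosts file Windows actually consults.
REAL_HOSTS = r"c:\windows\system32\drivers\etc\hosts"

# Constructed from the report's process tree (parent PID, PID, command line).
EVENTS: List[Dict] = [
    {"ppid": 960,  "pid": 1344, "cmd": r'cmd /c ""C:\Users\Admin\AppData\Local\Temp\F529.tmp\bnm2.bat""'},
    {"ppid": 1344, "pid": 1760, "cmd": r"attrib -a -s -h -r C:\Windows\system32\drivers\etc\hosts"},
    {"ppid": 1344, "pid": 280,  "cmd": r"attrib -a -s -h -r C:\Windows\system32\drivers\hosts"},
    {"ppid": 1344, "pid": 904,  "cmd": r"attrib -a -s -h -r C:\Windows\system32\hosts"},
    {"ppid": 1344, "pid": 1636, "cmd": r"attrib -a -s -h -r C:\Windows\hosts"},
    {"ppid": 1344, "pid": 544,  "cmd": r"attrib +s +h +r C:\Windows\system32\drivers\etc\hosts"},
    {"ppid": 1344, "pid": 1804, "cmd": r"attrib +s +h +r C:\Windows\hosts"},
    {"ppid": 1344, "pid": 560,  "cmd": r"ipconfig /flushdns"},
    {"ppid": 1344, "pid": 432,  "cmd": r"attrib +s +h +r C:\Windows\system32\hosts"},
    {"ppid": 1344, "pid": 520,  "cmd": r"attrib +s +h +r C:\Windows\system32\drivers\hosts"},
]

ATTR_FLAG = re.compile(r"^[+-][a-z]$", re.IGNORECASE)   # +s, -h, +r, -a ...


def parse_attrib(cmd: str) -> Optional[Tuple[Set[str], Set[str], Optional[str]]]:
    """Return (flags_set, flags_cleared, target) for an attrib.exe command line.

    Returns None for any other program. Handles the unquoted single-path form
    this sample uses; paths containing spaces would need real quote handling.
    """
    tokens = cmd.strip().split()
    if not tokens:
        return None
    name = tokens[0].strip('"').lower().rsplit("\\", 1)[-1]
    if name not in ("attrib", "attrib.exe"):
        return None
    flags_set: Set[str] = set()
    flags_cleared: Set[str] = set()
    target = None
    for tok in tokens[1:]:
        if ATTR_FLAG.match(tok):
            (flags_set if tok[0] == "+" else flags_cleared).add(tok[1].lower())
        elif tok.startswith("/"):          # /S, /D, /L switches: not a path
            continue
        elif target is None:
            target = tok.strip('"')
    return flags_set, flags_cleared, target


def is_hosts_path(path: str) -> bool:
    """True for any file literally named 'hosts', real location or not."""
    return path.lower().endswith("\\hosts")


def detect(events: List[Dict]) -> List[Tuple[int, str, str]]:
    """Walk events in order and emit (pid, finding, detail) tuples."""
    findings: List[Tuple[int, str, str]] = []
    tampered_parents: Set[int] = set()     # shells that already touched a hosts file
    for ev in events:
        cmd, low = ev["cmd"], ev["cmd"].lower()
        # Batch script executed out of the user's Temp directory.
        if low.startswith("cmd") and ".bat" in low and "\\appdata\\local\\temp\\" in low:
            findings.append((ev["pid"], "batch_from_temp", cmd))
        parsed = parse_attrib(cmd)
        if parsed and parsed[2] and is_hosts_path(parsed[2]):
            flags_set, flags_cleared, target = parsed
            tampered_parents.add(ev["ppid"])
            if flags_cleared & {"s", "h", "r"}:      # protection bits stripped before a write
                findings.append((ev["pid"], "hosts_protection_cleared", target))
            if flags_set & {"s", "h"}:               # file hidden again afterwards
                findings.append((ev["pid"], "hosts_hidden", target))
            if target.lower() != REAL_HOSTS:         # decoy / non-standard hosts location
                findings.append((ev["pid"], "nonstandard_hosts_path", target))
        # Resolver cache flush by a shell that already tampered with hosts:
        # makes the new entries take effect immediately.
        if "ipconfig" in low and "/flushdns" in low and ev["ppid"] in tampered_parents:
            findings.append((ev["pid"], "dns_cache_flushed_after_hosts_tamper", cmd))
    return findings


def summarize(findings: List[Tuple[int, str, str]]) -> Dict[str, int]:
    """Count findings per label; handy as the body of an alert."""
    return dict(Counter(label for _, label, _ in findings))


if __name__ == "__main__":
    for pid, label, detail in detect(EVENTS):
        print(f"{pid:>5}  {label:<36} {detail}")
    print(summarize(detect(EVENTS)))
```

Two points about the design: the hide/unhide bracket is the observable part of the sequence, so the rule keys on attrib targeting a file named hosts rather than on the write itself, which a file-integrity check on drivers\etc\hosts has to cover; and the flushdns finding is only raised for a parent that already touched a hosts file, because ipconfig /flushdns on its own is common benign activity.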

Network

MITRE ATT&CK Enterprise v6


Downloads

  • C:\Users\Admin\AppData\Local\Temp\F529.tmp\bnm2.bat

    Filesize

    5KB

    MD5

    9e80a79d25b637efe0296afc170b076d

    SHA1

    ebbc541478ab9ee46101a6b410a1bb5a2f7d7bba

    SHA256

    7d647475d092c3babc6b75def1af0bfd36386658fcdb0b1aa7136030add3fa8d

    SHA512

    8a16eac5952406a333e54af152756c07a7fb1e22c77c69069fa96671ae90ac0a933564d10de754f98a3e3e33bed105f942de161968cad40bff5cc94f6508bc88

  • \Users\Admin\AppData\Local\Temp\F529.tmp\b2e.dll

    Filesize

    31KB

    MD5

    7b860f28be19d4aef761fb991134a556

    SHA1

    0658a7456d0234dcca598b6ee599fe134d0ecd61

    SHA256

    57a2586d73188a694944c7da60c78380f82fac46452ed1a31c818ceb93e660bc

    SHA512

    a0685a25cbc3fff74aa4ad538ade5282242980f07fe1171e01644e0fa98e1ec6adc87b943290983f6fb5070d26fc15d697ae31a1f570e83e504ae1e4508aefa5

  • memory/280-59-0x0000000000000000-mapping.dmp

  • memory/432-64-0x0000000000000000-mapping.dmp

  • memory/520-63-0x0000000000000000-mapping.dmp

  • memory/544-62-0x0000000000000000-mapping.dmp

  • memory/560-66-0x0000000000000000-mapping.dmp

  • memory/904-60-0x0000000000000000-mapping.dmp

  • memory/960-68-0x0000000000400000-0x0000000000410000-memory.dmp

    Filesize

    64KB

  • memory/960-55-0x00000000757A1000-0x00000000757A3000-memory.dmp

    Filesize

    8KB

  • memory/1344-56-0x0000000000000000-mapping.dmp

  • memory/1636-61-0x0000000000000000-mapping.dmp

  • memory/1760-58-0x0000000000000000-mapping.dmp

  • memory/1804-65-0x0000000000000000-mapping.dmp