Overview

overview

10

Static

static

e6fbccdb81...f1.exe

windows7-x64

10

e6fbccdb81...f1.exe

windows10-2004-x64

4

Analysis

  • max time kernel
    151s
  • max time network
    155s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    06/12/2022, 16:49

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    e6fbccdb81b4f21153179b2de90e55d57151bbb11517ae8c1b9ba38a257b51f1.exe

  • Size

    102KB

  • MD5

    9d348dc7131d3ac0d745e7b51909ff42

  • SHA1

    06e367142435f0e084641bfaf5479e884f6ec904

  • SHA256

    e6fbccdb81b4f21153179b2de90e55d57151bbb11517ae8c1b9ba38a257b51f1

  • SHA512

    be6254e921fad7c22fc3edc7a5452c1f1441f5250a3ffd9d5df93c2fb16a6bfe6a9a6b24d29ec8529c72bb4bc29d65dff6c42e9b3b23613096b0966bec41afd6

  • SSDEEP

    1536:4NaFYEa2VNW2zdec4ctsQQzwcKp8OEDYKTCwHGAeZYxUrvKKbQGcYsxO4Q1pEunE:ayYEaINW2zdtFU9CPAehjxjsvo9pi

Score
10/10
evasionpersistence

Malware Config

Signatures

  • Modifies firewall policy service 2 TTPs 6 IoCs
    evasion
  • Executes dropped EXE 1 IoCs
  • Deletes itself 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 12 IoCs
    persistence
  • Drops file in Windows directory 24 IoCs
  • NTFS ADS 2 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\e6fbccdb81b4f21153179b2de90e55d57151bbb11517ae8c1b9ba38a257b51f1.exe
    "C:\Users\Admin\AppData\Local\Temp\e6fbccdb81b4f21153179b2de90e55d57151bbb11517ae8c1b9ba38a257b51f1.exe"
    1⤵
    • Modifies firewall policy service
    • Loads dropped DLL
    • Adds Run key to start application
    • Drops file in Windows directory
    • NTFS ADS
    • Suspicious use of WriteProcessMemory
    PID:1460
    • C:\Users\Admin\AppData\Roaming\csrss.exe
      C:\Users\Admin\AppData\Roaming\csrss.exe
      2⤵
      • Modifies firewall policy service
      • Executes dropped EXE
      • Deletes itself
      • Adds Run key to start application
      • Drops file in Windows directory
      • NTFS ADS
      PID:1360

Network

        MITRE ATT&CK Enterprise v6

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Roaming\System32\rundll32.exe
          Filesize

          102KB

          MD5

          9d348dc7131d3ac0d745e7b51909ff42

          SHA1

          06e367142435f0e084641bfaf5479e884f6ec904

          SHA256

          e6fbccdb81b4f21153179b2de90e55d57151bbb11517ae8c1b9ba38a257b51f1

          SHA512

          be6254e921fad7c22fc3edc7a5452c1f1441f5250a3ffd9d5df93c2fb16a6bfe6a9a6b24d29ec8529c72bb4bc29d65dff6c42e9b3b23613096b0966bec41afd6

          Download Submit

        • C:\Users\Admin\AppData\Roaming\System32\svchost.exe
          Filesize

          102KB

          MD5

          9d348dc7131d3ac0d745e7b51909ff42

          SHA1

          06e367142435f0e084641bfaf5479e884f6ec904

          SHA256

          e6fbccdb81b4f21153179b2de90e55d57151bbb11517ae8c1b9ba38a257b51f1

          SHA512

          be6254e921fad7c22fc3edc7a5452c1f1441f5250a3ffd9d5df93c2fb16a6bfe6a9a6b24d29ec8529c72bb4bc29d65dff6c42e9b3b23613096b0966bec41afd6

          Download Submit

        • C:\Users\Admin\AppData\Roaming\csrss.exe
          Filesize

          102KB

          MD5

          9d348dc7131d3ac0d745e7b51909ff42

          SHA1

          06e367142435f0e084641bfaf5479e884f6ec904

          SHA256

          e6fbccdb81b4f21153179b2de90e55d57151bbb11517ae8c1b9ba38a257b51f1

          SHA512

          be6254e921fad7c22fc3edc7a5452c1f1441f5250a3ffd9d5df93c2fb16a6bfe6a9a6b24d29ec8529c72bb4bc29d65dff6c42e9b3b23613096b0966bec41afd6

          Download Submit

        • C:\Users\Admin\AppData\Roaming\csrss.exe
          Filesize

          102KB

          MD5

          9d348dc7131d3ac0d745e7b51909ff42

          SHA1

          06e367142435f0e084641bfaf5479e884f6ec904

          SHA256

          e6fbccdb81b4f21153179b2de90e55d57151bbb11517ae8c1b9ba38a257b51f1

          SHA512

          be6254e921fad7c22fc3edc7a5452c1f1441f5250a3ffd9d5df93c2fb16a6bfe6a9a6b24d29ec8529c72bb4bc29d65dff6c42e9b3b23613096b0966bec41afd6

          Download Submit

        • C:\Windows\0P;{#G1^necp 2
          Filesize

          1KB

          MD5

          7c9a178ad6033e3d1cf56445e2ad98e3

          SHA1

          56f186cabcff730d6056077d994bbf5e339bd7af

          SHA256

          d27623517ce283389c30d5f5721b0cf98a1ebc3712763beae4b999b31562a7ef

          SHA512

          733332ad0e5ec0706307bfcc4c8284b5a0c1f771b89a456aab15eb25365ef0bcd74bd4f611028d1b8079cd906b7af6fb73ee156ad42c495cc5d358d0c30a1803

          Download Submit

        • C:\Windows\[5!1I^4vBqG}mK,7;gHd
          Filesize

          2KB

          MD5

          badd2778a0c20a6158aad52c2848d4f7

          SHA1

          e558b10177202f17856a859fdb225c4fb12cf986

          SHA256

          c36694fa35c933297f0f1b7dfabfefaae850859cf17f09bfaebb698d25b836a5

          SHA512

          088d14402b4c7d9325667d927055ea3807fc02177e7cc4e87edee5db73127569b9fdd63200679985a05e2c381df78c9ef2ef7780350b3e46ead4274ee14a609a

          Download Submit

        • C:\Windows\kiM5suI1b,
          Filesize

          1KB

          MD5

          4ad0b6ef25103217e3c04bb518bac813

          SHA1

          bd133ab5a72320af5f559ec87171c3b153827d6d

          SHA256

          8a5bf7e6c91a910d0389d373cc71e0575f2581d90ab2645fb9a89ec60d7f3d3a

          SHA512

          5f12b4c253ce770e4b824384dd7ecb739934ce0d5f89b9d76b14f43700739cea6d60414da091f34b998644b202163d5daaa2c3924d3fba9e99a2acb5529254fe

          Download Submit

        • C:\Windows\v+'PE1 )%Hr-4
          Filesize

          633B

          MD5

          8e443d69077aed07f601508cb74f1c90

          SHA1

          02a8d4a1827d099fa464ab6ced046d24962de7ba

          SHA256

          07ed340a37a9fd47a5a98a386b3d58b262bde3f7a4a0dc780a63d3c2d81abe2f

          SHA512

          962693b864d0d2ac71759a56815a427a858a174fa0495114fb9abdca0d02402584473c466f0c650bbd77e163355ab415951a7daa3752073158f45dfa612f8c5f

          Download Submit

        • \Users\Admin\AppData\Roaming\csrss.exe
          Filesize

          102KB

          MD5

          9d348dc7131d3ac0d745e7b51909ff42

          SHA1

          06e367142435f0e084641bfaf5479e884f6ec904

          SHA256

          e6fbccdb81b4f21153179b2de90e55d57151bbb11517ae8c1b9ba38a257b51f1

          SHA512

          be6254e921fad7c22fc3edc7a5452c1f1441f5250a3ffd9d5df93c2fb16a6bfe6a9a6b24d29ec8529c72bb4bc29d65dff6c42e9b3b23613096b0966bec41afd6

          Download Submit

        • \Users\Admin\AppData\Roaming\csrss.exe
          Filesize

          102KB

          MD5

          9d348dc7131d3ac0d745e7b51909ff42

          SHA1

          06e367142435f0e084641bfaf5479e884f6ec904

          SHA256

          e6fbccdb81b4f21153179b2de90e55d57151bbb11517ae8c1b9ba38a257b51f1

          SHA512

          be6254e921fad7c22fc3edc7a5452c1f1441f5250a3ffd9d5df93c2fb16a6bfe6a9a6b24d29ec8529c72bb4bc29d65dff6c42e9b3b23613096b0966bec41afd6

          Download Submit

        • memory/1360-94-0x0000000000400000-0x000000000043A000-memory.dmp

          Filesize

          232KB

          Download

        • memory/1360-98-0x0000000000400000-0x000000000043A000-memory.dmp

          Filesize

          232KB

          Download

        • memory/1460-54-0x0000000075831000-0x0000000075833000-memory.dmp

          Filesize

          8KB

          Download

        • memory/1460-62-0x0000000000400000-0x000000000043A000-memory.dmp

          Filesize

          232KB

          Download

        • memory/1460-61-0x0000000000400000-0x000000000043A000-memory.dmp

          Filesize

          232KB

          Download

        • memory/1460-92-0x0000000002230000-0x000000000226A000-memory.dmp

          Filesize

          232KB

          Download

        • memory/1460-93-0x0000000002230000-0x000000000226A000-memory.dmp

          Filesize

          232KB

          Download

        • memory/1460-95-0x0000000000400000-0x000000000043A000-memory.dmp

          Filesize

          232KB

          Download

        • memory/1460-56-0x0000000000400000-0x000000000043A000-memory.dmp

          Filesize

          232KB

          Download

        • memory/1460-55-0x0000000000400000-0x000000000043A000-memory.dmp

          Filesize

          232KB

          Download