Analysis
-
max time kernel
148s -
max time network
151s -
platform
windows7_x64 -
resource
win7-20230220-en -
resource tags
-
submitted
23-03-2023 10:10
General
-
Target
EhStorAuthn.exe
-
Size
23KB
-
MD5
5db4494b7f47b0ff63c7ca90c155bcdd
-
SHA1
3f54f5f22c2232d5296440224c9c6ea7c81c86cf
-
SHA256
dc7dbc1ff34054c90a76a99c5a22fc99b8f6de49ab88f52c43c91c4e66dbcf47
-
SHA512
2f471ef4fa5b3ba46dc46f0e84eebf5af8397feb760b896af34be62f25f575242411d7d0bfd6764669346ee4a3ff6e934bbef6349dfdb47b5e889d3c2a9520f3
-
SSDEEP
384:CAI0+Fkm7SWZZYO5uez+b+hCNzfdZvJQ6tjOvRNztn9Rs0N1uy1mXpXWh9mWsm:CAI0+FNSW3YO5z+b+hCFfHJFO5RBFNse
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
-
Loads dropped DLL 1 IoCs
-
UPX packed file 10 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Drops file in System32 directory 1 IoCs
-
Drops file in Windows directory 2 IoCs
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Suspicious behavior: RenamesItself 1 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\EhStorAuthn.exe"C:\Users\Admin\AppData\Local\Temp\EhStorAuthn.exe"1⤵
- Drops file in Windows directory
- Suspicious behavior: RenamesItself
-
C:\Windows\ywkkso.exeC:\Windows\ywkkso.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Checks processor information in registry
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
12KB
MD5de61de242b5500304af17e4661100ea5
SHA1ed6c1fce0696ce100a93f2d3cea83a0475947e4f
SHA2563c373fde7222d1e3c5a13339d37f3b5752374210ae09974b4f17baa261c3b9a5
SHA512b393464bfd694bb314cf9c8f3d19ab6750cc65d9e3506c1b91a8658a227e9f8614b1f65b8eaa7b7e844d7308b450e690627e3eb1a8101ca80917c62233d1473f
-
Filesize
23KB
MD55db4494b7f47b0ff63c7ca90c155bcdd
SHA13f54f5f22c2232d5296440224c9c6ea7c81c86cf
SHA256dc7dbc1ff34054c90a76a99c5a22fc99b8f6de49ab88f52c43c91c4e66dbcf47
SHA5122f471ef4fa5b3ba46dc46f0e84eebf5af8397feb760b896af34be62f25f575242411d7d0bfd6764669346ee4a3ff6e934bbef6349dfdb47b5e889d3c2a9520f3
-
Filesize
23KB
MD55db4494b7f47b0ff63c7ca90c155bcdd
SHA13f54f5f22c2232d5296440224c9c6ea7c81c86cf
SHA256dc7dbc1ff34054c90a76a99c5a22fc99b8f6de49ab88f52c43c91c4e66dbcf47
SHA5122f471ef4fa5b3ba46dc46f0e84eebf5af8397feb760b896af34be62f25f575242411d7d0bfd6764669346ee4a3ff6e934bbef6349dfdb47b5e889d3c2a9520f3
-
Filesize
12KB
MD5de61de242b5500304af17e4661100ea5
SHA1ed6c1fce0696ce100a93f2d3cea83a0475947e4f
SHA2563c373fde7222d1e3c5a13339d37f3b5752374210ae09974b4f17baa261c3b9a5
SHA512b393464bfd694bb314cf9c8f3d19ab6750cc65d9e3506c1b91a8658a227e9f8614b1f65b8eaa7b7e844d7308b450e690627e3eb1a8101ca80917c62233d1473f
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB