d1c85648be1c7edcd511fe27a8ed34ebb178a72b11e2a58ef81d84b4f316b6fe

Analysis

max time kernel
121s
max time network
125s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
21-08-2023 02:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d1c85648be1c7edcd511fe27a8ed34ebb178a72b11e2a58ef81d84b4f316b6fe.exe
Size

15.6MB
MD5

7f05d5349410fd9a46c96a2d21378ac3
SHA1

e2c962cfe695503dc8c6f82d8986738503b7fb38
SHA256

d1c85648be1c7edcd511fe27a8ed34ebb178a72b11e2a58ef81d84b4f316b6fe
SHA512

59b5e67b1e5deb43c5936002040d9ff8a1453ddb8ae115a80cdba9a66281d4f9824b8a22d84fb8dfe32460a93b484d95f57978995e7f01a793fc54fee9c9a40e
SSDEEP

393216:9OhUh8cB7XqbwdTf+6EWCgGlYr/8RIkVJUpqxO0QJC:omabwdTf+5li2bJUpt0R

Score

7^/10

upx

Malware Config

Signatures

Loads dropped DLL 1 IoCs

pid	Process
2608	d1c85648be1c7edcd511fe27a8ed34ebb178a72b11e2a58ef81d84b4f316b6fe.exe

UPX packed file 17 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2608-98-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/2608-100-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/2608-102-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/2608-103-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/2608-104-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/2608-107-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/2608-110-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/2608-113-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/2608-115-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/2608-117-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/2608-119-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/2608-121-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/2608-125-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/2608-127-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/2608-129-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/2608-136-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/2608-152-0x0000000010000000-0x000000001003E000-memory.dmp	upx

Enumerates connected drives 3 TTPs 1 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\E:	d1c85648be1c7edcd511fe27a8ed34ebb178a72b11e2a58ef81d84b4f316b6fe.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
2608	d1c85648be1c7edcd511fe27a8ed34ebb178a72b11e2a58ef81d84b4f316b6fe.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2608	d1c85648be1c7edcd511fe27a8ed34ebb178a72b11e2a58ef81d84b4f316b6fe.exe
2608	d1c85648be1c7edcd511fe27a8ed34ebb178a72b11e2a58ef81d84b4f316b6fe.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2608	d1c85648be1c7edcd511fe27a8ed34ebb178a72b11e2a58ef81d84b4f316b6fe.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2608	d1c85648be1c7edcd511fe27a8ed34ebb178a72b11e2a58ef81d84b4f316b6fe.exe
2608	d1c85648be1c7edcd511fe27a8ed34ebb178a72b11e2a58ef81d84b4f316b6fe.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
2608	d1c85648be1c7edcd511fe27a8ed34ebb178a72b11e2a58ef81d84b4f316b6fe.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2608	d1c85648be1c7edcd511fe27a8ed34ebb178a72b11e2a58ef81d84b4f316b6fe.exe
2608	d1c85648be1c7edcd511fe27a8ed34ebb178a72b11e2a58ef81d84b4f316b6fe.exe
2608	d1c85648be1c7edcd511fe27a8ed34ebb178a72b11e2a58ef81d84b4f316b6fe.exe
2608	d1c85648be1c7edcd511fe27a8ed34ebb178a72b11e2a58ef81d84b4f316b6fe.exe
2608	d1c85648be1c7edcd511fe27a8ed34ebb178a72b11e2a58ef81d84b4f316b6fe.exe
2608	d1c85648be1c7edcd511fe27a8ed34ebb178a72b11e2a58ef81d84b4f316b6fe.exe

C:\Users\Admin\AppData\Local\Temp\d1c85648be1c7edcd511fe27a8ed34ebb178a72b11e2a58ef81d84b4f316b6fe.exe
"C:\Users\Admin\AppData\Local\Temp\d1c85648be1c7edcd511fe27a8ed34ebb178a72b11e2a58ef81d84b4f316b6fe.exe"
1⤵
- Loads dropped DLL
- Enumerates connected drives
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:2608

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\E2EECore.2.7.2.dll

Filesize
8.4MB

MD5
8b6c94bbdbfb213e94a5dcb4fac28ce3

SHA1
b56102ca4f03556f387f8b30e2b404efabe0cb65

SHA256
982a177924762f270b36fe34c7d6847392b48ae53151dc2011078dceef487a53

SHA512
9d6d63b5d8cf7a978d7e91126d7a343c2f7acd00022da9d692f63e50835fdd84a59a93328564f10622f2b1f6adfd7febdd98b8ddb294d0754ed45cc9c165d25a

Download Submit
memory/2608-98-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2608-129-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2608-59-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2608-60-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/2608-63-0x0000000000400000-0x000000000242C000-memory.dmp

Filesize
32.2MB

Download
memory/2608-62-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/2608-57-0x0000000000400000-0x000000000242C000-memory.dmp

Filesize
32.2MB

Download
memory/2608-70-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/2608-68-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/2608-73-0x0000000000280000-0x0000000000281000-memory.dmp

Filesize
4KB

Download
memory/2608-75-0x0000000000280000-0x0000000000281000-memory.dmp

Filesize
4KB

Download
memory/2608-78-0x0000000000310000-0x0000000000311000-memory.dmp

Filesize
4KB

Download
memory/2608-80-0x0000000000310000-0x0000000000311000-memory.dmp

Filesize
4KB

Download
memory/2608-83-0x0000000000320000-0x0000000000321000-memory.dmp

Filesize
4KB

Download
memory/2608-86-0x0000000000330000-0x0000000000331000-memory.dmp

Filesize
4KB

Download
memory/2608-88-0x0000000000330000-0x0000000000331000-memory.dmp

Filesize
4KB

Download
memory/2608-85-0x0000000000320000-0x0000000000321000-memory.dmp

Filesize
4KB

Download
memory/2608-100-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2608-65-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/2608-56-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2608-90-0x0000000000330000-0x0000000000331000-memory.dmp

Filesize
4KB

Download
memory/2608-102-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2608-103-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2608-104-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2608-107-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2608-110-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2608-113-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2608-115-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2608-117-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2608-119-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2608-121-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2608-122-0x0000000000400000-0x000000000242C000-memory.dmp

Filesize
32.2MB

Download
memory/2608-125-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2608-127-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2608-54-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2608-136-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2608-151-0x00000000045D0000-0x0000000004629000-memory.dmp

Filesize
356KB

Download
memory/2608-152-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2608-153-0x0000000000400000-0x000000000242C000-memory.dmp

Filesize
32.2MB

Download
memory/2608-154-0x00000000045D0000-0x0000000004629000-memory.dmp

Filesize
356KB

Download