eef7b8bf3ddd199f5f3b864dbd01922d16cc4b754d0635689088e73f9e6c0ed3

Analysis

max time kernel
150s
max time network
155s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
12/10/2023, 02:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

eef7b8bf3ddd199f5f3b864dbd01922d16cc4b754d0635689088e73f9e6c0ed3.exe
Size

203KB
MD5

ca2a3f209be25a8ebb65bda3979d1ac7
SHA1

d888b31a18e0dca50fdc7f878f864a6c1ec5d5fe
SHA256

eef7b8bf3ddd199f5f3b864dbd01922d16cc4b754d0635689088e73f9e6c0ed3
SHA512

f574324a7f58d6ffee5b02760ca6038e6567df991da67eba1780e06e8b2f893f3a7952ded57f842f9717ceaf55874d3bfa410846fa4e0c4ffa429382144855c8
SSDEEP

6144:Dz1xOecgEnOxUwWz1w4mcH+dZvF4lBFusBQY:31seJzWz1l+LIp

Score

7^/10

upx

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
1632	cmd.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2448-0-0x00000000009B0000-0x0000000000A47000-memory.dmp	upx
behavioral1/memory/2448-30-0x00000000009B0000-0x0000000000A47000-memory.dmp	upx
behavioral1/memory/2448-40-0x00000000009B0000-0x0000000000A47000-memory.dmp	upx
behavioral1/memory/2448-41-0x00000000009B0000-0x0000000000A47000-memory.dmp	upx

Blocklisted process makes network request 8 IoCs

flow	pid	Process
5	2744	msiexec.exe
6	2744	msiexec.exe
8	2744	msiexec.exe
12	2744	msiexec.exe
14	2744	msiexec.exe
15	2744	msiexec.exe
18	2744	msiexec.exe
21	2744	msiexec.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\WindowsShell4442.log	msiexec.exe
File opened for modification	C:\Windows\WindowTerminalVaild81.log	msiexec.exe
File opened for modification	C:\Windows\WindowMicrosoftNET042.log	msiexec.exe
File opened for modification	C:\Windows\WindowsShell87333.log	eef7b8bf3ddd199f5f3b864dbd01922d16cc4b754d0635689088e73f9e6c0ed3.exe
File opened for modification	C:\Windows\WindowSystemNewUpdate822.log	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
2356	2616	WerFault.exe	28
2628	3004	WerFault.exe	36

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	2448	eef7b8bf3ddd199f5f3b864dbd01922d16cc4b754d0635689088e73f9e6c0ed3.exe
Token: SeDebugPrivilege	2744	msiexec.exe
Token: SeIncBasePriorityPrivilege	2448	eef7b8bf3ddd199f5f3b864dbd01922d16cc4b754d0635689088e73f9e6c0ed3.exe
Token: SeDebugPrivilege	2744	msiexec.exe
Token: SeDebugPrivilege	2744	msiexec.exe
Token: SeDebugPrivilege	2744	msiexec.exe

Suspicious use of WriteProcessMemory 39 IoCs

description	pid	Process	procid_target
PID 2448 wrote to memory of 2616	2448	eef7b8bf3ddd199f5f3b864dbd01922d16cc4b754d0635689088e73f9e6c0ed3.exe	28
PID 2448 wrote to memory of 2616	2448	eef7b8bf3ddd199f5f3b864dbd01922d16cc4b754d0635689088e73f9e6c0ed3.exe	28
PID 2448 wrote to memory of 2616	2448	eef7b8bf3ddd199f5f3b864dbd01922d16cc4b754d0635689088e73f9e6c0ed3.exe	28
PID 2448 wrote to memory of 2616	2448	eef7b8bf3ddd199f5f3b864dbd01922d16cc4b754d0635689088e73f9e6c0ed3.exe	28
PID 2448 wrote to memory of 2616	2448	eef7b8bf3ddd199f5f3b864dbd01922d16cc4b754d0635689088e73f9e6c0ed3.exe	28
PID 2448 wrote to memory of 2616	2448	eef7b8bf3ddd199f5f3b864dbd01922d16cc4b754d0635689088e73f9e6c0ed3.exe	28
PID 2448 wrote to memory of 2616	2448	eef7b8bf3ddd199f5f3b864dbd01922d16cc4b754d0635689088e73f9e6c0ed3.exe	28
PID 2616 wrote to memory of 2356	2616	TRACERT.EXE	30
PID 2616 wrote to memory of 2356	2616	TRACERT.EXE	30
PID 2616 wrote to memory of 2356	2616	TRACERT.EXE	30
PID 2616 wrote to memory of 2356	2616	TRACERT.EXE	30
PID 2448 wrote to memory of 2744	2448	eef7b8bf3ddd199f5f3b864dbd01922d16cc4b754d0635689088e73f9e6c0ed3.exe	31
PID 2448 wrote to memory of 2744	2448	eef7b8bf3ddd199f5f3b864dbd01922d16cc4b754d0635689088e73f9e6c0ed3.exe	31
PID 2448 wrote to memory of 2744	2448	eef7b8bf3ddd199f5f3b864dbd01922d16cc4b754d0635689088e73f9e6c0ed3.exe	31
PID 2448 wrote to memory of 2744	2448	eef7b8bf3ddd199f5f3b864dbd01922d16cc4b754d0635689088e73f9e6c0ed3.exe	31
PID 2448 wrote to memory of 2744	2448	eef7b8bf3ddd199f5f3b864dbd01922d16cc4b754d0635689088e73f9e6c0ed3.exe	31
PID 2448 wrote to memory of 2744	2448	eef7b8bf3ddd199f5f3b864dbd01922d16cc4b754d0635689088e73f9e6c0ed3.exe	31
PID 2448 wrote to memory of 2744	2448	eef7b8bf3ddd199f5f3b864dbd01922d16cc4b754d0635689088e73f9e6c0ed3.exe	31
PID 2448 wrote to memory of 2744	2448	eef7b8bf3ddd199f5f3b864dbd01922d16cc4b754d0635689088e73f9e6c0ed3.exe	31
PID 2448 wrote to memory of 2744	2448	eef7b8bf3ddd199f5f3b864dbd01922d16cc4b754d0635689088e73f9e6c0ed3.exe	31
PID 2448 wrote to memory of 2744	2448	eef7b8bf3ddd199f5f3b864dbd01922d16cc4b754d0635689088e73f9e6c0ed3.exe	31
PID 2448 wrote to memory of 1632	2448	eef7b8bf3ddd199f5f3b864dbd01922d16cc4b754d0635689088e73f9e6c0ed3.exe	32
PID 2448 wrote to memory of 1632	2448	eef7b8bf3ddd199f5f3b864dbd01922d16cc4b754d0635689088e73f9e6c0ed3.exe	32
PID 2448 wrote to memory of 1632	2448	eef7b8bf3ddd199f5f3b864dbd01922d16cc4b754d0635689088e73f9e6c0ed3.exe	32
PID 2448 wrote to memory of 1632	2448	eef7b8bf3ddd199f5f3b864dbd01922d16cc4b754d0635689088e73f9e6c0ed3.exe	32
PID 2744 wrote to memory of 3004	2744	msiexec.exe	36
PID 2744 wrote to memory of 3004	2744	msiexec.exe	36
PID 2744 wrote to memory of 3004	2744	msiexec.exe	36
PID 2744 wrote to memory of 3004	2744	msiexec.exe	36
PID 2744 wrote to memory of 3004	2744	msiexec.exe	36
PID 2744 wrote to memory of 3004	2744	msiexec.exe	36
PID 2744 wrote to memory of 3004	2744	msiexec.exe	36
PID 3004 wrote to memory of 2628	3004	Robocopy.exe	38
PID 3004 wrote to memory of 2628	3004	Robocopy.exe	38
PID 3004 wrote to memory of 2628	3004	Robocopy.exe	38
PID 3004 wrote to memory of 2628	3004	Robocopy.exe	38
PID 2744 wrote to memory of 3004	2744	msiexec.exe	36
PID 2744 wrote to memory of 3004	2744	msiexec.exe	36
PID 2744 wrote to memory of 3004	2744	msiexec.exe	36

C:\Users\Admin\AppData\Local\Temp\eef7b8bf3ddd199f5f3b864dbd01922d16cc4b754d0635689088e73f9e6c0ed3.exe
"C:\Users\Admin\AppData\Local\Temp\eef7b8bf3ddd199f5f3b864dbd01922d16cc4b754d0635689088e73f9e6c0ed3.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2448
- C:\Windows\SysWOW64\TRACERT.EXE
  "C:\Windows\SysWOW64\TRACERT.EXE"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2616
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2616 -s 104
    3⤵
    - Program crash
    PID:2356
- C:\Windows\SysWOW64\msiexec.exe
  "C:\Windows\SysWOW64\msiexec.exe"
  2⤵
  - Blocklisted process makes network request
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2744
- - C:\Windows\SysWOW64\Robocopy.exe
    "C:\Windows\SysWOW64\Robocopy.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3004
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3004 -s 148
      4⤵
      Program crash
      PID:2628
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\EEF7B8~1.EXE > nul
  2⤵
  - Deletes itself
  PID:1632

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\WindowSystemNewUpdate822.log

Filesize
5KB

MD5
176b1e27271c721dc3b98a28bac322bf

SHA1
dbdfb73bc93d419bee11ee4e156285a93d269866

SHA256
ef83b683c50af7d9e4dbde8649925646220cc9620eac49d78e150db08fe7f394

SHA512
78e3e9a47a97feb3049484cddc25b89edb7021bf5404c88ce10c853a8ef3b3e76204062506617b2603b5f1509960086253e41233748a0db9ff75dea7a702f66d

Download Submit
memory/2448-30-0x00000000009B0000-0x0000000000A47000-memory.dmp

Filesize
604KB

Download
memory/2448-0-0x00000000009B0000-0x0000000000A47000-memory.dmp

Filesize
604KB

Download
memory/2448-41-0x00000000009B0000-0x0000000000A47000-memory.dmp

Filesize
604KB

Download
memory/2448-40-0x00000000009B0000-0x0000000000A47000-memory.dmp

Filesize
604KB

Download
memory/2616-2-0x0000000000080000-0x00000000000E7000-memory.dmp

Filesize
412KB

Download
memory/2616-3-0x0000000000080000-0x00000000000E7000-memory.dmp

Filesize
412KB

Download
memory/2616-4-0x0000000000080000-0x00000000000E7000-memory.dmp

Filesize
412KB

Download
memory/2616-6-0x0000000000080000-0x00000000000E7000-memory.dmp

Filesize
412KB

Download
memory/2744-15-0x0000000000160000-0x000000000017B000-memory.dmp

Filesize
108KB

Download
memory/2744-13-0x0000000000090000-0x00000000000F7000-memory.dmp

Filesize
412KB

Download
memory/2744-18-0x0000000000160000-0x000000000017B000-memory.dmp

Filesize
108KB

Download
memory/2744-19-0x0000000010000000-0x0000000010057000-memory.dmp

Filesize
348KB

Download
memory/2744-48-0x0000000003700000-0x0000000003BEB000-memory.dmp

Filesize
4.9MB

Download
memory/2744-58-0x00000000001D0000-0x0000000000208000-memory.dmp

Filesize
224KB

Download
memory/2744-69-0x0000000002BF0000-0x0000000002C57000-memory.dmp

Filesize
412KB

Download
memory/2744-17-0x0000000000160000-0x000000000017B000-memory.dmp

Filesize
108KB

Download
memory/3004-88-0x0000000000080000-0x000000000009F000-memory.dmp

Filesize
124KB

Download
memory/3004-102-0x0000000000080000-0x000000000009F000-memory.dmp

Filesize
124KB

Download
memory/3004-104-0x0000000000080000-0x000000000009F000-memory.dmp

Filesize
124KB

Download
memory/3004-114-0x0000000002600000-0x0000000002C04000-memory.dmp

Filesize
6.0MB

Download
memory/3004-116-0x0000000002600000-0x0000000002C04000-memory.dmp

Filesize
6.0MB

Download
memory/3004-118-0x0000000002600000-0x0000000002C04000-memory.dmp

Filesize
6.0MB

Download
memory/3004-120-0x0000000002600000-0x0000000002C04000-memory.dmp

Filesize
6.0MB

Download
memory/3004-91-0x0000000000080000-0x000000000009F000-memory.dmp

Filesize
124KB

Download