Analysis
- max time kernel: 122s
- max time network: 126s
- platform: windows7_x64
- resource: win7-20231215-en
- resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
- submitted: 14-02-2024 16:14
General
Target
- Size: 9.5MB
- MD5: ead881eae554084a45f040f9025c2136
- SHA1: d62e30cb9546fc92d4cfefdc0e445ef5d35cd95e
- SHA256: f19d43f2e5ff058a0aff3bfc429688816ee5e78cf82dcd1a68e655715c4ca38f
- SHA512: 22f4eb6842fbfe28d700163fa6a0cc8478e6a311fbdd2540d6070e296cb1fea741bdeeef45352cc06d16a147431a53fc620c9b16a5c9369987f2536f86f60edf
- SSDEEP: 196608:yDoFldQmRrdA6lsuErSEEJw/aw2c8Ft1L4ij0W8/La9zYPQZo073:WodQOls+9Joaw2h4BW8Uz3v7
Malware Config
Signatures
- Loads dropped DLL (1 IoC)
  pid   Process
  1616  [email protected]
- Suspicious behavior: EnumeratesProcesses (1 IoC)
  pid   Process
  1816  ehshell.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  description             pid   Process
  Token: SeDebugPrivilege 1816  ehshell.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  description                        pid   Process            procid_target
  PID 2072 wrote to memory of 1616   2072  [email protected]  28
  PID 2072 wrote to memory of 1616   2072  [email protected]  28
  PID 2072 wrote to memory of 1616   2072  [email protected]  28
  PID 1816 wrote to memory of 2080   1816  ehshell.exe        30
  PID 1816 wrote to memory of 2080   1816  ehshell.exe        30
  PID 1816 wrote to memory of 2080   1816  ehshell.exe        30
Processes
- C:\Users\Admin\AppData\Local\Temp\[email protected]
  Command line: "C:\Users\Admin\AppData\Local\Temp\[email protected]"
  Level 1, PID: 2072
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\[email protected]
    Level 2, PID: 1616
- C:\Windows\ehome\ehshell.exe
  Command line: "C:\Windows\ehome\ehshell.exe"
  Level 1, PID: 1816
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
    Command line: dw20.exe -x -s 1260
    Level 2, PID: 2080
Network
MITRE ATT&CK Matrix
Downloads
- Filesize: 1.1MB
  MD5: 88bcbdeabe2b0fb899ca7d731ef208e9
  SHA1: a347ef876c339bbaf74ffd1cae935c23d8c58d22
  SHA256: b2d7b38f977b0bff2c4e318f78d6a890a136ad04134e64fa2a37e5189df510ac
  SHA512: 09af644d912a90502a982e26fca05220c8b2a467b3d528344e1143e0a38c5b286797cbf3c5e6b67a874819da1eacba18c5d3288531d8f76fd6bde471c2d56f4a
- Filesize: 5.5MB
  MD5: a72993488cecd88b3e19487d646f88f6
  SHA1: 5d359f4121e0be04a483f9ad1d8203ffc958f9a0
  SHA256: aa1e959dcff75a343b448a797d8a5a041eb03b27565a30f70fd081df7a285038
  SHA512: c895176784b9ac89c9b996c02ec0d0a3f7cd6ebf653a277c20dec104da6a11db084c53dd47c7b6653a448d877ad8e5e79c27db4ea6365ebb8ca2a78aa9c61b38