Overview

overview

10

Static

static

1

gunzipped.exe

windows7-x64

3

gunzipped.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    120s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20231129-en
  • resource tags

    arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
  • submitted
    26-04-2024 02:56

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    gunzipped.exe

  • Size

    688KB

  • MD5

    4b905e6548f4d5040fab8962cb71877e

  • SHA1

    15c3785700d10e32ce7e17d706194dd9baa8442a

  • SHA256

    6fd2687a66899aa63357f7434a418b2bd873eebda9520129b20fd3e7e889ced1

  • SHA512

    75beefb8e58cc71f433980ceb6ff74c022d35332037b905e9e6644e09dea33ba36b41dd4c8e1e6874f302208fccd93ad258c74d09c08828d65bf7661026a3cad

  • SSDEEP

    12288:6jqnHvjNIrpf9rN/mc/CPV77Qykhe+AK9hCqAZHApvF1sdsgTWEmBuPg6AbTokR:6GPjKr5BNDAF7GAKeZHApvFWdsisBuoT

Score
3/10

Malware Config

Signatures

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 12 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\gunzipped.exe
    "C:\Users\Admin\AppData\Local\Temp\gunzipped.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2076
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\mPvIOxEZXJsdYp.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2740
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\mPvIOxEZXJsdYp" /XML "C:\Users\Admin\AppData\Local\Temp\tmp3F90.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:2088
    • C:\Users\Admin\AppData\Local\Temp\gunzipped.exe
      "C:\Users\Admin\AppData\Local\Temp\gunzipped.exe"
      2⤵
        PID:2668
      • C:\Users\Admin\AppData\Local\Temp\gunzipped.exe
        "C:\Users\Admin\AppData\Local\Temp\gunzipped.exe"
        2⤵
          PID:2600
        • C:\Users\Admin\AppData\Local\Temp\gunzipped.exe
          "C:\Users\Admin\AppData\Local\Temp\gunzipped.exe"
          2⤵
            PID:2560
          • C:\Users\Admin\AppData\Local\Temp\gunzipped.exe
            "C:\Users\Admin\AppData\Local\Temp\gunzipped.exe"
            2⤵
              PID:2656
            • C:\Users\Admin\AppData\Local\Temp\gunzipped.exe
              "C:\Users\Admin\AppData\Local\Temp\gunzipped.exe"
              2⤵
                PID:2632

            Network

            MITRE ATT&CK Enterprise v15

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\Users\Admin\AppData\Local\Temp\tmp3F90.tmp
              Filesize

              1KB

              MD5

              5d32ece9e09cdb3443a3b7b573d2d9b2

              SHA1

              efad8b22e19b341cbe1f888ba0068236ef404f85

              SHA256

              256f9172fc103484fe3369b26e8ff60eb73aad60a97b177433f29b157ffa762e

              SHA512

              ec8a5c6ba9a43d9d68a6f34a5717a28d821eafc09d4aacaf5cf434e96233df3c8b219924710ecec1bea0d0096c16d809ab3b9114013c94a40d5a46fcad87621b

              Download Submit

            • memory/2076-3-0x0000000002130000-0x0000000002150000-memory.dmp

              Filesize

              128KB

              Download

            • memory/2076-2-0x0000000004850000-0x0000000004890000-memory.dmp

              Filesize

              256KB

              Download

            • memory/2076-0-0x0000000000150000-0x00000000001FE000-memory.dmp

              Filesize

              696KB

              Download

            • memory/2076-4-0x0000000001FE0000-0x0000000001FF4000-memory.dmp

              Filesize

              80KB

              Download

            • memory/2076-5-0x0000000004E30000-0x0000000004E92000-memory.dmp

              Filesize

              392KB

              Download

            • memory/2076-1-0x0000000073F30000-0x000000007461E000-memory.dmp

              Filesize

              6.9MB

              Download

            • memory/2076-14-0x0000000073F30000-0x000000007461E000-memory.dmp

              Filesize

              6.9MB

              Download

            • memory/2740-13-0x000000006E300000-0x000000006E8AB000-memory.dmp

              Filesize

              5.7MB

              Download

            • memory/2740-15-0x0000000002B20000-0x0000000002B60000-memory.dmp

              Filesize

              256KB

              Download

            • memory/2740-16-0x000000006E300000-0x000000006E8AB000-memory.dmp

              Filesize

              5.7MB

              Download

            • memory/2740-17-0x0000000002B20000-0x0000000002B60000-memory.dmp

              Filesize

              256KB

              Download

            • memory/2740-18-0x000000006E300000-0x000000006E8AB000-memory.dmp

              Filesize

              5.7MB

              Download