Overview

overview

10

Static

static

1

gunzipped.exe

windows7-x64

8

gunzipped.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    121s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    09-09-2024 03:11

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    gunzipped.exe

  • Size

    495KB

  • MD5

    ab366b2f1f6b791e92161ee4fdac7390

  • SHA1

    921f4995c0a12dfc275725a92ba101098d348ea5

  • SHA256

    fb21baf4e0854d03627b5c34a36688dedb2ce4de6fc9b6ec90188f55b33dbb98

  • SHA512

    05b16a84b1eb00196c5473fcf92bdbdcacb91d12504f45c2e36a372b6964d43bf4655636a3fbd4b758c78390505802a6b9a7f6dd9fbb2981e6d577c582b6db91

  • SSDEEP

    12288:FhHh3fYi/b8j3G4xTyjJh6jwtCSEijprUe1c9i72lMkR:V3fJjU3ZTo1E1yckE7

Score
8/10
discoveryexecution

Malware Config

Signatures

  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 12 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 32 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\gunzipped.exe
    "C:\Users\Admin\AppData\Local\Temp\gunzipped.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2296
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\gunzipped.exe"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2364
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\YrEHwmJ.exe"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1488
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\YrEHwmJ" /XML "C:\Users\Admin\AppData\Local\Temp\tmpEA40.tmp"
      2⤵
      • System Location Discovery: System Language Discovery
      • Scheduled Task/Job: Scheduled Task
      PID:2480
    • C:\Users\Admin\AppData\Local\Temp\gunzipped.exe
      "C:\Users\Admin\AppData\Local\Temp\gunzipped.exe"
      2⤵
        PID:2704
      • C:\Users\Admin\AppData\Local\Temp\gunzipped.exe
        "C:\Users\Admin\AppData\Local\Temp\gunzipped.exe"
        2⤵
          PID:2828
        • C:\Users\Admin\AppData\Local\Temp\gunzipped.exe
          "C:\Users\Admin\AppData\Local\Temp\gunzipped.exe"
          2⤵
            PID:2776
          • C:\Users\Admin\AppData\Local\Temp\gunzipped.exe
            "C:\Users\Admin\AppData\Local\Temp\gunzipped.exe"
            2⤵
              PID:2620
            • C:\Users\Admin\AppData\Local\Temp\gunzipped.exe
              "C:\Users\Admin\AppData\Local\Temp\gunzipped.exe"
              2⤵
                PID:2232

            Network

            MITRE ATT&CK Enterprise v15

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\Users\Admin\AppData\Local\Temp\tmpEA40.tmp
              Filesize

              1KB

              MD5

              d7c133e171704497a3cf92b864917696

              SHA1

              dc7c214a89d19261d2c9033f52b3b93fe991fddf

              SHA256

              9b65ac38f3cee60ecb2f856474fcc07edf92b813a4169fdd76b40c0585fd0391

              SHA512

              a0d77000a7c6dfc8d42efda17cda15a07bb179dbbb0a42fa72c1708584fe05a01769989c9f1c4411c1fe277ec521cc6b38fdc9e5cffaa4a2852b6a092f2a6f17

              Download Submit

            • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\A6CSCYQNBFUV6Y5C32I2.temp
              Filesize

              7KB

              MD5

              950ef6b4924df856b0fe291b6a53e212

              SHA1

              1e28c1203217b6cb54c5231941a2a332443c068d

              SHA256

              68f581da736afdeaa50c3b2e1dcb0e487e12f74a13ded1b3fc2bec0ba27577a9

              SHA512

              6d2ed7b9e1e5205e2b4d4dc16beb27e11f4e978a88a4194c57a271825a6e4745200547846b7a09af67dd4ce251edafb3ca33e3e3403bd6cb74d001982c713a8e

              Download Submit

            • memory/2296-0-0x00000000747AE000-0x00000000747AF000-memory.dmp

              Filesize

              4KB

              Download

            • memory/2296-1-0x00000000003F0000-0x000000000046E000-memory.dmp

              Filesize

              504KB

              Download

            • memory/2296-2-0x00000000747A0000-0x0000000074E8E000-memory.dmp

              Filesize

              6.9MB

              Download

            • memory/2296-3-0x00000000003E0000-0x00000000003F0000-memory.dmp

              Filesize

              64KB

              Download

            • memory/2296-4-0x00000000747AE000-0x00000000747AF000-memory.dmp

              Filesize

              4KB

              Download

            • memory/2296-5-0x00000000747A0000-0x0000000074E8E000-memory.dmp

              Filesize

              6.9MB

              Download

            • memory/2296-6-0x0000000004F30000-0x0000000004F92000-memory.dmp

              Filesize

              392KB

              Download

            • memory/2296-19-0x00000000747A0000-0x0000000074E8E000-memory.dmp

              Filesize

              6.9MB

              Download