Analysis
- max time kernel: 131s
- max time network: 137s
- platform: windows10_x64
- resource: win10v20210410
- submitted: 22-04-2021 06:13
Static task: static1
Behavioral task: behavioral1
- Sample: e533bf0348f9a5c018fc4eaea2b4138d.exe
- Resource: win7v20210408
Behavioral task: behavioral2 (the windows10_x64 run whose results are detailed on this page)
- Sample: e533bf0348f9a5c018fc4eaea2b4138d.exe
- Resource: win10v20210410
General
- Target: e533bf0348f9a5c018fc4eaea2b4138d.exe
- Size: 440KB
- MD5: e533bf0348f9a5c018fc4eaea2b4138d
- SHA1: 17d0fd9f96bf5759997197237deedbd37cad3c15
- SHA256: a7d4ad5e6eedf5be0ad6f9ffc704827b7c1e9aeb12d440c847031af8d4d1f7b1
- SHA512: a5483525cc05208cf506b4af2313e49c16896c33903210a9d3975b78e00af825bfe6d73e57ca69aeb300d2bd2a1d47ce3ee6394c4eaf422b7aaa5ff97a0fbef3
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Process: 11299.exe (PID 188)
- Deletes itself (1 IoC)
  Process: 11299.exe (PID 188)
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Process: e533bf0348f9a5c018fc4eaea2b4138d.exe (PID 3560)
  Key created: \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\{0B448A1A-A7ED-4CA4-8FD3-496E22C778AD} = "C:\\ProgramData\\{7C068637-88A8-4D31-BDD6-3DD62F336A77}\\11299.exe"
  Note: the key sits under WOW6432Node, which is where WOW64 redirects HKLM\Software writes coming from a 32-bit process on this 64-bit host; it is therefore a machine-wide autostart entry, and both the value name and the ProgramData folder are GUID-shaped rather than product names.
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Process: 11299.exe (PID 188) adjusted its token for SeDebugPrivilege
- Suspicious use of WriteProcessMemory (3 IoCs)
  Process: e533bf0348f9a5c018fc4eaea2b4138d.exe (PID 3560) wrote to the memory of 11299.exe (PID 188); the same parent-to-child write is recorded three times
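One way to turn the Run-key IoC above into a host-side check, as an added example that is not part of this sandbox report: the script below scans Sysmon-style registry SetValue records and flags writes to a Run/RunOnce value whose name is a bare GUID, whose data points to an .exe in a GUID-named folder under C:\ProgramData, or which arrive through WOW6432Node. The event records, their field names (EventType, TargetObject, Details, Image) and the "Run key plus at least one anomaly" threshold are my assumptions; the first sample record is built from the report's IoC, the others are constructed benign noise.

```python
# Added detection example (not part of the sandbox report). Flags Run-key
# writes that look like this sample's persistence: a GUID-named value under
# ...\CurrentVersion\Run whose data points to an .exe inside a GUID-named
# folder below C:\ProgramData. Input records are constructed Sysmon-style
# registry events, not events taken from the report.
import re
from dataclasses import dataclass

GUID = r"\{[0-9A-Fa-f]{8}-(?:[0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}\}"

# Hive spellings seen in Sysmon (HKLM, HKU\<SID>) and in sandbox reports
# (\REGISTRY\MACHINE, \REGISTRY\USER\<SID>).
HIVE = (r"(?:HKLM|HKEY_LOCAL_MACHINE|\\REGISTRY\\MACHINE"
        r"|HKCU|HKEY_CURRENT_USER|HKU\\[^\\]+|\\REGISTRY\\USER\\[^\\]+)")

RUN_VALUE_RE = re.compile(
    HIVE + r"\\Software\\(?:WOW6432Node\\)?Microsoft\\Windows\\CurrentVersion"
    r"\\Run(?:Once)?\\(?P<name>[^\\]+)$",
    re.IGNORECASE,
)
GUID_NAME_RE = re.compile(rf"^{GUID}$")
PROGRAMDATA_GUID_EXE_RE = re.compile(
    rf"^[A-Za-z]:\\ProgramData\\{GUID}\\[^\\]+\.exe$", re.IGNORECASE
)
WOW64_RE = re.compile(r"\\WOW6432Node\\", re.IGNORECASE)


def normalize_path(details: str) -> str:
    """Turn registry string data as printed by a report or Sysmon into a plain
    path: keep only the first quoted token (drops trailing arguments) and
    collapse the escaped backslashes that reports print."""
    s = details.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        s = s[1:end] if end > 0 else s[1:]
    return s.replace("\\\\", "\\")


def classify_run_write(target_object: str, details: str) -> list:
    """Reasons why a SetValue looks like the report's persistence pattern.
    An empty list means the write is not to a Run/RunOnce value at all."""
    m = RUN_VALUE_RE.match(target_object)
    if not m:
        return []
    reasons = ["autostart value written under CurrentVersion\\Run"]
    if GUID_NAME_RE.match(m.group("name")):
        reasons.append("value name is a bare GUID")
    if PROGRAMDATA_GUID_EXE_RE.match(normalize_path(details)):
        reasons.append("target is an .exe inside a GUID-named ProgramData folder")
    if WOW64_RE.search(target_object):
        reasons.append("written through WOW6432Node (32-bit writer on x64)")
    return reasons


@dataclass(frozen=True)
class Finding:
    image: str
    target_object: str
    path: str
    reasons: tuple


def scan_registry_events(events) -> list:
    """Return a Finding for every SetValue that hits a Run key AND shows at
    least one anomaly; plain Run-key writes are ignored so ordinary installers
    do not alert (assumed threshold)."""
    findings = []
    for ev in events:
        if ev.get("EventType") != "SetValue":
            continue
        reasons = classify_run_write(ev["TargetObject"], ev["Details"])
        if len(reasons) >= 2:
            findings.append(Finding(ev["Image"], ev["TargetObject"],
                                    normalize_path(ev["Details"]), tuple(reasons)))
    return findings


# Constructed sample events. The first mirrors the IoC in this report (report
# style hive spelling and escaped backslashes); the other two are benign.
SAMPLE_EVENTS = [
    {
        "EventType": "SetValue",
        "Image": r"C:\Users\Admin\AppData\Local\Temp\e533bf0348f9a5c018fc4eaea2b4138d.exe",
        "TargetObject": r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\{0B448A1A-A7ED-4CA4-8FD3-496E22C778AD}",
        "Details": r'"C:\\ProgramData\\{7C068637-88A8-4D31-BDD6-3DD62F336A77}\\11299.exe"',
    },
    {
        "EventType": "SetValue",
        "Image": r"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe",
        "TargetObject": r"HKU\S-1-5-21-1004336348-1177238915-682003330-1001\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
        "Details": r'"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
    },
    {
        "EventType": "SetValue",
        "Image": r"C:\Windows\System32\svchost.exe",
        "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden",
        "Details": "DWORD (0x00000001)",
    },
]

if __name__ == "__main__":
    for f in scan_registry_events(SAMPLE_EVENTS):
        print(f"{f.image} -> {f.path}")
        for r in f.reasons:
            print("   ", r)
```

Run over the constructed events, only the record built from this report is flagged, with all four reasons; the OneDrive entry is a Run-key write with nothing anomalous about it and stays quiet. The hive regex accepts both the \REGISTRY\MACHINE form used by sandbox reports and the HKLM/HKU form Sysmon emits, so the same function can be pointed at either source.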
Processes
- C:\Users\Admin\AppData\Local\Temp\e533bf0348f9a5c018fc4eaea2b4138d.exe (PID 3560, depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\e533bf0348f9a5c018fc4eaea2b4138d.exe"
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  - C:\ProgramData\{7C068637-88A8-4D31-BDD6-3DD62F336A77}\11299.exe (PID 188, depth 2, child of PID 3560)
    Command line: "C:\ProgramData\{7C068637-88A8-4D31-BDD6-3DD62F336A77}\11299.exe"
    - Executes dropped EXE
    - Deletes itself
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\ProgramData\{7C068637-88A8-4D31-BDD6-3DD62F336A77}\11299.exe
  MD5: e533bf0348f9a5c018fc4eaea2b4138d
  SHA1: 17d0fd9f96bf5759997197237deedbd37cad3c15
  SHA256: a7d4ad5e6eedf5be0ad6f9ffc704827b7c1e9aeb12d440c847031af8d4d1f7b1
  SHA512: a5483525cc05208cf506b4af2313e49c16896c33903210a9d3975b78e00af825bfe6d73e57ca69aeb300d2bd2a1d47ce3ee6394c4eaf422b7aaa5ff97a0fbef3
  All four hashes match the submitted sample: the dropped file is a byte-identical copy of the original executable placed under a GUID-named ProgramData folder, not a distinct second-stage payload.
- C:\Users\Admin\AppData\Local\Temp\B91F1F35505F49E79F553176
  MD5: 4d8afa43b39a0ca1af1a8442c575af63
  SHA1: aeae417fb0795e23cf1a1f04696072f6c2f998ac
  SHA256: 4c0818d272b71aa2c721a5003a0b69cfa0d37610860ff525df5303f366a97db4
  SHA512: db1446e73ced316f95c33a984b4ff8d2578e3652b9ededa7fd0f3950d687d8011f4005b72d297e65db700b7172c439424c36a0a8f21e0e8e0e58d0107130d58a
- memory/188-114-0x0000000000000000-mapping.dmp
- memory/188-120-0x0000000000570000-0x00000000005BD000-memory.dmp (308KB)
- memory/188-121-0x0000000000400000-0x000000000049B000-memory.dmp (620KB)
- memory/3560-119-0x0000000000400000-0x000000000049B000-memory.dmp (620KB; the same image range at the same base as in PID 188, consistent with the child being a copy of the parent)
- memory/3560-118-0x00000000004A0000-0x00000000005EA000-memory.dmp (1.3MB)