Analysis
max time kernel: 149s
max time network: 148s
platform: windows10_x64
resource: win10v20210410
submitted: 13-05-2021 02:34
Static task: static1
Behavioral task: behavioral1
  Sample: badbbc572435a7bfb674faf5ddd5b25c1d7a85b95c5c1458d1c0aab89587f697.exe
  Resource: win7v20210410
Behavioral task: behavioral2
  Sample: badbbc572435a7bfb674faf5ddd5b25c1d7a85b95c5c1458d1c0aab89587f697.exe
  Resource: win10v20210410
General
Target: badbbc572435a7bfb674faf5ddd5b25c1d7a85b95c5c1458d1c0aab89587f697.exe
Size: 220KB
MD5: bb68d00e0de6d123328afb4532a01979
SHA1: 5c09f5b4f318243f8e06da31ca4db1956d7934fa
SHA256: badbbc572435a7bfb674faf5ddd5b25c1d7a85b95c5c1458d1c0aab89587f697
SHA512: 04355b8aa106a2ab939afe4813e3e6b3ca8d246be6133b9440bca9939536cf77976a4b67ad83a56e77e8876869e1dfe2875e7d55ada3e5acbde3a7bf4b448a26
Malware Config
Signatures

Adds policy Run key to start application (2 TTPs, 4 IoCs)
Processes:
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\VLXHCMT5KJ = "C:\\Users\\Admin\\AppData\\Roaming\\AG58FPQON.exe" | badbbc572435a7bfb674faf5ddd5b25c1d7a85b95c5c1458d1c0aab89587f697.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run | badbbc572435a7bfb674faf5ddd5b25c1d7a85b95c5c1458d1c0aab89587f697.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\VLXHCMT5KJ = "C:\\Users\\Admin\\AppData\\Roaming\\AG58FPQON.exe" | badbbc572435a7bfb674faf5ddd5b25c1d7a85b95c5c1458d1c0aab89587f697.exe
Key created | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\run | badbbc572435a7bfb674faf5ddd5b25c1d7a85b95c5c1458d1c0aab89587f697.exe

Adds Run key to start application (2 TTPs, 4 IoCs)
Processes:
description | ioc | process
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run | badbbc572435a7bfb674faf5ddd5b25c1d7a85b95c5c1458d1c0aab89587f697.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\VLXHCMT5KJ = "C:\\Users\\Admin\\AppData\\Roaming\\AG58FPQON.exe" | badbbc572435a7bfb674faf5ddd5b25c1d7a85b95c5c1458d1c0aab89587f697.exe
Key created | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run | badbbc572435a7bfb674faf5ddd5b25c1d7a85b95c5c1458d1c0aab89587f697.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\VLXHCMT5KJ = "C:\\Users\\Admin\\AppData\\Roaming\\AG58FPQON.exe" | badbbc572435a7bfb674faf5ddd5b25c1d7a85b95c5c1458d1c0aab89587f697.exe

Script User-Agent (2 IoCs)
Uses user-agent string associated with script host/environment.
Processes:
description | flow | ioc
HTTP User-Agent header | 16 | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header | 22 | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
Processes:
pid | process
4452 | badbbc572435a7bfb674faf5ddd5b25c1d7a85b95c5c1458d1c0aab89587f697.exe

Suspicious behavior: RenamesItself (1 IoC)
Processes:
pid | process
4452 | badbbc572435a7bfb674faf5ddd5b25c1d7a85b95c5c1458d1c0aab89587f697.exe

Suspicious use of SetWindowsHookEx (2 IoCs)
Processes:
pid | process
4452 | badbbc572435a7bfb674faf5ddd5b25c1d7a85b95c5c1458d1c0aab89587f697.exe
4452 | badbbc572435a7bfb674faf5ddd5b25c1d7a85b95c5c1458d1c0aab89587f697.exe
Processes
C:\Users\Admin\AppData\Local\Temp\badbbc572435a7bfb674faf5ddd5b25c1d7a85b95c5c1458d1c0aab89587f697.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\badbbc572435a7bfb674faf5ddd5b25c1d7a85b95c5c1458d1c0aab89587f697.exe"
  PID: 4452
  - Adds policy Run key to start application
  - Adds Run key to start application
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious behavior: RenamesItself
  - Suspicious use of SetWindowsHookEx