Analysis
- max time kernel: 101s
- max time network: 127s
- platform: windows7_x64
- resource: win7v20210408
- submitted: 22-05-2021 19:03
Static task: static1
Behavioral task: behavioral1
  Sample: 7268e57a354c49482b14d239632cfd73.exe
  Resource: win7v20210408
Behavioral task: behavioral2
  Sample: 7268e57a354c49482b14d239632cfd73.exe
  Resource: win10v20210410
General
- Target: 7268e57a354c49482b14d239632cfd73.exe
- Size: 381KB
- MD5: 7268e57a354c49482b14d239632cfd73
- SHA1: 8d42017b64c9d4060c56f5916bd70c6f42515d13
- SHA256: a28956c03af41c83a80a84889bd4b2528c3842f14ca44d7c2d3362cbaa036b8d
- SHA512: e0cab9d4b5b39a5202790dd5ca634e9e15dae583fa7071186f787183e9bcf01c5264265660572d9de226108a308136e8a9d8340569826abc4d9fe1644223c297
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Processes: PID 1292 7268e57a354c49482b14d239632cfd73.tmp
- Loads dropped DLL (4 IoCs)
  Processes: PID 1612 7268e57a354c49482b14d239632cfd73.exe; PID 1292 7268e57a354c49482b14d239632cfd73.tmp (3 occurrences)
- Looks up external IP address via web service (2 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Network flows: flow 2 ipinfo.io; flow 6 ipinfo.io
- Suspicious use of FindShellTrayWindow (1 IoC)
  Processes: PID 1292 7268e57a354c49482b14d239632cfd73.tmp
- Suspicious use of WriteProcessMemory (7 IoCs)
  Processes: PID 1612 (7268e57a354c49482b14d239632cfd73.exe) wrote to memory of PID 1292 (7268e57a354c49482b14d239632cfd73.tmp), 7 occurrences
Processes
- C:\Users\Admin\AppData\Local\Temp\7268e57a354c49482b14d239632cfd73.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\7268e57a354c49482b14d239632cfd73.exe"
  PID: 1612
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  - Child: C:\Users\Admin\AppData\Local\Temp\is-LDVRV.tmp\7268e57a354c49482b14d239632cfd73.tmp
    Command line: "C:\Users\Admin\AppData\Local\Temp\is-LDVRV.tmp\7268e57a354c49482b14d239632cfd73.tmp" /SL5="$9015C,138429,56832,C:\Users\Admin\AppData\Local\Temp\7268e57a354c49482b14d239632cfd73.exe"
    PID: 1292
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of FindShellTrayWindow
Downloads
- MD5: ffcf263a020aa7794015af0edee5df0b
  SHA1: bce1eb5f0efb2c83f416b1782ea07c776666fdab
  SHA256: 1d07cfb7104b85fc0dffd761f6848ad176117e146bbb4079fe993efa06b94c64
  SHA512: 49f2b062adfb99c0c7f1012c56f0b52a8850d9f030cc32073b90025b372e4eb373f06a351e9b33264967427b8174c060c8a6110979f0eaf0872f7da6d5e4308a
- MD5: 92dc6ef532fbb4a5c3201469a5b5eb63
  SHA1: 3e89ff837147c16b4e41c30d6c796374e0b8e62c
  SHA256: 9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87
  SHA512: 9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3
- MD5: d82a429efd885ca0f324dd92afb6b7b8
  SHA1: 86bbdaa15e6fc5c7779ac69c84e53c43c9eb20ea
  SHA256: b258c4d7d2113dee2168ed7e35568c8e03341e24e3eafc7a22a0d62e32122ef3
  SHA512: 5bf0c3b8fa5db63205a263c4fa5337188173248bef609ba4d03508c50db1fd1e336f3041ce96d78cc97659357a83e6e422f5b079d893a20a683270e05f5438df