Analysis
max time kernel: 14s
max time network: 79s
platform: windows10_x64
resource: win10v20210408
submitted: 30-06-2021 18:52
Static task: static1
Behavioral task: behavioral1
  Sample: 467e17b8d44626b7456716680e3d043d.exe
  Resource: win7v20210410 (windows7_x64)
  0 signatures, 0 seconds
Behavioral task: behavioral2
  Sample: 467e17b8d44626b7456716680e3d043d.exe
  Resource: win10v20210408 (windows10_x64)
  0 signatures, 0 seconds
General
Target: 467e17b8d44626b7456716680e3d043d.exe
Size: 349KB
MD5: 467e17b8d44626b7456716680e3d043d
SHA1: 6636511ae14abb0f2554199b4ed8977def1d9b8a
SHA256: cf2aec2969353dc99a7f715ac818212b42b8cff7a58c9109442f2c65ff62de42
SHA512: 5f3a0f47bfe3f1784849c9ddedc30e489b5d37cbb0a73c488ab58efc7a777d0d5e0c5a5abef63661166003b623224d6990b8baa160d6e398dc804b4c2fb941a7
Score: 6/10
Malware Config
Signatures
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes: reg.exe
  Key created: \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run (reg.exe)
  Set value (str): \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Adobe Reader = "C:\\Users\\Admin\\AppData\\Local\\Adobe Reader.exe" (reg.exe)
- Modifies registry class (1 IoC)
  Processes: calc.exe
  Key created: \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings (calc.exe)
- Suspicious use of SetWindowsHookEx (1 IoC)
  Processes: OpenWith.exe
  PID 520 OpenWith.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes: 467e17b8d44626b7456716680e3d043d.exe, cmd.exe
  PID 808 wrote to memory of 3304: 467e17b8d44626b7456716680e3d043d.exe -> cmd.exe
  PID 808 wrote to memory of 3304: 467e17b8d44626b7456716680e3d043d.exe -> cmd.exe
  PID 808 wrote to memory of 3304: 467e17b8d44626b7456716680e3d043d.exe -> cmd.exe
  PID 3304 wrote to memory of 3036: cmd.exe -> reg.exe
  PID 3304 wrote to memory of 3036: cmd.exe -> reg.exe
  PID 3304 wrote to memory of 3036: cmd.exe -> reg.exe
  PID 808 wrote to memory of 2432: 467e17b8d44626b7456716680e3d043d.exe -> calc.exe
  PID 808 wrote to memory of 2432: 467e17b8d44626b7456716680e3d043d.exe -> calc.exe
  PID 808 wrote to memory of 2432: 467e17b8d44626b7456716680e3d043d.exe -> calc.exe
Processes
C:\Users\Admin\AppData\Local\Temp\467e17b8d44626b7456716680e3d043d.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\467e17b8d44626b7456716680e3d043d.exe"
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\cmd.exe
    command line: C:\Windows\system32\cmd.exe /c copy "C:\Users\Admin\AppData\Local\Temp\467e17b8d44626b7456716680e3d043d.exe" "C:\Users\%username%\AppData\Local\Adobe Reader.exe" & REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Adobe Reader" /t REG_SZ /F /D "C:\Users\%username%\AppData\Local\Adobe Reader.exe"
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\reg.exe
      command line: REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Adobe Reader" /t REG_SZ /F /D "C:\Users\Admin\AppData\Local\Adobe Reader.exe"
      - Adds Run key to start application
  C:\Windows\SysWOW64\calc.exe
    command line: "C:\Windows\System32\calc.exe"
    - Modifies registry class
C:\Windows\system32\OpenWith.exe
  command line: C:\Windows\system32\OpenWith.exe -Embedding
  - Suspicious use of SetWindowsHookEx