Analysis
- max time kernel: 137s
- max time network: 139s
- platform: windows7_x64
- resource: win7v20210410
- submitted: 22-07-2021 07:37
Static task: static1
Behavioral task: behavioral1
- Sample: aaeb41df199f1f1ff43ea44a9e70977fd66b050903fd9ed63c08fd74f331530f.exe
- Resource: win7v20210410
Behavioral task: behavioral2
- Sample: aaeb41df199f1f1ff43ea44a9e70977fd66b050903fd9ed63c08fd74f331530f.exe
- Resource: win10v20210408
General
- Target: aaeb41df199f1f1ff43ea44a9e70977fd66b050903fd9ed63c08fd74f331530f.exe
- Size: 161KB
- MD5: 7192c0bd9f8bc32f896405258120c991
- SHA1: a85b84c35c3178c50dd22e77a0f3872158b16208
- SHA256: aaeb41df199f1f1ff43ea44a9e70977fd66b050903fd9ed63c08fd74f331530f
- SHA512: 2382ce453b1299c5e6765faf9e800baceec93b23ce05443dc726f15f515003bc17d41e4ed4c236566ab802a2647e4021ebd5c612d4c51a1d02dcbedf553e3c36
Malware Config
Signatures
- Adds policy Run key to start application (2 TTPs, 2 IoCs)
  Process: msiexec.exe
  description | ioc | process
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | msiexec.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\7994 = "C:\\PROGRA~3\\LOCALS~1\\Temp\\ccvvauzc.com" | msiexec.exe
- Blocklisted process makes network request (37 IoCs)
  Process: msiexec.exe
  flow | pid | process
  5 through 41 (37 consecutive flows) | 1240 | msiexec.exe
- Suspicious use of SetThreadContext (1 IoC)
  Process: aaeb41df199f1f1ff43ea44a9e70977fd66b050903fd9ed63c08fd74f331530f.exe
  description | pid | process | target process
  PID 1756 set thread context of 1328 | 1756 | aaeb41df199f1f1ff43ea44a9e70977fd66b050903fd9ed63c08fd74f331530f.exe | aaeb41df199f1f1ff43ea44a9e70977fd66b050903fd9ed63c08fd74f331530f.exe
- Drops file in Program Files directory (1 IoC)
  Process: msiexec.exe
  description | ioc | process
  File created | C:\PROGRA~3\LOCALS~1\Temp\ccvvauzc.com | msiexec.exe
- Suspicious behavior: MapViewOfSection (2 IoCs)
  Process: aaeb41df199f1f1ff43ea44a9e70977fd66b050903fd9ed63c08fd74f331530f.exe
  pid | process
  1328 | aaeb41df199f1f1ff43ea44a9e70977fd66b050903fd9ed63c08fd74f331530f.exe
  1328 | aaeb41df199f1f1ff43ea44a9e70977fd66b050903fd9ed63c08fd74f331530f.exe
- Suspicious use of WriteProcessMemory (14 IoCs)
  Processes: aaeb41df199f1f1ff43ea44a9e70977fd66b050903fd9ed63c08fd74f331530f.exe, aaeb41df199f1f1ff43ea44a9e70977fd66b050903fd9ed63c08fd74f331530f.exe
  description | pid | process | target process
  PID 1756 wrote to memory of 1328 (7 entries) | 1756 | aaeb41df199f1f1ff43ea44a9e70977fd66b050903fd9ed63c08fd74f331530f.exe | aaeb41df199f1f1ff43ea44a9e70977fd66b050903fd9ed63c08fd74f331530f.exe
  PID 1328 wrote to memory of 1240 (7 entries) | 1328 | aaeb41df199f1f1ff43ea44a9e70977fd66b050903fd9ed63c08fd74f331530f.exe | msiexec.exe
Processes
- Level 1: C:\Users\Admin\AppData\Local\Temp\aaeb41df199f1f1ff43ea44a9e70977fd66b050903fd9ed63c08fd74f331530f.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\aaeb41df199f1f1ff43ea44a9e70977fd66b050903fd9ed63c08fd74f331530f.exe"
  Signatures:
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - Level 2 (child of level 1): C:\Users\Admin\AppData\Local\Temp\aaeb41df199f1f1ff43ea44a9e70977fd66b050903fd9ed63c08fd74f331530f.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\aaeb41df199f1f1ff43ea44a9e70977fd66b050903fd9ed63c08fd74f331530f.exe"
    Signatures:
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    - Level 3 (child of level 2): C:\Windows\syswow64\msiexec.exe
      Command line: C:\Windows\syswow64\msiexec.exe
      Signatures:
      - Adds policy Run key to start application
      - Blocklisted process makes network request
      - Drops file in Program Files directory
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/1240-61-0x0000000000000000-mapping.dmp
- memory/1240-62-0x0000000075FE1000-0x0000000075FE3000-memory.dmp (Filesize: 8KB)
- memory/1240-64-0x0000000000810000-0x0000000000824000-memory.dmp (Filesize: 80KB)
- memory/1240-65-0x00000000001C0000-0x00000000001C5000-memory.dmp (Filesize: 20KB)
- memory/1328-60-0x0000000000407930-mapping.dmp
- memory/1328-59-0x0000000000400000-0x0000000000409000-memory.dmp (Filesize: 36KB)
- memory/1328-63-0x0000000000400000-0x0000000000409000-memory.dmp (Filesize: 36KB)