Analysis
-
max time kernel
20s -
max time network
155s -
platform
windows10_x64 -
resource
win10-en-20210920 -
submitted
26-09-2021 14:50
Static task
static1
Behavioral task
behavioral1
Sample
4aeb49bf7e23aab664de914df204664f.exe
Resource
win7-en-20210920
Behavioral task
behavioral2
Sample
4aeb49bf7e23aab664de914df204664f.exe
Resource
win10-en-20210920
General
-
Target
4aeb49bf7e23aab664de914df204664f.exe
-
Size
120KB
-
MD5
4aeb49bf7e23aab664de914df204664f
-
SHA1
a9a80ec2e9ea803aa8db80aac266826304916dbf
-
SHA256
d11342ce9c7550e129e455126cb6373145ea86ae5ee777a652205541ef4cec2c
-
SHA512
494bb1b3b713ca9592568dc58b27696f64b727dbdcd03f646f3a57235ffbe5a6ffde659bcef7fa13b7ebd854fd67ba8dd5fb0e23c1bcbf2d661896ebc23bf57e
Malware Config
Signatures
-
Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
-
Modifies system executable filetype association 2 TTPs 1 IoCs
Processes:
4aeb49bf7e23aab664de914df204664f.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" 4aeb49bf7e23aab664de914df204664f.exe -
Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
-
Executes dropped EXE 1 IoCs
Processes:
4aeb49bf7e23aab664de914df204664f.exepid process 2524 4aeb49bf7e23aab664de914df204664f.exe -
Drops file in Windows directory 1 IoCs
Processes:
4aeb49bf7e23aab664de914df204664f.exedescription ioc process File opened for modification C:\Windows\svchost.com 4aeb49bf7e23aab664de914df204664f.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Modifies registry class 1 IoCs
Processes:
4aeb49bf7e23aab664de914df204664f.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" 4aeb49bf7e23aab664de914df204664f.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
4aeb49bf7e23aab664de914df204664f.exepid process 2524 4aeb49bf7e23aab664de914df204664f.exe -
Suspicious use of WriteProcessMemory 3 IoCs
Processes:
4aeb49bf7e23aab664de914df204664f.exedescription pid process target process PID 2168 wrote to memory of 2524 2168 4aeb49bf7e23aab664de914df204664f.exe 4aeb49bf7e23aab664de914df204664f.exe PID 2168 wrote to memory of 2524 2168 4aeb49bf7e23aab664de914df204664f.exe 4aeb49bf7e23aab664de914df204664f.exe PID 2168 wrote to memory of 2524 2168 4aeb49bf7e23aab664de914df204664f.exe 4aeb49bf7e23aab664de914df204664f.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\4aeb49bf7e23aab664de914df204664f.exe"C:\Users\Admin\AppData\Local\Temp\4aeb49bf7e23aab664de914df204664f.exe"1⤵
- Modifies system executable filetype association
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\3582-490\4aeb49bf7e23aab664de914df204664f.exe"C:\Users\Admin\AppData\Local\Temp\3582-490\4aeb49bf7e23aab664de914df204664f.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\3582-490\4aeb49bf7e23aab664de914df204664f.exeMD5
c666c22685d135c1efe709cbedd0eb6b
SHA10da7aed60d8a194da98c44cd5ad76efc57e00dff
SHA256a393c2aa773ef090f5e907c90c5cf90d67c2b6db2a2ffedac0b75c748f3a7b45
SHA5126430a0ec3002777df9357463eb3f1c279b5e4b1778bc8ff77140c947d484e8d5d17dd268c3744008d0cb52fcd58232489c2a8335e816462b1d35f11949f8fea8
-
C:\Users\Admin\AppData\Local\Temp\3582-490\4aeb49bf7e23aab664de914df204664f.exeMD5
c666c22685d135c1efe709cbedd0eb6b
SHA10da7aed60d8a194da98c44cd5ad76efc57e00dff
SHA256a393c2aa773ef090f5e907c90c5cf90d67c2b6db2a2ffedac0b75c748f3a7b45
SHA5126430a0ec3002777df9357463eb3f1c279b5e4b1778bc8ff77140c947d484e8d5d17dd268c3744008d0cb52fcd58232489c2a8335e816462b1d35f11949f8fea8
-
memory/2524-115-0x0000000000000000-mapping.dmp
-
memory/2524-120-0x00000000029E0000-0x00000000029EF000-memory.dmpFilesize
60KB