Analysis
- max time kernel: 146s
- max time network: 132s
- platform: windows7_x64
- resource: win7-en-20211014
- submitted: 01-12-2021 17:27
Tasks
- Static task: static1
- Behavioral task: behavioral1 (sample: x.exe, resource: win7-en-20211014)
- Behavioral task: behavioral2 (sample: x.exe, resource: win10-en-20211014)
General
- Target: x.exe
- Size: 356KB
- MD5: 9b45ab810d3fc0ddc2274c744de9e407
- SHA1: 68f088f772bca3126de301f91587272699cb591d
- SHA256: afb047616bd38a5e465bfeaff788843797806e4e9e72150906cac2004de7c9b7
- SHA512: 1079896ccbbc03064aced341238f260442710c6b0dca6d024dfd95337fb8d8faf49feda9905bdb96f3451b9343f23422ad02a0143f369c1a7bdb5c04a7b82862
Malware Config
Signatures
- Executes dropped EXE (2 IoCs)
  Processes: PID 268 x.exe; PID 1424 x.exe
  YARA rule matches on the dropped file (resource / rule):
    \ProgramData\winc\x.exe / upx
    C:\ProgramData\winc\x.exe / upx (three entries)
  The dropped copy matches the UPX packer rule. Its hashes (see Downloads) are identical to the submitted sample, so the original x.exe is UPX-packed as well; unpack it before static analysis.
- Loads dropped DLL (1 IoC)
  Processes: PID 1096 x.exe
- Adds Run key to start application (2 TTPs, 6 IoCs)
  Key created: \REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce (x.exe)
  Set value (str): \REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\xx = "C:\\ProgramData\\winc\\x.exe" (x.exe)
  Each of the three x.exe processes performs this key-create / set-value pair, which is why the signature counts 6 IoCs. Note that the key is HKCU\...\RunOnce rather than Run: Windows deletes a RunOnce value before executing it at the next logon, so the sample has to re-create the entry on every run to keep its persistence.
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  Processes: PID 268 x.exe
- Suspicious use of AdjustPrivilegeToken (9 IoCs)
  Each of PIDs 1096, 268 and 1424 (x.exe) adjusts its token for SeShutdownPrivilege, SeDebugPrivilege and SeTcbPrivilege.
  The report records the calls, not whether they succeeded: AdjustTokenPrivileges can only enable privileges the token already holds. SeDebugPrivilege is present (disabled) only in administrator tokens, and SeTcbPrivilege is normally held only by the LocalSystem account, so at least the SeTcbPrivilege request would fail for the sandbox user.
- Suspicious use of SetWindowsHookEx (1 IoC)
  Processes: PID 268 x.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  PID 1096 (x.exe) wrote to the memory of PID 268 (x.exe): 4 calls
  PID 268 (x.exe) wrote to the memory of PID 1424 (x.exe): 4 calls
  Each parent writes into the child it has just started (see the process tree below), and the last child is launched with its parent's PID (268) as a command-line argument.
Processes (PIDs taken from the Signatures tables above)
- C:\Users\Admin\AppData\Local\Temp\x.exe (PID 1096, depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\x.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\ProgramData\winc\x.exe (PID 268, depth 2, child of 1096)
    Command line: "C:\ProgramData\winc\x.exe"
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - C:\ProgramData\winc\x.exe (PID 1424, depth 3, child of 268)
      Command line: "C:\ProgramData\winc\x.exe" 268
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of AdjustPrivilegeToken
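The Signatures and Processes sections above describe three behaviours that are easy to turn into detection logic: a Run/RunOnce value pointing at an executable under a user-writable directory, a process relaunching its own image with the parent PID on the command line, and a parent writing repeatedly into the memory of a child it just spawned. The following is an added example, not part of the sandbox report or of the sample: the EVENTS list is constructed by hand from the report's tables (PIDs 1096 -> 268 -> 1424) in a simplified schema of my own; the mapping of that schema onto Sysmon event IDs in the comments is an assumption about how a real pipeline would feed it.

```python
"""Detection rules for the behaviours recorded in this report, run over event
records reconstructed from the report itself.

Added example; not part of the sandbox report or of the sample. EVENTS is
constructed by hand from the Signatures and Processes sections. The schema is
a simplification: a real pipeline would populate it from Sysmon EventID 1
(process create), 13 (registry value set) and 10 (process access).
"""

import re
from collections import Counter
from ntpath import basename

RUNONCE_KEY = (r"\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000"
               r"\Software\Microsoft\Windows\CurrentVersion\RunOnce")
WINC = r"C:\ProgramData\winc\x.exe"

# Constructed from the report: process tree, the three RunOnce writes, and
# the two groups of four WriteProcessMemory calls.
EVENTS = [
    {"type": "proc_create", "pid": 1096, "ppid": 0,
     "image": r"C:\Users\Admin\AppData\Local\Temp\x.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\x.exe"'},
    {"type": "proc_create", "pid": 268, "ppid": 1096, "image": WINC,
     "cmdline": f'"{WINC}"'},
    {"type": "proc_create", "pid": 1424, "ppid": 268, "image": WINC,
     "cmdline": f'"{WINC}" 268'},
] + [
    {"type": "reg_set", "pid": pid, "key": RUNONCE_KEY, "value": "xx", "data": WINC}
    for pid in (1096, 268, 1424)
] + [
    {"type": "wpm", "pid": 1096, "target": 268} for _ in range(4)
] + [
    {"type": "wpm", "pid": 268, "target": 1424} for _ in range(4)
]

# Run and RunOnce under ...\Windows\CurrentVersion; the sandbox records HKCU as
# \REGISTRY\USER\<SID>, so match on the key suffix only.
AUTORUN_KEY_RE = re.compile(
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?$", re.I)
# Directories an unprivileged user can write to. A startup entry pointing here
# is far more suspicious than one pointing into Program Files.
USER_WRITABLE = (r"c:\programdata\", r"\appdata\", r"\temp\", r"c:\users\public\")


def autorun_to_user_writable(events):
    """Return (pid, key_kind, value_name, data) for every Run/RunOnce value
    whose data is a path under a user-writable directory."""
    hits = []
    for e in events:
        if e["type"] != "reg_set":
            continue
        m = AUTORUN_KEY_RE.search(e["key"])
        if not m:
            continue
        target = e["data"].strip('"').lower()
        if any(d in target for d in USER_WRITABLE):
            hits.append((e["pid"], "RunOnce" if m.group(1) else "Run",
                         e["value"], e["data"]))
    return hits


def _args(cmdline):
    """Split a Windows command line into the arguments after the (possibly
    quoted) image path."""
    m = re.match(r'^\s*(?:"[^"]*"|\S+)\s*(.*)$', cmdline)
    return m.group(1).split() if m else []


def self_relaunch_with_parent_pid(events):
    """Return (parent_pid, child_pid) wherever a process starts a child with
    the same image name and passes its own PID as a command-line argument."""
    procs = {e["pid"]: e for e in events if e["type"] == "proc_create"}
    hits = []
    for child in procs.values():
        parent = procs.get(child["ppid"])
        if parent is None:
            continue
        same_name = basename(child["image"]).lower() == basename(parent["image"]).lower()
        if same_name and str(parent["pid"]) in _args(child["cmdline"]):
            hits.append((parent["pid"], child["pid"]))
    return hits


def writes_into_own_children(events):
    """Count WriteProcessMemory calls from a process into a child it created,
    keyed by (writer_pid, target_pid)."""
    parent_of = {e["pid"]: e["ppid"] for e in events if e["type"] == "proc_create"}
    counts = Counter((e["pid"], e["target"]) for e in events
                     if e["type"] == "wpm" and parent_of.get(e["target"]) == e["pid"])
    return dict(counts)


def triggered_rules(events):
    """Names of the rules that fire on the event set, in a fixed order."""
    rules = [
        ("autorun_to_user_writable", autorun_to_user_writable),
        ("self_relaunch_with_parent_pid", self_relaunch_with_parent_pid),
        ("writes_into_own_children", writes_into_own_children),
    ]
    return [name for name, fn in rules if fn(events)]


if __name__ == "__main__":
    for name in triggered_rules(EVENTS):
        print(name)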
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\ProgramData\winc\x.exe (listed four times in the report, once as \ProgramData\winc\x.exe; every entry carries the same hashes)
  MD5: 9b45ab810d3fc0ddc2274c744de9e407
  SHA1: 68f088f772bca3126de301f91587272699cb591d
  SHA256: afb047616bd38a5e465bfeaff788843797806e4e9e72150906cac2004de7c9b7
  SHA512: 1079896ccbbc03064aced341238f260442710c6b0dca6d024dfd95337fb8d8faf49feda9905bdb96f3451b9343f23422ad02a0143f369c1a7bdb5c04a7b82862
  These are the same hashes as the submitted sample under General, so the file dropped to C:\ProgramData\winc\ is a byte-for-byte copy of x.exe, not an unpacked or modified payload.
- memory/268-57-0x0000000000000000-mapping.dmp
- memory/1096-55-0x00000000758C1000-0x00000000758C3000-memory.dmp (8KB)
- memory/1424-61-0x0000000000000000-mapping.dmp