Analysis
- max time kernel: 162s
- max time network: 167s
- platform: windows10_x64
- resource: win10-en-20211014
- submitted: 01-12-2021 17:27
Static task: static1
Behavioral task: behavioral1 (Sample: x.exe, Resource: win7-en-20211014)
Behavioral task: behavioral2 (Sample: x.exe, Resource: win10-en-20211014)
General
- Target: x.exe
- Size: 356KB
- MD5: 9b45ab810d3fc0ddc2274c744de9e407
- SHA1: 68f088f772bca3126de301f91587272699cb591d
- SHA256: afb047616bd38a5e465bfeaff788843797806e4e9e72150906cac2004de7c9b7
- SHA512: 1079896ccbbc03064aced341238f260442710c6b0dca6d024dfd95337fb8d8faf49feda9905bdb96f3451b9343f23422ad02a0143f369c1a7bdb5c04a7b82862
Malware Config
Signatures
- Executes dropped EXE (2 IoCs)
  pid 1348  x.exe
  pid 1052  x.exe
- YARA rule matches (3 IoCs)
  resource C:\ProgramData\winc\x.exe  yara_rule upx
  resource C:\ProgramData\winc\x.exe  yara_rule upx
  resource C:\ProgramData\winc\x.exe  yara_rule upx
- Adds Run key to start application (2 TTPs, 6 IoCs)
  Each of the three x.exe processes records the same pair of events, in this order:
  Set value (str)  \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\xx = "C:\\ProgramData\\winc\\x.exe"  process x.exe
  Key created      \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce  process x.exe
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid 1348  x.exe
- Suspicious use of AdjustPrivilegeToken (9 IoCs)
  Token: SeShutdownPrivilege  pid 3508  x.exe
  Token: SeDebugPrivilege     pid 3508  x.exe
  Token: SeTcbPrivilege       pid 3508  x.exe
  Token: SeShutdownPrivilege  pid 1348  x.exe
  Token: SeDebugPrivilege     pid 1348  x.exe
  Token: SeTcbPrivilege       pid 1348  x.exe
  Token: SeShutdownPrivilege  pid 1052  x.exe
  Token: SeDebugPrivilege     pid 1052  x.exe
  Token: SeTcbPrivilege       pid 1052  x.exe
- Suspicious use of SetWindowsHookEx (1 IoC)
  pid 1348  x.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  PID 3508 wrote to memory of 1348  (x.exe -> x.exe), recorded three times
  PID 1348 wrote to memory of 1052  (x.exe -> x.exe), recorded three times
Processes
- C:\Users\Admin\AppData\Local\Temp\x.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\x.exe"
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\ProgramData\winc\x.exe
    command line: "C:\ProgramData\winc\x.exe"
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - C:\ProgramData\winc\x.exe
      command line: "C:\ProgramData\winc\x.exe" 1348  (the argument is the PID of the parent x.exe)
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of AdjustPrivilegeToken
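The tree above, read together with the signature tables, gives three cheap host-side detections for this sample: a file dropped under C:\ProgramData with the submitted sample's own hash, a RunOnce value pointing at a user-writable path, and a copy of the binary relaunching itself with its parent's PID on the command line. The script below is an added example, not part of this report or of any sandbox vendor's tooling. It runs those checks over constructed event records that mirror the report's IoCs (the field names kind, key, data, image, parent_image, cmdline, pid, ppid, path and sha256 are an assumed, simplified schema, not a real log format), and it generalizes the Run key check to both Run and RunOnce, which the report does not show but which the same rule should cover.

```python
"""Detection logic for the behaviour this report records.

Added example: not part of the report or of any sandbox vendor's tooling.
The event records below are constructed to mirror the report's IoCs; their
field names (kind, key, data, image, parent_image, cmdline, pid, ppid,
path, sha256) are an assumed, simplified schema, not a real log format.
"""
import ntpath
import re
from dataclasses import dataclass

# Indicator copied from the report (SHA256 of both x.exe and its dropped copy).
KNOWN_SHA256 = {
    "afb047616bd38a5e465bfeaff788843797806e4e9e72150906cac2004de7c9b7",
}

# The report shows RunOnce; Run is the sibling autostart key, so one check covers both.
AUTOSTART_RE = re.compile(
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\(Run|RunOnce)\\(?P<value>[^\\]+)$",
    re.IGNORECASE,
)

# Locations a dropper can write without elevation. An autostart entry that points
# here deserves attention; one under Program Files usually does not.
USER_WRITABLE_PREFIXES = ("c:\\programdata\\", "c:\\users\\")


@dataclass(frozen=True)
class Finding:
    rule: str
    pid: int
    detail: str


def _split_cmdline(cmdline: str):
    """Return (image, [args]) for a Windows command line whose image may be quoted."""
    cmdline = cmdline.strip()
    if cmdline.startswith('"'):
        end = cmdline.find('"', 1)
        return cmdline[1:end], cmdline[end + 1:].split()
    parts = cmdline.split(None, 1)
    return parts[0], (parts[1].split() if len(parts) > 1 else [])


def rule_autostart_to_user_writable(ev):
    """Run/RunOnce value whose target lives in a user-writable directory."""
    if ev.get("kind") != "registry_set":
        return None
    m = AUTOSTART_RE.search(ev["key"])
    if not m:
        return None
    image, _ = _split_cmdline(ev["data"])
    if not image.lower().startswith(USER_WRITABLE_PREFIXES):
        return None
    return Finding("autostart_user_writable", ev["pid"], f"{m.group('value')} -> {image}")


def rule_self_relaunch_with_parent_pid(ev):
    """Child with the same file name as its parent, given the parent's PID as an argument."""
    if ev.get("kind") != "process_create":
        return None
    same_name = ntpath.basename(ev["image"]).lower() == ntpath.basename(ev["parent_image"]).lower()
    _, args = _split_cmdline(ev["cmdline"])
    if not same_name or str(ev["ppid"]) not in args:
        return None
    return Finding("self_relaunch_parent_pid", ev["pid"], f"{ev['image']} {' '.join(args)}")


def rule_known_hash(ev):
    """Dropped file whose SHA256 is on the known-bad list."""
    if ev.get("kind") != "file_create" or ev.get("sha256") not in KNOWN_SHA256:
        return None
    return Finding("known_sha256", ev["pid"], ev["path"])


RULES = (rule_known_hash, rule_autostart_to_user_writable, rule_self_relaunch_with_parent_pid)


def scan(events):
    """Run every rule over every event; findings come back in event order."""
    findings = []
    for ev in events:
        for rule in RULES:
            finding = rule(ev)
            if finding is not None:
                findings.append(finding)
    return findings


SID = "S-1-5-21-941723256-3451054534-3089625102-1000"  # user SID from the report
RUNONCE = f"\\REGISTRY\\USER\\{SID}\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce"

# Constructed events mirroring the report's process tree and IoCs, plus one benign control.
SAMPLE_EVENTS = [
    {"kind": "file_create", "pid": 3508, "path": "C:\\ProgramData\\winc\\x.exe",
     "sha256": "afb047616bd38a5e465bfeaff788843797806e4e9e72150906cac2004de7c9b7"},
    {"kind": "registry_set", "pid": 3508, "key": RUNONCE + "\\xx",
     "data": "C:\\ProgramData\\winc\\x.exe"},
    {"kind": "process_create", "pid": 1348, "ppid": 3508,
     "image": "C:\\ProgramData\\winc\\x.exe",
     "parent_image": "C:\\Users\\Admin\\AppData\\Local\\Temp\\x.exe",
     "cmdline": '"C:\\ProgramData\\winc\\x.exe"'},
    {"kind": "process_create", "pid": 1052, "ppid": 1348,
     "image": "C:\\ProgramData\\winc\\x.exe",
     "parent_image": "C:\\ProgramData\\winc\\x.exe",
     "cmdline": '"C:\\ProgramData\\winc\\x.exe" 1348'},
    # Benign control: an installer finishing its setup from Program Files (no finding expected).
    {"kind": "registry_set", "pid": 4000, "key": RUNONCE + "\\Setup",
     "data": '"C:\\Program Files\\Vendor\\setup.exe" /finish'},
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(f"[{finding.rule}] pid {finding.pid}: {finding.detail}")
```

On the constructed events the scan fires three times (the hash match and the RunOnce write from pid 3508, the self-relaunch from pid 1052) and stays silent on the Program Files control entry and on the first child, which shares the parent's file name but is launched without a PID argument. The PID-argument check matters: many legitimate programs spawn a same-named helper, so the file name alone is a weak signal.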
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\ProgramData\winc\x.exe (three identical entries; the hashes match the submitted sample, so the dropped file is an unmodified copy of x.exe)
  MD5: 9b45ab810d3fc0ddc2274c744de9e407
  SHA1: 68f088f772bca3126de301f91587272699cb591d
  SHA256: afb047616bd38a5e465bfeaff788843797806e4e9e72150906cac2004de7c9b7
  SHA512: 1079896ccbbc03064aced341238f260442710c6b0dca6d024dfd95337fb8d8faf49feda9905bdb96f3451b9343f23422ad02a0143f369c1a7bdb5c04a7b82862
- memory/1052-118-0x0000000000000000-mapping.dmp
- memory/1348-115-0x0000000000000000-mapping.dmp