Analysis
-
max time kernel
119s -
max time network
119s -
platform
windows10_x64 -
resource
win10-en-20211208 -
submitted
07-01-2022 12:12
Static task
static1
Behavioral task
behavioral1
Sample
cc7d7321cd0e93fb312ea39c0124256fa60b3335cd6632ec0e83ffb4bf2b3dc9.exe
Resource
win10-en-20211208
windows10_x64
0 signatures
0 seconds
General
-
Target
cc7d7321cd0e93fb312ea39c0124256fa60b3335cd6632ec0e83ffb4bf2b3dc9.exe
-
Size
1.9MB
-
MD5
a65b75567794b4d9f2558c672bd07dd5
-
SHA1
e217c9fde4b32680a11adf2200e673519f595bd3
-
SHA256
cc7d7321cd0e93fb312ea39c0124256fa60b3335cd6632ec0e83ffb4bf2b3dc9
-
SHA512
4388fc585cd542df150f427b2d7b4bea03de0cd51ce634dea5935215582990b55546f3e39ae172a6c142b0b96d83a659a6b14a336a622978c5d0a9de23062ccb
Score
10/10
Malware Config
Extracted
Family
bitrat
Version
1.38
C2
severdops.ddns.net:3071
Attributes
-
communication_password
29ef52e7563626a96cea7f4b4085c124
-
install_dir
msWORLD
-
install_file
excel.exe
-
tor_process
tor
Signatures
-
Processes:
resource yara_rule behavioral1/memory/2760-120-0x0000000000400000-0x00000000007E4000-memory.dmp upx behavioral1/memory/2760-122-0x0000000000400000-0x00000000007E4000-memory.dmp upx behavioral1/memory/2760-123-0x0000000000400000-0x00000000007E4000-memory.dmp upx -
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
aspnet_compiler.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Windows\CurrentVersion\Run\excel = "C:\\Users\\Admin\\AppData\\Local\\msWORLD\\excel.exe\uff00" aspnet_compiler.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs
Processes:
aspnet_compiler.exepid process 2760 aspnet_compiler.exe 2760 aspnet_compiler.exe 2760 aspnet_compiler.exe 2760 aspnet_compiler.exe 2760 aspnet_compiler.exe -
Suspicious use of SetThreadContext 1 IoCs
Processes:
cc7d7321cd0e93fb312ea39c0124256fa60b3335cd6632ec0e83ffb4bf2b3dc9.exedescription pid process target process PID 2340 set thread context of 2760 2340 cc7d7321cd0e93fb312ea39c0124256fa60b3335cd6632ec0e83ffb4bf2b3dc9.exe aspnet_compiler.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
cc7d7321cd0e93fb312ea39c0124256fa60b3335cd6632ec0e83ffb4bf2b3dc9.exeaspnet_compiler.exedescription pid process Token: SeDebugPrivilege 2340 cc7d7321cd0e93fb312ea39c0124256fa60b3335cd6632ec0e83ffb4bf2b3dc9.exe Token: SeShutdownPrivilege 2760 aspnet_compiler.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
aspnet_compiler.exepid process 2760 aspnet_compiler.exe 2760 aspnet_compiler.exe -
Suspicious use of WriteProcessMemory 7 IoCs
Processes:
cc7d7321cd0e93fb312ea39c0124256fa60b3335cd6632ec0e83ffb4bf2b3dc9.exedescription pid process target process PID 2340 wrote to memory of 2760 2340 cc7d7321cd0e93fb312ea39c0124256fa60b3335cd6632ec0e83ffb4bf2b3dc9.exe aspnet_compiler.exe PID 2340 wrote to memory of 2760 2340 cc7d7321cd0e93fb312ea39c0124256fa60b3335cd6632ec0e83ffb4bf2b3dc9.exe aspnet_compiler.exe PID 2340 wrote to memory of 2760 2340 cc7d7321cd0e93fb312ea39c0124256fa60b3335cd6632ec0e83ffb4bf2b3dc9.exe aspnet_compiler.exe PID 2340 wrote to memory of 2760 2340 cc7d7321cd0e93fb312ea39c0124256fa60b3335cd6632ec0e83ffb4bf2b3dc9.exe aspnet_compiler.exe PID 2340 wrote to memory of 2760 2340 cc7d7321cd0e93fb312ea39c0124256fa60b3335cd6632ec0e83ffb4bf2b3dc9.exe aspnet_compiler.exe PID 2340 wrote to memory of 2760 2340 cc7d7321cd0e93fb312ea39c0124256fa60b3335cd6632ec0e83ffb4bf2b3dc9.exe aspnet_compiler.exe PID 2340 wrote to memory of 2760 2340 cc7d7321cd0e93fb312ea39c0124256fa60b3335cd6632ec0e83ffb4bf2b3dc9.exe aspnet_compiler.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\cc7d7321cd0e93fb312ea39c0124256fa60b3335cd6632ec0e83ffb4bf2b3dc9.exe"C:\Users\Admin\AppData\Local\Temp\cc7d7321cd0e93fb312ea39c0124256fa60b3335cd6632ec0e83ffb4bf2b3dc9.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"2⤵
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/2340-115-0x00000000008F0000-0x0000000000AE2000-memory.dmpFilesize
1.9MB
-
memory/2340-116-0x00000000008F0000-0x0000000000AE2000-memory.dmpFilesize
1.9MB
-
memory/2340-117-0x000000001B820000-0x000000001B822000-memory.dmpFilesize
8KB
-
memory/2340-118-0x000000001B830000-0x000000001BA1E000-memory.dmpFilesize
1.9MB
-
memory/2340-119-0x0000000000F10000-0x0000000000F1E000-memory.dmpFilesize
56KB
-
memory/2760-120-0x0000000000400000-0x00000000007E4000-memory.dmpFilesize
3.9MB
-
memory/2760-121-0x00000000007E2750-mapping.dmp
-
memory/2760-122-0x0000000000400000-0x00000000007E4000-memory.dmpFilesize
3.9MB
-
memory/2760-123-0x0000000000400000-0x00000000007E4000-memory.dmpFilesize
3.9MB