Analysis
-
max time kernel
151s -
max time network
150s -
platform
windows7_x64 -
resource
win7-20220414-en -
submitted
20-05-2022 23:47
Static task
static1
Behavioral task
behavioral1
Sample
4c6cc49798a17cc509fab09a8f8618c869f6b1485d2fd673ba89842357b90c4e.exe
Resource
win7-20220414-en
Behavioral task
behavioral2
Sample
4c6cc49798a17cc509fab09a8f8618c869f6b1485d2fd673ba89842357b90c4e.exe
Resource
win10v2004-20220414-en
General
-
Target
4c6cc49798a17cc509fab09a8f8618c869f6b1485d2fd673ba89842357b90c4e.exe
-
Size
892KB
-
MD5
53ac2a5394f8713b3c66ba21103ff707
-
SHA1
5e38feca1c8fba6746ad331f4d6435206007b1d0
-
SHA256
4c6cc49798a17cc509fab09a8f8618c869f6b1485d2fd673ba89842357b90c4e
-
SHA512
2ad8414a213082bba37b8fa191f2244d1a3b558a98cf19aaee241427410411b8f3c31daf29468458bec58de71c389f715b1fd8a2348d85b98355f85f83e3da4d
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
Processes:
winversX64.exepid process 544 winversX64.exe -
Modifies Windows Firewall 1 TTPs
-
Processes:
resource yara_rule behavioral1/memory/892-56-0x0000000000400000-0x00000000005C1000-memory.dmp upx behavioral1/memory/892-58-0x0000000000400000-0x00000000005C1000-memory.dmp upx behavioral1/memory/892-60-0x0000000000400000-0x00000000005C1000-memory.dmp upx behavioral1/memory/892-64-0x0000000000400000-0x00000000005C1000-memory.dmp upx behavioral1/memory/892-65-0x0000000000400000-0x00000000005C1000-memory.dmp upx behavioral1/memory/892-67-0x0000000000400000-0x00000000005C1000-memory.dmp upx \Users\Admin\AppData\Roaming\log\winversX64.exe upx C:\Users\Admin\AppData\Roaming\log\winversX64.exe upx C:\Users\Admin\AppData\Roaming\log\winversX64.exe upx -
Loads dropped DLL 1 IoCs
Processes:
4c6cc49798a17cc509fab09a8f8618c869f6b1485d2fd673ba89842357b90c4e.exepid process 892 4c6cc49798a17cc509fab09a8f8618c869f6b1485d2fd673ba89842357b90c4e.exe -
Adds Run key to start application 2 TTPs 4 IoCs
Processes:
winversX64.exe4c6cc49798a17cc509fab09a8f8618c869f6b1485d2fd673ba89842357b90c4e.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows\CurrentVersion\Run\winversX64 = "C:\\Users\\Admin\\AppData\\Roaming\\log\\winversX64.exe" winversX64.exe Key created \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 4c6cc49798a17cc509fab09a8f8618c869f6b1485d2fd673ba89842357b90c4e.exe Set value (str) \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows\CurrentVersion\Run\winversX64 = "C:\\Users\\Admin\\AppData\\Roaming\\log\\AutoUpdate.exe" 4c6cc49798a17cc509fab09a8f8618c869f6b1485d2fd673ba89842357b90c4e.exe Key created \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run winversX64.exe -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 4 icanhazip.com -
AutoIT Executable 2 IoCs
AutoIT scripts compiled to PE executables.
Processes:
resource yara_rule behavioral1/memory/892-65-0x0000000000400000-0x00000000005C1000-memory.dmp autoit_exe behavioral1/memory/892-67-0x0000000000400000-0x00000000005C1000-memory.dmp autoit_exe -
Suspicious use of SetThreadContext 1 IoCs
Processes:
4c6cc49798a17cc509fab09a8f8618c869f6b1485d2fd673ba89842357b90c4e.exedescription pid process target process PID 560 set thread context of 892 560 4c6cc49798a17cc509fab09a8f8618c869f6b1485d2fd673ba89842357b90c4e.exe 4c6cc49798a17cc509fab09a8f8618c869f6b1485d2fd673ba89842357b90c4e.exe -
Suspicious behavior: EnumeratesProcesses 13 IoCs
Processes:
4c6cc49798a17cc509fab09a8f8618c869f6b1485d2fd673ba89842357b90c4e.exe4c6cc49798a17cc509fab09a8f8618c869f6b1485d2fd673ba89842357b90c4e.exepid process 560 4c6cc49798a17cc509fab09a8f8618c869f6b1485d2fd673ba89842357b90c4e.exe 560 4c6cc49798a17cc509fab09a8f8618c869f6b1485d2fd673ba89842357b90c4e.exe 892 4c6cc49798a17cc509fab09a8f8618c869f6b1485d2fd673ba89842357b90c4e.exe 892 4c6cc49798a17cc509fab09a8f8618c869f6b1485d2fd673ba89842357b90c4e.exe 892 4c6cc49798a17cc509fab09a8f8618c869f6b1485d2fd673ba89842357b90c4e.exe 892 4c6cc49798a17cc509fab09a8f8618c869f6b1485d2fd673ba89842357b90c4e.exe 892 4c6cc49798a17cc509fab09a8f8618c869f6b1485d2fd673ba89842357b90c4e.exe 892 4c6cc49798a17cc509fab09a8f8618c869f6b1485d2fd673ba89842357b90c4e.exe 892 4c6cc49798a17cc509fab09a8f8618c869f6b1485d2fd673ba89842357b90c4e.exe 560 4c6cc49798a17cc509fab09a8f8618c869f6b1485d2fd673ba89842357b90c4e.exe 560 4c6cc49798a17cc509fab09a8f8618c869f6b1485d2fd673ba89842357b90c4e.exe 560 4c6cc49798a17cc509fab09a8f8618c869f6b1485d2fd673ba89842357b90c4e.exe 560 4c6cc49798a17cc509fab09a8f8618c869f6b1485d2fd673ba89842357b90c4e.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
4c6cc49798a17cc509fab09a8f8618c869f6b1485d2fd673ba89842357b90c4e.exedescription pid process Token: SeDebugPrivilege 560 4c6cc49798a17cc509fab09a8f8618c869f6b1485d2fd673ba89842357b90c4e.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
winversX64.exepid process 544 winversX64.exe -
Suspicious use of WriteProcessMemory 32 IoCs
Processes:
4c6cc49798a17cc509fab09a8f8618c869f6b1485d2fd673ba89842357b90c4e.exe4c6cc49798a17cc509fab09a8f8618c869f6b1485d2fd673ba89842357b90c4e.execmd.exewinversX64.execmd.exedescription pid process target process PID 560 wrote to memory of 892 560 4c6cc49798a17cc509fab09a8f8618c869f6b1485d2fd673ba89842357b90c4e.exe 4c6cc49798a17cc509fab09a8f8618c869f6b1485d2fd673ba89842357b90c4e.exe PID 560 wrote to memory of 892 560 4c6cc49798a17cc509fab09a8f8618c869f6b1485d2fd673ba89842357b90c4e.exe 4c6cc49798a17cc509fab09a8f8618c869f6b1485d2fd673ba89842357b90c4e.exe PID 560 wrote to memory of 892 560 4c6cc49798a17cc509fab09a8f8618c869f6b1485d2fd673ba89842357b90c4e.exe 4c6cc49798a17cc509fab09a8f8618c869f6b1485d2fd673ba89842357b90c4e.exe PID 560 wrote to memory of 892 560 4c6cc49798a17cc509fab09a8f8618c869f6b1485d2fd673ba89842357b90c4e.exe 4c6cc49798a17cc509fab09a8f8618c869f6b1485d2fd673ba89842357b90c4e.exe PID 560 wrote to memory of 892 560 4c6cc49798a17cc509fab09a8f8618c869f6b1485d2fd673ba89842357b90c4e.exe 4c6cc49798a17cc509fab09a8f8618c869f6b1485d2fd673ba89842357b90c4e.exe PID 560 wrote to memory of 892 560 4c6cc49798a17cc509fab09a8f8618c869f6b1485d2fd673ba89842357b90c4e.exe 4c6cc49798a17cc509fab09a8f8618c869f6b1485d2fd673ba89842357b90c4e.exe PID 560 wrote to memory of 892 560 4c6cc49798a17cc509fab09a8f8618c869f6b1485d2fd673ba89842357b90c4e.exe 4c6cc49798a17cc509fab09a8f8618c869f6b1485d2fd673ba89842357b90c4e.exe PID 560 wrote to memory of 892 560 4c6cc49798a17cc509fab09a8f8618c869f6b1485d2fd673ba89842357b90c4e.exe 4c6cc49798a17cc509fab09a8f8618c869f6b1485d2fd673ba89842357b90c4e.exe PID 892 wrote to memory of 1964 892 4c6cc49798a17cc509fab09a8f8618c869f6b1485d2fd673ba89842357b90c4e.exe cmd.exe PID 892 wrote to memory of 1964 892 4c6cc49798a17cc509fab09a8f8618c869f6b1485d2fd673ba89842357b90c4e.exe cmd.exe PID 892 wrote to memory of 1964 892 4c6cc49798a17cc509fab09a8f8618c869f6b1485d2fd673ba89842357b90c4e.exe cmd.exe PID 892 wrote to memory of 1964 892 4c6cc49798a17cc509fab09a8f8618c869f6b1485d2fd673ba89842357b90c4e.exe cmd.exe PID 1964 wrote to memory of 1764 1964 cmd.exe netsh.exe PID 1964 wrote to memory of 1764 1964 cmd.exe netsh.exe PID 1964 wrote to memory of 1764 1964 cmd.exe netsh.exe PID 1964 wrote to memory of 1764 1964 cmd.exe netsh.exe PID 892 wrote to memory of 1560 892 4c6cc49798a17cc509fab09a8f8618c869f6b1485d2fd673ba89842357b90c4e.exe cmd.exe PID 892 wrote to memory of 1560 892 4c6cc49798a17cc509fab09a8f8618c869f6b1485d2fd673ba89842357b90c4e.exe cmd.exe PID 892 wrote to memory of 1560 892 4c6cc49798a17cc509fab09a8f8618c869f6b1485d2fd673ba89842357b90c4e.exe cmd.exe PID 892 wrote to memory of 1560 892 4c6cc49798a17cc509fab09a8f8618c869f6b1485d2fd673ba89842357b90c4e.exe cmd.exe PID 892 wrote to memory of 544 892 4c6cc49798a17cc509fab09a8f8618c869f6b1485d2fd673ba89842357b90c4e.exe winversX64.exe PID 892 wrote to memory of 544 892 4c6cc49798a17cc509fab09a8f8618c869f6b1485d2fd673ba89842357b90c4e.exe winversX64.exe PID 892 wrote to memory of 544 892 4c6cc49798a17cc509fab09a8f8618c869f6b1485d2fd673ba89842357b90c4e.exe winversX64.exe PID 892 wrote to memory of 544 892 4c6cc49798a17cc509fab09a8f8618c869f6b1485d2fd673ba89842357b90c4e.exe winversX64.exe PID 544 wrote to memory of 764 544 winversX64.exe cmd.exe PID 544 wrote to memory of 764 544 winversX64.exe cmd.exe PID 544 wrote to memory of 764 544 winversX64.exe cmd.exe PID 544 wrote to memory of 764 544 winversX64.exe cmd.exe PID 764 wrote to memory of 1972 764 cmd.exe HOSTNAME.EXE PID 764 wrote to memory of 1972 764 cmd.exe HOSTNAME.EXE PID 764 wrote to memory of 1972 764 cmd.exe HOSTNAME.EXE PID 764 wrote to memory of 1972 764 cmd.exe HOSTNAME.EXE -
System policy modification 1 TTPs 4 IoCs
Processes:
4c6cc49798a17cc509fab09a8f8618c869f6b1485d2fd673ba89842357b90c4e.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer 4c6cc49798a17cc509fab09a8f8618c869f6b1485d2fd673ba89842357b90c4e.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\TaskbarNoNotification = "1" 4c6cc49798a17cc509fab09a8f8618c869f6b1485d2fd673ba89842357b90c4e.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System 4c6cc49798a17cc509fab09a8f8618c869f6b1485d2fd673ba89842357b90c4e.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" 4c6cc49798a17cc509fab09a8f8618c869f6b1485d2fd673ba89842357b90c4e.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\4c6cc49798a17cc509fab09a8f8618c869f6b1485d2fd673ba89842357b90c4e.exe"C:\Users\Admin\AppData\Local\Temp\4c6cc49798a17cc509fab09a8f8618c869f6b1485d2fd673ba89842357b90c4e.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\4c6cc49798a17cc509fab09a8f8618c869f6b1485d2fd673ba89842357b90c4e.exe"C:\Users\Admin\AppData\Local\Temp\4c6cc49798a17cc509fab09a8f8618c869f6b1485d2fd673ba89842357b90c4e.exe"2⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh firewall add allowedprogram program = STcONaURjstoJeQ(uMqeEfSfaGeNmho("yJmAEIBBXdvRXSFRGegUiJnA")) name = STcONaURjstoJeQ(uMqeEfSfaGeNmho("XQ0V1bwVGZ0FQZ==")) mode = ENABLE3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram program = STcONaURjstoJeQ(uMqeEfSfaGeNmho("yJmAEIBBXdvRXSFRGegUiJnA")) name = STcONaURjstoJeQ(uMqeEfSfaGeNmho("XQ0V1bwVGZ0FQZ==")) mode = ENABLE4⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\log\pass.exe all3⤵
-
C:\Users\Admin\AppData\Roaming\log\winversX64.exeC:\Users\Admin\AppData\Roaming\log\winversX64.exe3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /k HOSTNAME4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\HOSTNAME.EXEHOSTNAME5⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Roaming\log\Passwords.txtMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
C:\Users\Admin\AppData\Roaming\log\winversX64.exeFilesize
426KB
MD5360095705468a664c5f965092ae0295b
SHA12a485ef55c880f427e5177872e8cb57000385714
SHA25622e15fc0a75ab319c34b73c67a665bb7ad600ccf5bceea45fa08305ce677a811
SHA51240243726b6e382df5e7f75be5564724170d2bf23e91f0efe451d52371976c6b6040d3c23e204ec9401aa7ef295a71e4e1343e53885d9f4fd15932681a231723f
-
C:\Users\Admin\AppData\Roaming\log\winversX64.exeFilesize
426KB
MD5360095705468a664c5f965092ae0295b
SHA12a485ef55c880f427e5177872e8cb57000385714
SHA25622e15fc0a75ab319c34b73c67a665bb7ad600ccf5bceea45fa08305ce677a811
SHA51240243726b6e382df5e7f75be5564724170d2bf23e91f0efe451d52371976c6b6040d3c23e204ec9401aa7ef295a71e4e1343e53885d9f4fd15932681a231723f
-
\Users\Admin\AppData\Roaming\log\winversX64.exeFilesize
426KB
MD5360095705468a664c5f965092ae0295b
SHA12a485ef55c880f427e5177872e8cb57000385714
SHA25622e15fc0a75ab319c34b73c67a665bb7ad600ccf5bceea45fa08305ce677a811
SHA51240243726b6e382df5e7f75be5564724170d2bf23e91f0efe451d52371976c6b6040d3c23e204ec9401aa7ef295a71e4e1343e53885d9f4fd15932681a231723f
-
memory/544-73-0x0000000000000000-mapping.dmp
-
memory/560-66-0x0000000074500000-0x0000000074AAB000-memory.dmpFilesize
5.7MB
-
memory/560-54-0x0000000075271000-0x0000000075273000-memory.dmpFilesize
8KB
-
memory/764-77-0x0000000000000000-mapping.dmp
-
memory/892-61-0x000000000054BFB0-mapping.dmp
-
memory/892-67-0x0000000000400000-0x00000000005C1000-memory.dmpFilesize
1.8MB
-
memory/892-65-0x0000000000400000-0x00000000005C1000-memory.dmpFilesize
1.8MB
-
memory/892-64-0x0000000000400000-0x00000000005C1000-memory.dmpFilesize
1.8MB
-
memory/892-60-0x0000000000400000-0x00000000005C1000-memory.dmpFilesize
1.8MB
-
memory/892-58-0x0000000000400000-0x00000000005C1000-memory.dmpFilesize
1.8MB
-
memory/892-56-0x0000000000400000-0x00000000005C1000-memory.dmpFilesize
1.8MB
-
memory/892-55-0x0000000000400000-0x00000000005C1000-memory.dmpFilesize
1.8MB
-
memory/1560-71-0x0000000000000000-mapping.dmp
-
memory/1764-69-0x0000000000000000-mapping.dmp
-
memory/1964-68-0x0000000000000000-mapping.dmp
-
memory/1972-78-0x0000000000000000-mapping.dmp