Analysis
- max time kernel: 151s
- max time network: 152s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 20-05-2022 14:34
Tasks
- Static task: static1
- Behavioral task: behavioral1
- Sample: Absa.exe
- Resource: win7-20220414-en (windows7_x64), 0 signatures, 0 seconds
General
- Target: Absa.exe
- Size: 638KB
- MD5: 3e6a8a40fd2a124f8c9a3bc25bcebe94
- SHA1: 313a12b860281062c2842359e0d90c79695c5fa7
- SHA256: 3434bb383c8dd721266f60e07820474205d70c5da9ebb465109ace7894567437
- SHA512: e87dbfb61459c039fd9d897c6bb468669d389074c28f701339c85c38193f76d501dee7825b2235785059a14df1a5949cc003732e55ef94b39b41205cdaab1338
Malware Config
Signatures
- Drops startup file (1 IoC)
  Processes: notepad.exe
  description | ioc | process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TaskMrg.vbs | notepad.exe
- Suspicious use of SetThreadContext (1 IoC)
  Processes: Absa.exe
  description | pid | process | target process
  PID 4808 set thread context of 4284 | 4808 | Absa.exe | Absa.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes: Absa.exe, Absa.exe
  pid | process
  4808 | Absa.exe (2 entries)
  4476 | Absa.exe (repeated for the remaining entries)
- Suspicious behavior: MapViewOfSection (1 IoC)
  Processes: Absa.exe
  pid | process
  4808 | Absa.exe
- Suspicious use of WriteProcessMemory (11 IoCs)
  Processes: Absa.exe
  description | pid | process | target process
  PID 4808 wrote to memory of 4188 | 4808 | Absa.exe | notepad.exe (5 entries)
  PID 4808 wrote to memory of 4284 | 4808 | Absa.exe | Absa.exe (3 entries)
  PID 4808 wrote to memory of 4476 | 4808 | Absa.exe | Absa.exe (3 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\Absa.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Absa.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\notepad.exe
    Command line: "C:\Windows\system32\notepad.exe"
    - Drops startup file
  - C:\Users\Admin\AppData\Local\Temp\Absa.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Absa.exe"
  - C:\Users\Admin\AppData\Local\Temp\Absa.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Absa.exe" 2 4284 240543343
    - Suspicious behavior: EnumeratesProcesses