Behavioral Report

Analysis

max time kernel
145s
max time network
171s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
20-05-2022 18:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ed1b8ecb82dcdf896791aadeb9d85344b7e8229f4355dcf24e7c7cee39818f63.exe
Size

5MB
MD5

0a2480dee0105e3cf1bacf79d6bc279c
SHA1

79caa6e3dd9615e8d4d4157d37738bafdc3d7925
SHA256

ed1b8ecb82dcdf896791aadeb9d85344b7e8229f4355dcf24e7c7cee39818f63
SHA512

a843363292f5c96d02a046b4b95b188d374930234a2dfce1391a0c3bb4292662d2e961f716d6901b6b70c4543d5e8b9cf286398ffee8f8133d2da65d5866116a

Score

7^/10

persistence

Malware Config

Signatures

Loads dropped DLL 9 IoCs

Processes:

ed1b8ecb82dcdf896791aadeb9d85344b7e8229f4355dcf24e7c7cee39818f63.exe

pid	process
912	ed1b8ecb82dcdf896791aadeb9d85344b7e8229f4355dcf24e7c7cee39818f63.exe
912	ed1b8ecb82dcdf896791aadeb9d85344b7e8229f4355dcf24e7c7cee39818f63.exe
912	ed1b8ecb82dcdf896791aadeb9d85344b7e8229f4355dcf24e7c7cee39818f63.exe
912	ed1b8ecb82dcdf896791aadeb9d85344b7e8229f4355dcf24e7c7cee39818f63.exe
912	ed1b8ecb82dcdf896791aadeb9d85344b7e8229f4355dcf24e7c7cee39818f63.exe
912	ed1b8ecb82dcdf896791aadeb9d85344b7e8229f4355dcf24e7c7cee39818f63.exe
912	ed1b8ecb82dcdf896791aadeb9d85344b7e8229f4355dcf24e7c7cee39818f63.exe
912	ed1b8ecb82dcdf896791aadeb9d85344b7e8229f4355dcf24e7c7cee39818f63.exe
912	ed1b8ecb82dcdf896791aadeb9d85344b7e8229f4355dcf24e7c7cee39818f63.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

ed1b8ecb82dcdf896791aadeb9d85344b7e8229f4355dcf24e7c7cee39818f63.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicrosoftUpdateXX = "C:\\Users\\Public\\Libraries\\adobeflashplayer.exe"	ed1b8ecb82dcdf896791aadeb9d85344b7e8229f4355dcf24e7c7cee39818f63.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

ed1b8ecb82dcdf896791aadeb9d85344b7e8229f4355dcf24e7c7cee39818f63.exe

pid process

912 ed1b8ecb82dcdf896791aadeb9d85344b7e8229f4355dcf24e7c7cee39818f63.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

ed1b8ecb82dcdf896791aadeb9d85344b7e8229f4355dcf24e7c7cee39818f63.exe

description	pid	process	target process
PID 3660 wrote to memory of 912	3660	ed1b8ecb82dcdf896791aadeb9d85344b7e8229f4355dcf24e7c7cee39818f63.exe	ed1b8ecb82dcdf896791aadeb9d85344b7e8229f4355dcf24e7c7cee39818f63.exe
PID 3660 wrote to memory of 912	3660	ed1b8ecb82dcdf896791aadeb9d85344b7e8229f4355dcf24e7c7cee39818f63.exe	ed1b8ecb82dcdf896791aadeb9d85344b7e8229f4355dcf24e7c7cee39818f63.exe
PID 3660 wrote to memory of 912	3660	ed1b8ecb82dcdf896791aadeb9d85344b7e8229f4355dcf24e7c7cee39818f63.exe	ed1b8ecb82dcdf896791aadeb9d85344b7e8229f4355dcf24e7c7cee39818f63.exe

C:\Users\Admin\AppData\Local\Temp\ed1b8ecb82dcdf896791aadeb9d85344b7e8229f4355dcf24e7c7cee39818f63.exe
"C:\Users\Admin\AppData\Local\Temp\ed1b8ecb82dcdf896791aadeb9d85344b7e8229f4355dcf24e7c7cee39818f63.exe"
- Suspicious use of WriteProcessMemory
PID:3660

C:\Users\Admin\AppData\Local\Temp\ed1b8ecb82dcdf896791aadeb9d85344b7e8229f4355dcf24e7c7cee39818f63.exe
"C:\Users\Admin\AppData\Local\Temp\ed1b8ecb82dcdf896791aadeb9d85344b7e8229f4355dcf24e7c7cee39818f63.exe"
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetWindowsHookEx
PID:912

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

00:00 00:00

Downloads

C:\Users\Admin\AppData\Local\Temp\_MEI36602\_hashlib.pyd
Filesize
990KB

MD5
ca928e89b3153a303b20db5bb02171a6

SHA1
a843d0cf34367441c64b27bef35d2a0cc3bd479b

SHA256
8b0a26be2cdf95351f27d407f3ddb235f803bb0abb3004c73b5a53f614a559ee

SHA512
defbf4ad1a00b9867e7934bb5edc5f157d2fcf6d3567604084ea168deb4db7c22477b252b739b0987ed421f8651aa87136ca4e1e77515a36d5d764336d926aa2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI36602\_socket.pyd
Filesize
46KB

MD5
c09b45502b40e17ea85da99b45c97bb9

SHA1
0578ad2993c827502f47f78184cb640a3029a368

SHA256
67b9dc047566250da1905751c96208bc78b2d558446e4e447ed32dbfdd399c13

SHA512
3c66d3f8ab7aa2930b3ba78f06711d107c9016d202a67de8d2d3806bab536549dd82f83c0331b44ff9ac5231273876515e0034bdbde7436853d17c16903150a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI36602\_ssl.pyd
Filesize
1MB

MD5
f12a4d8a3bb4d4c589cebc25373ca1ff

SHA1
3e018b0b54bec184c182de381a02aaadece97a39

SHA256
01a11ad86603f47ee4b5aac18d6534d43865a16978aa245ebbc29ba68d701078

SHA512
6928c03b242a658bd61e443b39ac5f98e6ca590f29be30ec6c9f3505aae3da98307b01c38ac6f294e7ea59765c6302f9c27bbe05a13a167aa90559487cb865ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI36602\k.exe.manifest
Filesize
1KB

MD5
ff71392394fc9b65d543b274b6081d09

SHA1
17600db41d78108ba44c38254ce513cc4a7384cd

SHA256
2914ccc346196be3e1bfd13e9fec870c9f775b6f18484faf757b7b7957f69d80

SHA512
7dbc1cd28bed46ad637d91e9934e9b4186d255074129eae1388e432f546731a204eb1c63d3ba0786385d85e33f12f18ab2eb60a24fab166c049fcc6ce070d42f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI36602\pyHook._cpyHook.pyd
Filesize
26KB

MD5
3c7cb79171e636137acd8fdf42ea10df

SHA1
1eec5cf28be22f9cc64ae640d584daeb35601403

SHA256
03a59137ca8f9dda395079daddd7fcf0636543f41cc0c2fcf19bea492eb4ad80

SHA512
dc161bbecec77c86a3c70f1a7c2d5c7d029c8cfad8e1606b90372da5a49d601f3146cf52fb56d453637195c1bcabe66f633c5dca1c5b106bb33025d5f9704d14

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI36602\python27.dll
Filesize
2MB

MD5
797f4566d81c04ed5f21637d2d64197f

SHA1
63b3fc75231fafbd40a973a37812f1771ed4b5bf

SHA256
441caf8a1aed00caf6e9b28fec67a25c0af16fc1150c3caf848148397cc48e0e

SHA512
93f2370d600f35dafaadea426c65479e05246204513c28839903206ba3fa7b2c847a427a76ed3e522d5a27f251b5926d2f23506073fe182cac8546dab4d13e28

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI36602\python27.dll
Filesize
2MB

MD5
797f4566d81c04ed5f21637d2d64197f

SHA1
63b3fc75231fafbd40a973a37812f1771ed4b5bf

SHA256
441caf8a1aed00caf6e9b28fec67a25c0af16fc1150c3caf848148397cc48e0e

SHA512
93f2370d600f35dafaadea426c65479e05246204513c28839903206ba3fa7b2c847a427a76ed3e522d5a27f251b5926d2f23506073fe182cac8546dab4d13e28

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI36602\pythoncom27.dll
Filesize
387KB

MD5
52b865ec9937c6b1f6ba686b7e21258d

SHA1
b9e108968574577364048c18d4d6b21912bd4454

SHA256
5df515976d0f2955ae4be1e19990de644e5461db98b0ce91ca6b0e22851fea52

SHA512
6c172889a48aa3fef43250fe52b97911e79aa153e14471fce95aff5340c4646b1cf9b89942849c50e2903ee21ec345295989d49899fc6bf5782421e087d9c219

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI36602\pywintypes27.dll
Filesize
107KB

MD5
a28653caf591fc7b4c7971821deb9a56

SHA1
5ff590e23cbb45ae4a441eeecf2d0609103eec08

SHA256
88d8eb5894c47990b4ff88e94a75f59c498cfd16b0f29894f0947f5ed2a862f3

SHA512
c1bbb29e2aaa6181aeccd19d2843646e1e2dd7d33e7ace04f9df215ec5bdc604ce170e5ee6cefbe646663c278e0e9e1332c4fd63f241d2db0e66bcd7950bdd92

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI36602\win32api.pyd
Filesize
98KB

MD5
04e34bf4a5bb715c7263401f0415cc3c

SHA1
0a2ec0b7a02ecfb2c4423aac0fa80565b03fd9dd

SHA256
3f85787b2d9ccded7176fd564cde748fd73cc79c0812ecf0d87d7bb0e92f88d2

SHA512
5e642e62cb9ef92a2894ee0258ca89188d1875dfb37700cd9474fe9c99bef85df718469885b98f56b44082ed3b76f4a33b27e6bf1cfacbea7f731d31f49d19c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI36602\win32event.pyd
Filesize
18KB

MD5
dc7a5c18901f304260ce1bb4507494d8

SHA1
519393c319d28207c89f416bfa8ed2a7feed2dfd

SHA256
b1fc1d89f5c4d7c5af342107e9460eccbc638608077298bafcefa50889f172da

SHA512
17564adbb4ded84e3c38087510f067de1342f9960df4bc639ea94bb2034fc8c09d8fc6f7670d9b6f0c6957147f3822adea373189dcd33b8374d7a64b4fb4cb04

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI36~1\_hashlib.pyd
Filesize
990KB

MD5
ca928e89b3153a303b20db5bb02171a6

SHA1
a843d0cf34367441c64b27bef35d2a0cc3bd479b

SHA256
8b0a26be2cdf95351f27d407f3ddb235f803bb0abb3004c73b5a53f614a559ee

SHA512
defbf4ad1a00b9867e7934bb5edc5f157d2fcf6d3567604084ea168deb4db7c22477b252b739b0987ed421f8651aa87136ca4e1e77515a36d5d764336d926aa2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI36~1\_socket.pyd
Filesize
46KB

MD5
c09b45502b40e17ea85da99b45c97bb9

SHA1
0578ad2993c827502f47f78184cb640a3029a368

SHA256
67b9dc047566250da1905751c96208bc78b2d558446e4e447ed32dbfdd399c13

SHA512
3c66d3f8ab7aa2930b3ba78f06711d107c9016d202a67de8d2d3806bab536549dd82f83c0331b44ff9ac5231273876515e0034bdbde7436853d17c16903150a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI36~1\_ssl.pyd
Filesize
1MB

MD5
f12a4d8a3bb4d4c589cebc25373ca1ff

SHA1
3e018b0b54bec184c182de381a02aaadece97a39

SHA256
01a11ad86603f47ee4b5aac18d6534d43865a16978aa245ebbc29ba68d701078

SHA512
6928c03b242a658bd61e443b39ac5f98e6ca590f29be30ec6c9f3505aae3da98307b01c38ac6f294e7ea59765c6302f9c27bbe05a13a167aa90559487cb865ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI36~1\pyHook._cpyHook.pyd
Filesize
26KB

MD5
3c7cb79171e636137acd8fdf42ea10df

SHA1
1eec5cf28be22f9cc64ae640d584daeb35601403

SHA256
03a59137ca8f9dda395079daddd7fcf0636543f41cc0c2fcf19bea492eb4ad80

SHA512
dc161bbecec77c86a3c70f1a7c2d5c7d029c8cfad8e1606b90372da5a49d601f3146cf52fb56d453637195c1bcabe66f633c5dca1c5b106bb33025d5f9704d14

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI36~1\pythoncom27.dll
Filesize
387KB

MD5
52b865ec9937c6b1f6ba686b7e21258d

SHA1
b9e108968574577364048c18d4d6b21912bd4454

SHA256
5df515976d0f2955ae4be1e19990de644e5461db98b0ce91ca6b0e22851fea52

SHA512
6c172889a48aa3fef43250fe52b97911e79aa153e14471fce95aff5340c4646b1cf9b89942849c50e2903ee21ec345295989d49899fc6bf5782421e087d9c219

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI36~1\pywintypes27.dll
Filesize
107KB

MD5
a28653caf591fc7b4c7971821deb9a56

SHA1
5ff590e23cbb45ae4a441eeecf2d0609103eec08

SHA256
88d8eb5894c47990b4ff88e94a75f59c498cfd16b0f29894f0947f5ed2a862f3

SHA512
c1bbb29e2aaa6181aeccd19d2843646e1e2dd7d33e7ace04f9df215ec5bdc604ce170e5ee6cefbe646663c278e0e9e1332c4fd63f241d2db0e66bcd7950bdd92

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI36~1\win32api.pyd
Filesize
98KB

MD5
04e34bf4a5bb715c7263401f0415cc3c

SHA1
0a2ec0b7a02ecfb2c4423aac0fa80565b03fd9dd

SHA256
3f85787b2d9ccded7176fd564cde748fd73cc79c0812ecf0d87d7bb0e92f88d2

SHA512
5e642e62cb9ef92a2894ee0258ca89188d1875dfb37700cd9474fe9c99bef85df718469885b98f56b44082ed3b76f4a33b27e6bf1cfacbea7f731d31f49d19c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI36~1\win32event.pyd
Filesize
18KB

MD5
dc7a5c18901f304260ce1bb4507494d8

SHA1
519393c319d28207c89f416bfa8ed2a7feed2dfd

SHA256
b1fc1d89f5c4d7c5af342107e9460eccbc638608077298bafcefa50889f172da

SHA512
17564adbb4ded84e3c38087510f067de1342f9960df4bc639ea94bb2034fc8c09d8fc6f7670d9b6f0c6957147f3822adea373189dcd33b8374d7a64b4fb4cb04

Download Submit
memory/912-130-0x0000000000000000-mapping.dmp

Download