Analysis
- max time kernel: 22s
- max time network: 48s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 21-05-2022 00:06
Static task: static1
Behavioral task: behavioral1
  Sample: f48930a056eabc2d77d9717ba2c22ca0f6313c147b77f7f986413ea524ed9ad2.exe
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: f48930a056eabc2d77d9717ba2c22ca0f6313c147b77f7f986413ea524ed9ad2.exe
  Resource: win10v2004-20220414-en
General
- Target: f48930a056eabc2d77d9717ba2c22ca0f6313c147b77f7f986413ea524ed9ad2.exe
- Size: 5.1MB
- MD5: ec11b09c5f7314c702b59e7f6b58ab39
- SHA1: 5b8299b919bbb1cb883b794408682acb7476e80b
- SHA256: f48930a056eabc2d77d9717ba2c22ca0f6313c147b77f7f986413ea524ed9ad2
- SHA512: fdc4aa2043a376e6289cffb6ad39b0688f74dfaa31eea17c5fd626cd6623f59a6dd902fa79b21283129068b9a4dd475516c72503ee2572a2afc5f0c57fddd9af
Malware Config
Signatures
- Loads dropped DLL (4 IoCs)
  Processes: PID 1352 f48930a056eabc2d77d9717ba2c22ca0f6313c147b77f7f986413ea524ed9ad2.exe (4 events)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes: Token: 35, PID 1352 f48930a056eabc2d77d9717ba2c22ca0f6313c147b77f7f986413ea524ed9ad2.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes: PID 1628 f48930a056eabc2d77d9717ba2c22ca0f6313c147b77f7f986413ea524ed9ad2.exe wrote to memory of PID 1352 f48930a056eabc2d77d9717ba2c22ca0f6313c147b77f7f986413ea524ed9ad2.exe (4 events)
Processes
- C:\Users\Admin\AppData\Local\Temp\f48930a056eabc2d77d9717ba2c22ca0f6313c147b77f7f986413ea524ed9ad2.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\f48930a056eabc2d77d9717ba2c22ca0f6313c147b77f7f986413ea524ed9ad2.exe"
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\f48930a056eabc2d77d9717ba2c22ca0f6313c147b77f7f986413ea524ed9ad2.exe (child)
    Command line: "C:\Users\Admin\AppData\Local\Temp\f48930a056eabc2d77d9717ba2c22ca0f6313c147b77f7f986413ea524ed9ad2.exe"
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix
Downloads
- C:\Users\Admin\AppData\Local\Temp\_MEI16282\VCRUNTIME140.dll
  Filesize: 81KB
  MD5: a2523ea6950e248cbdf18c9ea1a844f6
  SHA1: 549c8c2a96605f90d79a872be73efb5d40965444
  SHA256: 6823b98c3e922490a2f97f54862d32193900077e49f0360522b19e06e6da24b4
  SHA512: 2141c041b6bdbee9ec10088b9d47df02bf72143eb3619e8652296d617efd77697f4dc8727d11998695768843b4e94a47b1aed2c6fb9f097ffc8a42ca7aaaf66a
- C:\Users\Admin\AppData\Local\Temp\_MEI16282\_sqlite3.pyd
  Filesize: 62KB
  MD5: 3a6c9c518da65bd0d04e0bd51c9cf5dc
  SHA1: f117bcedeb405d87f67ebe10b82dd06b6e088260
  SHA256: 74625e8d5db4c25e0886ac8ce60ba665472e8147a19ad37fc34a22a665be8855
  SHA512: 3754ded6cdb6d4dcf9dad2f78f43ff0c6c30ad05f2012a9ab94891422c304afcdc0530c5098a0f45bf428c67ae3b57ac073162749355683707ba5e628755fd07
- C:\Users\Admin\AppData\Local\Temp\_MEI16282\base_library.zip
  Filesize: 757KB
  MD5: a7cb00602111a9549f136b743ed3ef1e
  SHA1: d6d430db8f01ff4f0c60495f48aa34fb21ced4a9
  SHA256: 2c817b19505fc47505b6b34906d7a5b534b5af4d2fe960bab102d50179030c60
  SHA512: 37666d7f54cb12f1685e18121787beb19826b14d0340653072d8a6979b57b79e614b8eb2c68eb5f066836129f209ffbdc409c83a592cac19c52db9173b183282
- C:\Users\Admin\AppData\Local\Temp\_MEI16282\python36.dll
  Filesize: 3.1MB
  MD5: 1ac97dbe4a81fc2beb509f8da5a3e8b6
  SHA1: b9e7d3857a10072c8569b2d07e0208059cf9495c
  SHA256: 258dd151e3ec9632d0b49488cc689bcbab172648854e121dc6b5f2e43e58cb62
  SHA512: c69a7619d3b75d7170e087be9f02afc6d6bd1706aefcb60e84507f33d393f7323b168436f77c540c9439e2045b7577a2fb77ad287e02ff1afac747017478fad1
- C:\Users\Admin\AppData\Local\Temp\_MEI16282\sqlite3.dll
  Filesize: 846KB
  MD5: 647ffe50ba324b12c1b955a487e88cb4
  SHA1: efc2452c1bc3d48903388e362eb3afaa12688467
  SHA256: 372d66efb14d841fc62501203ea19b2fbb64b214c20f15c6c3d9752d2a4bb08c
  SHA512: 8288fe8778d8dbb61c5557a597b7e41bf2668caeda6388c6bb21b955964dcb1fec043b054d57950d7bf3d1a758495ba128609b19989245ca23fe869eb9a92d2d
- C:\Users\Admin\AppData\Local\Temp\_MEI16282\syscheck.exe.manifest
  Filesize: 1KB
  MD5: 20a8967eda19d30c2d7a7f1acd662606
  SHA1: 56c8742794401fa83ea5a2d1f74e03dfddf71912
  SHA256: 6584885ec18e06d4db41970e69414aa45415261a66d17bf3af64f9e6c95a5329
  SHA512: c91dd24dd7970bd83f662e778f4cc5ea5c563b9b9767ca83058e2f4c2283bbd6efa4c7aac5a6fdddea42aee957fefd2614eff9970c32c06f9328934e575f3ef9
- \Users\Admin\AppData\Local\Temp\_MEI16282\VCRUNTIME140.dll
  Filesize: 81KB
  MD5: a2523ea6950e248cbdf18c9ea1a844f6
  SHA1: 549c8c2a96605f90d79a872be73efb5d40965444
  SHA256: 6823b98c3e922490a2f97f54862d32193900077e49f0360522b19e06e6da24b4
  SHA512: 2141c041b6bdbee9ec10088b9d47df02bf72143eb3619e8652296d617efd77697f4dc8727d11998695768843b4e94a47b1aed2c6fb9f097ffc8a42ca7aaaf66a
- \Users\Admin\AppData\Local\Temp\_MEI16282\_sqlite3.pyd
  Filesize: 62KB
  MD5: 3a6c9c518da65bd0d04e0bd51c9cf5dc
  SHA1: f117bcedeb405d87f67ebe10b82dd06b6e088260
  SHA256: 74625e8d5db4c25e0886ac8ce60ba665472e8147a19ad37fc34a22a665be8855
  SHA512: 3754ded6cdb6d4dcf9dad2f78f43ff0c6c30ad05f2012a9ab94891422c304afcdc0530c5098a0f45bf428c67ae3b57ac073162749355683707ba5e628755fd07
- \Users\Admin\AppData\Local\Temp\_MEI16282\python36.dll
  Filesize: 3.1MB
  MD5: 1ac97dbe4a81fc2beb509f8da5a3e8b6
  SHA1: b9e7d3857a10072c8569b2d07e0208059cf9495c
  SHA256: 258dd151e3ec9632d0b49488cc689bcbab172648854e121dc6b5f2e43e58cb62
  SHA512: c69a7619d3b75d7170e087be9f02afc6d6bd1706aefcb60e84507f33d393f7323b168436f77c540c9439e2045b7577a2fb77ad287e02ff1afac747017478fad1
- \Users\Admin\AppData\Local\Temp\_MEI16282\sqlite3.dll
  Filesize: 846KB
  MD5: 647ffe50ba324b12c1b955a487e88cb4
  SHA1: efc2452c1bc3d48903388e362eb3afaa12688467
  SHA256: 372d66efb14d841fc62501203ea19b2fbb64b214c20f15c6c3d9752d2a4bb08c
  SHA512: 8288fe8778d8dbb61c5557a597b7e41bf2668caeda6388c6bb21b955964dcb1fec043b054d57950d7bf3d1a758495ba128609b19989245ca23fe869eb9a92d2d
- memory/1352-54-0x0000000000000000-mapping.dmp