Analysis
max time kernel: 142s
max time network: 153s
platform: windows10-2004_x64
resource: win10v2004-20220414-en
submitted: 24-05-2022 23:05
Behavioral task: behavioral1
Sample: 1f8595d066ee69e7454b30b718102bbd04122ba8a5bab1e9d5f4532b7a7305a3.exe
Resource: win7-20220414-en
Behavioral task: behavioral2
Sample: 1f8595d066ee69e7454b30b718102bbd04122ba8a5bab1e9d5f4532b7a7305a3.exe
Resource: win10v2004-20220414-en
General
Target: 1f8595d066ee69e7454b30b718102bbd04122ba8a5bab1e9d5f4532b7a7305a3.exe
Size: 40KB
MD5: b808bcbb1d9b94a4a71899964255ce0e
SHA1: c5e899db34a976f8396cdde8044ebb5ca67a513f
SHA256: 1f8595d066ee69e7454b30b718102bbd04122ba8a5bab1e9d5f4532b7a7305a3
SHA512: 6f1c8f6fd0ad1ded7a5ab3e39a45f0ca22bc12100117b3a58f613184069128e7e21b7685262f3647408c6871ea8a5e2a07e53379634f65a45b71552d69620ff9
Malware Config
Extracted: buer
frrnq8--imp_j_i,fi-
cookn5**fjm\g\f)cf*
Signatures
resource | yara_rule
behavioral2/files/0x0009000000023138-132.dat | buer
behavioral2/files/0x0009000000023138-131.dat | buer
behavioral2/memory/3508-133-0x0000000000000000-mapping.dmp | buer
behavioral2/memory/3508-134-0x00000000007E0000-0x00000000007EC000-memory.dmp | buer
Executes dropped EXE (1 IoC)
pid | Process
2324 | manager.exe
Adds Run key to start application (2 TTPs, 4 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ActiveX Component = "C:\\Users\\Admin\\AppData\\Roaming\\ActiveX\\manager.exe" | manager.exe
Key created | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce | secinit.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ActiveX Component = "C:\\Users\\Admin\\AppData\\Roaming\\ActiveX\\manager.exe" | secinit.exe
Key created | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce | manager.exe
Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid | Process
3508 | secinit.exe
3508 | secinit.exe
Suspicious use of WriteProcessMemory (14 IoCs)
description | pid | Process | procid_target
PID 2636 wrote to memory of 2324 | 2636 | 1f8595d066ee69e7454b30b718102bbd04122ba8a5bab1e9d5f4532b7a7305a3.exe | 28 (3 identical entries)
PID 2324 wrote to memory of 3508 | 2324 | manager.exe | 78 (11 identical entries)
Processes
1. C:\Users\Admin\AppData\Local\Temp\1f8595d066ee69e7454b30b718102bbd04122ba8a5bab1e9d5f4532b7a7305a3.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\1f8595d066ee69e7454b30b718102bbd04122ba8a5bab1e9d5f4532b7a7305a3.exe"
   PID: 2636
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Roaming\ActiveX\manager.exe
      Command line: C:\Users\Admin\AppData\Roaming\ActiveX\manager.exe "C:\Users\Admin\AppData\Local\Temp\1f8595d066ee69e7454b30b718102bbd04122ba8a5bab1e9d5f4532b7a7305a3.exe" ensgJJ
      PID: 2324
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\secinit.exe
         Command line: C:\Users\Admin\AppData\Roaming\ActiveX\manager.exe
         PID: 3508
         - Adds Run key to start application
         - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize: 40KB
MD5: b808bcbb1d9b94a4a71899964255ce0e
SHA1: c5e899db34a976f8396cdde8044ebb5ca67a513f
SHA256: 1f8595d066ee69e7454b30b718102bbd04122ba8a5bab1e9d5f4532b7a7305a3
SHA512: 6f1c8f6fd0ad1ded7a5ab3e39a45f0ca22bc12100117b3a58f613184069128e7e21b7685262f3647408c6871ea8a5e2a07e53379634f65a45b71552d69620ff9