Analysis
-
max time kernel
41s -
max time network
47s -
platform
windows7_x64 -
resource
win7-20220414-en -
submitted
24-05-2022 21:25
General
-
Target
f1a015c0d8f30aecac2e32e83bc6ad3e1236d3ba709255cb023a740e3fc45483.exe
-
Size
93KB
-
MD5
00161aff7e341a7049d1011270c43211
-
SHA1
f8d4d89c7245fb6f47bf3dfc14197a97b15f3bcf
-
SHA256
f1a015c0d8f30aecac2e32e83bc6ad3e1236d3ba709255cb023a740e3fc45483
-
SHA512
18631006d93732182253dfadfba1328172a424b00978072b8345f8351a1cff3f9752ad6db40178f459b937ce524265fba3a6c2a836dbdc3aa206d9a87b43cb0d
Malware Config
Signatures
-
Contains code to disable Windows Defender 6 IoCs
A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
-
CoreEntity .NET Packer 1 IoCs
A .NET packer called CoreEntity where it has embedded the payload as a BitMap object which is later decrypted.
-
CoreCCC Packer 1 IoCs
Detects CoreCCC packer used to load .NET malware.
-
ReZer0 packer 1 IoCs
Detects ReZer0, a packer with multiple versions used in various campaigns.
-
Suspicious use of SetThreadContext 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of SetWindowsHookEx 2 IoCs
-
Suspicious use of WriteProcessMemory 16 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\f1a015c0d8f30aecac2e32e83bc6ad3e1236d3ba709255cb023a740e3fc45483.exe"C:\Users\Admin\AppData\Local\Temp\f1a015c0d8f30aecac2e32e83bc6ad3e1236d3ba709255cb023a740e3fc45483.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\f1a015c0d8f30aecac2e32e83bc6ad3e1236d3ba709255cb023a740e3fc45483.exe"{path}"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\SysWOW64\cmstp.exe"c:\windows\system32\cmstp.exe" /au C:\Windows\temp\foqsv3od.inf1⤵
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Windows\temp\foqsv3od.infFilesize
583B
MD5dc0460862b3f16d4a1c0174453b7efc4
SHA18bb49134515816eba84a00cb175a97b760f35555
SHA25621853156f8a64ebe2f2be9b1e7f331a6c56fa680a5c177d6a9c2c002ee54d8c7
SHA5121cd2ddb1850e941905301ef5e46393aba69d0b7666cd7494fc1a4a55bbf47d49cb30e1ba078e1164f07f82562c4cff3f9c2fddfa8f93afb0f9158fc2c5bea07d
-
memory/988-70-0x0000000000000000-mapping.dmp
-
memory/1008-57-0x0000000000650000-0x0000000000662000-memory.dmpFilesize
72KB
-
memory/1008-54-0x0000000000E60000-0x0000000000E7E000-memory.dmpFilesize
120KB
-
memory/1008-56-0x0000000000340000-0x0000000000348000-memory.dmpFilesize
32KB
-
memory/1008-55-0x0000000075FC1000-0x0000000075FC3000-memory.dmpFilesize
8KB
-
memory/1704-61-0x0000000000400000-0x000000000040C000-memory.dmpFilesize
48KB
-
memory/1704-66-0x0000000000400000-0x000000000040C000-memory.dmpFilesize
48KB
-
memory/1704-68-0x0000000000400000-0x000000000040C000-memory.dmpFilesize
48KB
-
memory/1704-64-0x000000000040616E-mapping.dmp
-
memory/1704-63-0x0000000000400000-0x000000000040C000-memory.dmpFilesize
48KB
-
memory/1704-62-0x0000000000400000-0x000000000040C000-memory.dmpFilesize
48KB
-
memory/1704-59-0x0000000000400000-0x000000000040C000-memory.dmpFilesize
48KB
-
memory/1704-58-0x0000000000400000-0x000000000040C000-memory.dmpFilesize
48KB