Analysis
- Max time kernel: 149s
- Max time network: 154s
- Platform: windows10-2004_x64
- Resource: win10v2004-20220414-en
- Submitted: 04-06-2022 03:39
Static task: static1
Behavioral task: behavioral1
  Sample: 117cec9b90336e72a71d8fa9c67e5f58ba0ae90e33a19805a6f4a36a50d68218.exe
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: 117cec9b90336e72a71d8fa9c67e5f58ba0ae90e33a19805a6f4a36a50d68218.exe
  Resource: win10v2004-20220414-en
General
- Target: 117cec9b90336e72a71d8fa9c67e5f58ba0ae90e33a19805a6f4a36a50d68218.exe
- Size: 100KB
- MD5: be04880708661c10c6dc83b9adc83756
- SHA1: 942e64204031981a9861e2ae90e7c296eeac1519
- SHA256: 117cec9b90336e72a71d8fa9c67e5f58ba0ae90e33a19805a6f4a36a50d68218
- SHA512: 83bd19290de0acef2fdec699dda973479d8896fbcb920e2aecdc31405839019ac30d749afc148313a851de17a7b56440ec8156098d0d839a7374648c359408db
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Processes:
    pid 2304  MSNMSG~1.EXE
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Process: 117cec9b90336e72a71d8fa9c67e5f58ba0ae90e33a19805a6f4a36a50d68218.exe
    Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\"
    Key created: \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce
  Note: a RunOnce value named wextract_cleanupN that runs advpack.dll,DelNodeRunDLL32 against an IXPnnn.TMP directory is the cleanup hook written by a WEXTRACT/IExpress self-extracting package. It deletes the extraction directory at the next logon; it does not persist the payload. Read it as evidence that the sample is an SFX wrapper and look at what it extracted and ran (here MSNMSG~1.EXE) rather than at the key itself.
- Suspicious use of WriteProcessMemory (3 IoCs)
  Process: 117cec9b90336e72a71d8fa9c67e5f58ba0ae90e33a19805a6f4a36a50d68218.exe
    PID 4048 (117cec9b90336e72a71d8fa9c67e5f58ba0ae90e33a19805a6f4a36a50d68218.exe) wrote to memory of PID 2304 (MSNMSG~1.EXE), reported 3 times
  Note: the target is the child the sample itself launched; a parent writing into a child it has just created is expected during process start-up and is weak evidence of injection on its own.
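One way to separate the WEXTRACT cleanup hook flagged above from genuine Run-key persistence when reviewing registry "Set value" events. This is an added example, not part of the sandbox report or its signature engine: the function and label names are assumptions, and of the three sample events only the first is the report's own value; the other two are constructed for contrast.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Autorun locations of interest; the value name is the last path component.
RUNKEY_RE = re.compile(
    r"\\CurrentVersion\\(?P<kind>RunOnce|Run)\\(?P<value>[^\\]+)$", re.IGNORECASE)

# WEXTRACT/IExpress cleanup hook: rundll32 advpack.dll,DelNodeRunDLL32 "<dir>"
WEXTRACT_RE = re.compile(
    r'^\s*"?rundll32(?:\.exe)?"?\s+(?:[^"\s]*\\)?advpack\.dll,DelNodeRunDLL32\s+'
    r'"?(?P<target>.+?)"?\s*$',
    re.IGNORECASE)

# The extraction directory WEXTRACT creates: %TEMP%\IXPnnn.TMP
IXP_DIR_RE = re.compile(r"\\IXP\d{3}\.TMP\\?$", re.IGNORECASE)

# Directories an unprivileged user can write to; an autorun pointing here is a
# stronger persistence signal than one pointing into Program Files.
USER_WRITABLE_RE = re.compile(
    r"\\(?:AppData\\(?:Local|Roaming)|Users\\Public|ProgramData|Windows\\Temp)\\",
    re.IGNORECASE)


@dataclass
class Verdict:
    key_kind: str            # "Run" or "RunOnce"
    value_name: str          # e.g. "wextract_cleanup0"
    label: str               # "sfx_cleanup", "user_writable_autorun" or "review"
    cleanup_target: Optional[str] = None  # directory DelNodeRunDLL32 will delete


def classify_autorun(key_path: str, value_data: str) -> Verdict:
    """Classify one Run/RunOnce 'Set value (str)' event (hypothetical helper)."""
    m = RUNKEY_RE.search(key_path)
    if not m:
        raise ValueError(f"not a Run/RunOnce value: {key_path}")
    kind, name = m.group("kind"), m.group("value")

    w = WEXTRACT_RE.match(value_data)
    if w and kind.lower() == "runonce" and IXP_DIR_RE.search(w.group("target")):
        # Self-deleting extraction dir scheduled by the SFX stub: not persistence.
        # The same command under Run (not RunOnce) deliberately falls through.
        return Verdict(kind, name, "sfx_cleanup", w.group("target"))
    if USER_WRITABLE_RE.search(value_data):
        # Anything launched from a user-writable location deserves a closer look.
        return Verdict(kind, name, "user_writable_autorun")
    return Verdict(kind, name, "review")


def triage(events: List[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Return (value_name, label) for each (key_path, value_data) event."""
    return [(v.value_name, v.label)
            for v in (classify_autorun(k, d) for k, d in events)]


# Constructed sample events. The first is the value from the report above;
# the other two are hypothetical entries added for contrast.
SAMPLE_EVENTS = [
    (r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0",
     r'rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\"'),
    (r"\REGISTRY\USER\S-1-5-21-0-0-0-1001\Software\Microsoft\Windows\CurrentVersion\Run\MSNMSG",
     r'"C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\MSNMSG~1.EXE"'),
    (r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorTray",
     r'"C:\Program Files\Vendor\tray.exe" /background'),
]

if __name__ == "__main__":
    for name, label in triage(SAMPLE_EVENTS):
        print(f"{name:20} {label}")
```

The cleanup hook is only trusted when it sits under RunOnce and names an IXPnnn.TMP directory; the identical command written under Run, or pointing anywhere else, is classified like any other autorun so that an attacker borrowing the value name gains nothing.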
Processes
- C:\Users\Admin\AppData\Local\Temp\117cec9b90336e72a71d8fa9c67e5f58ba0ae90e33a19805a6f4a36a50d68218.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\117cec9b90336e72a71d8fa9c67e5f58ba0ae90e33a19805a6f4a36a50d68218.exe"
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\MSNMSG~1.EXE (child)
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\MSNMSG~1.EXE
    - Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\MSNMSG~1.EXE
  Filesize: 45KB
  MD5: ad090589116ae6ba1efb9d09ec7fb098
  SHA1: f9efe2e2591204800787907583a88b2a87348b49
  SHA256: 5d63b837589720da7e45a9cff617488eb1e29a39e7ec23de28d495a799d4fc18
  SHA512: 37572a0131d2d3910fd8bca4bf35982626d61fb0c5ab442c002607fc0c3a312e29f9f571b70faa5e7d8e86ce471b4ad724b7fe1e2f24892ca623de391476e2b3
- memory/2304-130-0x0000000000000000-mapping.dmp