Analysis
- max time kernel: 151s
- max time network: 189s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 12-06-2022 22:29

Static task: static1
Behavioral task: behavioral1
Sample: 1e1394309a44fe57f7dc501902112987bf6a5d6a3e180758bfb1cd9928fe04fe.exe
Resource: win7-20220414-en
General
- Target: 1e1394309a44fe57f7dc501902112987bf6a5d6a3e180758bfb1cd9928fe04fe.exe
- Size: 574KB
- MD5: c567544f04e0e104ef71bf7ffd110629
- SHA1: d184d4d7b3fad6a8a014637d66d8ab52f0e516c1
- SHA256: 1e1394309a44fe57f7dc501902112987bf6a5d6a3e180758bfb1cd9928fe04fe
- SHA512: c04616198f7c88070eb95fe965ccc8033b32d0dd9925b84cfd5489aa2d429cc4d8ce8b3c8b0b6abc2f52c9cdc8cf44b94021859f7bdef28a1a3461af8fcb7ebe
Malware Config
Signatures
- Drops desktop.ini file(s) (2 IoCs)
  Processes:
  description | ioc | Process
  File opened for modification | C:\Windows\assembly\Desktop.ini | 1e1394309a44fe57f7dc501902112987bf6a5d6a3e180758bfb1cd9928fe04fe.exe
  File created | C:\Windows\assembly\Desktop.ini | 1e1394309a44fe57f7dc501902112987bf6a5d6a3e180758bfb1cd9928fe04fe.exe
- Suspicious use of SetThreadContext (1 IoC)
  Processes:
  description | pid | Process | procid_target
  PID 912 set thread context of 1968 | 912 | 1e1394309a44fe57f7dc501902112987bf6a5d6a3e180758bfb1cd9928fe04fe.exe | 81
- Drops file in Windows directory (3 IoCs)
  Processes:
  description | ioc | Process
  File opened for modification | C:\Windows\assembly | 1e1394309a44fe57f7dc501902112987bf6a5d6a3e180758bfb1cd9928fe04fe.exe
  File created | C:\Windows\assembly\Desktop.ini | 1e1394309a44fe57f7dc501902112987bf6a5d6a3e180758bfb1cd9928fe04fe.exe
  File opened for modification | C:\Windows\assembly\Desktop.ini | 1e1394309a44fe57f7dc501902112987bf6a5d6a3e180758bfb1cd9928fe04fe.exe
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  Processes:
  pid | Process
  1968 | 1e1394309a44fe57f7dc501902112987bf6a5d6a3e180758bfb1cd9928fe04fe.exe
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes:
  description | pid | Process
  Token: SeDebugPrivilege | 1968 | 1e1394309a44fe57f7dc501902112987bf6a5d6a3e180758bfb1cd9928fe04fe.exe
  Token: 33 | 1968 | 1e1394309a44fe57f7dc501902112987bf6a5d6a3e180758bfb1cd9928fe04fe.exe
  Token: SeIncBasePriorityPrivilege | 1968 | 1e1394309a44fe57f7dc501902112987bf6a5d6a3e180758bfb1cd9928fe04fe.exe
- Suspicious use of SetWindowsHookEx (1 IoC)
  Processes:
  pid | Process
  1968 | 1e1394309a44fe57f7dc501902112987bf6a5d6a3e180758bfb1cd9928fe04fe.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes:
  description | pid | Process | procid_target
  PID 912 wrote to memory of 1968 | 912 | 1e1394309a44fe57f7dc501902112987bf6a5d6a3e180758bfb1cd9928fe04fe.exe | 81
  PID 912 wrote to memory of 1968 | 912 | 1e1394309a44fe57f7dc501902112987bf6a5d6a3e180758bfb1cd9928fe04fe.exe | 81
  PID 912 wrote to memory of 1968 | 912 | 1e1394309a44fe57f7dc501902112987bf6a5d6a3e180758bfb1cd9928fe04fe.exe | 81
  PID 912 wrote to memory of 1968 | 912 | 1e1394309a44fe57f7dc501902112987bf6a5d6a3e180758bfb1cd9928fe04fe.exe | 81
  PID 912 wrote to memory of 1968 | 912 | 1e1394309a44fe57f7dc501902112987bf6a5d6a3e180758bfb1cd9928fe04fe.exe | 81
  PID 912 wrote to memory of 1968 | 912 | 1e1394309a44fe57f7dc501902112987bf6a5d6a3e180758bfb1cd9928fe04fe.exe | 81
  PID 912 wrote to memory of 1968 | 912 | 1e1394309a44fe57f7dc501902112987bf6a5d6a3e180758bfb1cd9928fe04fe.exe | 81
  PID 912 wrote to memory of 1968 | 912 | 1e1394309a44fe57f7dc501902112987bf6a5d6a3e180758bfb1cd9928fe04fe.exe | 81
Processes
- C:\Users\Admin\AppData\Local\Temp\1e1394309a44fe57f7dc501902112987bf6a5d6a3e180758bfb1cd9928fe04fe.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\1e1394309a44fe57f7dc501902112987bf6a5d6a3e180758bfb1cd9928fe04fe.exe"
  PID: 912
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\1e1394309a44fe57f7dc501902112987bf6a5d6a3e180758bfb1cd9928fe04fe.exe (child of PID 912)
    Command line: "{path}"
    PID: 1968
    - Drops desktop.ini file(s)
    - Drops file in Windows directory
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
- C:\Windows\system32\wbem\WmiApSrv.exe
  Command line: C:\Windows\system32\wbem\WmiApSrv.exe
  PID: 5096
Network
MITRE ATT&CK Matrix
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\1e1394309a44fe57f7dc501902112987bf6a5d6a3e180758bfb1cd9928fe04fe.exe.log
  Filesize: 319B
  MD5: a4da81a3544d9cd85f257967c0a431fe
  SHA1: ba6f59ae5c6a2674a1fda758b5ded92f76d5edb3
  SHA256: ad372efe5e610b9c2a331ac8f17f83542ef78b92c875c206d76c84e158fb271e
  SHA512: 12348d4cb4b6534a43f122d18fc7276c524c5b7e8f242f446eefb4d2ffea8018aed53a854cb840b2f30669caf74d14daff4276c6676a15221c58c84b210d393f