Analysis

max time kernel: 151s
max time network: 155s
platform: windows7_x64
resource: win7-20220414-en
submitted: 15-06-2022 04:48

Static task: static1
Behavioral task: behavioral1
Sample: 2aad4859e6294206f25b8bd6828422d88ef00ad40a5f02d293a8b548e31fc7a0.exe
Resource: win7-20220414-en
General

Target: 2aad4859e6294206f25b8bd6828422d88ef00ad40a5f02d293a8b548e31fc7a0.exe
Size: 644KB
MD5: 9bcc457ffd5258761ce4e1feb7356581
SHA1: 07b2d106a5a1103462228fd25b05f09ca53ce616
SHA256: 2aad4859e6294206f25b8bd6828422d88ef00ad40a5f02d293a8b548e31fc7a0
SHA512: 1ff4082c29237567df010040c2dd5323fb48c22c98ccbdac6dcf08fe819a7c4e8adb59c529edc42a6955a247b6210ee5a178994667a126b539fee2b54928bce9
Malware Config
Signatures
Drops startup file (1 IoC)
  description | ioc | process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.url | 2aad4859e6294206f25b8bd6828422d88ef00ad40a5f02d293a8b548e31fc7a0.exe

Suspicious use of SetThreadContext (1 IoC)
  description | pid | process | procid_target
  PID 1260 set thread context of 1984 | 1260 | 2aad4859e6294206f25b8bd6828422d88ef00ad40a5f02d293a8b548e31fc7a0.exe | 29

Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid | process
  1260 | 2aad4859e6294206f25b8bd6828422d88ef00ad40a5f02d293a8b548e31fc7a0.exe
  1260 | 2aad4859e6294206f25b8bd6828422d88ef00ad40a5f02d293a8b548e31fc7a0.exe

Suspicious use of AdjustPrivilegeToken (4 IoCs)
  description | pid | process
  Token: SeDebugPrivilege | 1260 | 2aad4859e6294206f25b8bd6828422d88ef00ad40a5f02d293a8b548e31fc7a0.exe
  Token: SeDebugPrivilege | 1984 | RegAsm.exe
  Token: 33 (LUID 33 is SeIncreaseWorkingSetPrivilege) | 1984 | RegAsm.exe
  Token: SeIncBasePriorityPrivilege | 1984 | RegAsm.exe

Suspicious use of SetWindowsHookEx (1 IoC)
  pid | process
  1984 | RegAsm.exe

Suspicious use of WriteProcessMemory (20 IoCs; identical rows collapsed, count in the last column)
  description | pid | process | procid_target | count
  PID 1260 wrote to memory of 1940 | 1260 | 2aad4859e6294206f25b8bd6828422d88ef00ad40a5f02d293a8b548e31fc7a0.exe | 26 | 4
  PID 1940 wrote to memory of 1912 | 1940 | csc.exe | 28 | 4
  PID 1260 wrote to memory of 1984 | 1260 | 2aad4859e6294206f25b8bd6828422d88ef00ad40a5f02d293a8b548e31fc7a0.exe | 29 | 12

Note: procid_target is the report's own index for the target process (26 = csc.exe PID 1940, 28 = cvtres.exe PID 1912, 29 = RegAsm.exe PID 1984), not the target's Windows PID. The twelve writes into RegAsm.exe by PID 1260, combined with the SetThreadContext call on the same target, are the pairing that distinguishes injection from the handful of writes a parent normally performs when creating a child (the four writes each into csc.exe and cvtres.exe).
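The "Drops startup file" signature records only that svchost.url was created in the Startup folder, not what it points to. As an added example, not part of this report or of the sandbox vendor's tooling, the Python below parses Windows .url shortcuts (plain INI files whose [InternetShortcut] URL= entry Explorer opens at logon) and flags the properties a triager looks for when a shortcut named after a system binary appears there. The shortcut body is constructed for illustration; the scheme, suffix and system-binary name lists are assumptions.

```python
"""Assess .url shortcuts found in a Windows Startup folder.

Added example; not part of the sandbox report or of any vendor tooling.
The report only shows that svchost.url was dropped, so the shortcut body
below is CONSTRUCTED to illustrate the checks.
"""
import configparser
import os
from urllib.parse import urlparse

# A .url file is plain INI text. Explorer opens the URL= target of the
# [InternetShortcut] section when the shortcut is launched at logon.
CONSTRUCTED_SVCHOST_URL = """[InternetShortcut]
URL=file:///C:/Users/Admin/AppData/Roaming/svchost.exe
IconIndex=0
"""

# Assumptions: schemes that launch local content rather than a web page,
# suffixes that denote executable content, and names that mimic Windows
# system binaries (no legitimate installer drops "svchost.url").
LOCAL_SCHEMES = {"file", "javascript", "vbscript", ""}
EXEC_SUFFIXES = (".exe", ".dll", ".scr", ".js", ".vbs", ".ps1", ".bat", ".cmd", ".hta")
SYSTEM_LIKE_NAMES = {"svchost", "explorer", "lsass", "csrss", "winlogon", "services"}


def parse_internet_shortcut(text):
    """Return the URL= target of a .url file, or None if it has none."""
    cp = configparser.ConfigParser(interpolation=None, strict=False, allow_no_value=True)
    try:
        cp.read_string(text.lstrip("\ufeff"))  # tolerate a UTF-8 BOM
    except configparser.Error:
        return None  # not INI at all: no section header, or garbage
    if not cp.has_section("InternetShortcut"):
        return None
    return cp.get("InternetShortcut", "URL", fallback=None)


def assess_startup_shortcut(filename, text):
    """Return the reasons a Startup-folder .url deserves analyst attention."""
    reasons = []
    stem = os.path.splitext(os.path.basename(filename.replace("\\", "/")))[0].lower()
    if stem in SYSTEM_LIKE_NAMES:
        reasons.append(f"name mimics a system binary: {stem}")
    target = parse_internet_shortcut(text)
    if target is None:
        reasons.append("no [InternetShortcut] URL= entry; not a normal shortcut")
        return reasons
    parsed = urlparse(target)
    path = parsed.path.lower()
    if parsed.scheme.lower() in LOCAL_SCHEMES:
        reasons.append(f"target uses a non-web scheme {parsed.scheme!r}: {target}")
    if path.endswith(EXEC_SUFFIXES):
        reasons.append(f"target is an executable: {target}")
    if "/appdata/" in path or "/users/" in path:
        reasons.append("target lives under a user-writable profile path")
    return reasons


def scan_startup_folder(folder):
    """Map each flagged .url file in `folder` to its list of reasons."""
    findings = {}
    for name in sorted(os.listdir(folder)):
        if not name.lower().endswith(".url"):
            continue
        with open(os.path.join(folder, name), encoding="utf-8", errors="replace") as fh:
            reasons = assess_startup_shortcut(name, fh.read())
        if reasons:
            findings[name] = reasons
    return findings


if __name__ == "__main__":
    for reason in assess_startup_shortcut("svchost.url", CONSTRUCTED_SVCHOST_URL):
        print("svchost.url:", reason)
```

On a live host or a mounted image, point scan_startup_folder at the per-user Startup folder from the signature (C:\Users\<user>\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup) and at the all-users one under ProgramData; a .url whose target is an executable under the profile, rather than an http(s) address, is the persistence artifact to pull for hashing.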
Processes

C:\Users\Admin\AppData\Local\Temp\2aad4859e6294206f25b8bd6828422d88ef00ad40a5f02d293a8b548e31fc7a0.exe  (PID 1260)
  command line: "C:\Users\Admin\AppData\Local\Temp\2aad4859e6294206f25b8bd6828422d88ef00ad40a5f02d293a8b548e31fc7a0.exe"
  signatures: Drops startup file; Suspicious use of SetThreadContext; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory

  C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe  (PID 1940, child of 1260)
    command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\hn3shhpe\hn3shhpe.cmdline"
    signatures: Suspicious use of WriteProcessMemory

    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe  (PID 1912, child of 1940)
      command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESDA59.tmp" "c:\Users\Admin\AppData\Local\Temp\hn3shhpe\CSCCC78FC098BE4763AD1BB9A020874148.TMP"

  C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe  (PID 1984, child of 1260)
    command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    signatures: Suspicious use of AdjustPrivilegeToken; Suspicious use of SetWindowsHookEx

C:\Windows\system32\wbem\WmiApSrv.exe  (PID 1472)
  command line: C:\Windows\system32\wbem\WmiApSrv.exe

Note: the tree is consistent with a .NET loader that compiles part of itself at runtime and then injects into a signed Microsoft host. The csc.exe invocation with a random eight-character temp directory, a .cmdline response file and a CSC*.TMP resource passed to cvtres.exe is what the .NET CodeDom compiler (CSharpCodeProvider) produces; RegAsm.exe is then started with no assembly to register, written to twelve times by PID 1260 and has its thread context replaced, after which it enables SeDebugPrivilege and installs a Windows hook. WmiApSrv.exe (the WMI Performance Adapter service) is a separate top-level process, not a child of the sample.
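The process tree and the WriteProcessMemory/SetThreadContext IoCs together describe a pattern a detection engineer can encode: a parent that both writes into a child and replaces a thread context in it, a csc.exe/cvtres.exe compilation chain launched from something that is not a build tool, and RegAsm.exe started without an assembly to register. The Python below is an added example, not the sandbox vendor's logic; its process and API-call records are transcribed from this report (parent PIDs the report does not show are None), and the build-host and injection-host image-name lists are assumptions.

```python
"""Detection logic over the process and API-call records of a sandbox report.

Added example; not part of the report or of any vendor tooling. The records
below are transcribed from the report's Signatures and Processes sections;
parent PIDs the report does not show are None.
"""
from collections import defaultdict, namedtuple

Process = namedtuple("Process", "pid ppid image cmdline")

SAMPLE = "2aad4859e6294206f25b8bd6828422d88ef00ad40a5f02d293a8b548e31fc7a0.exe"
NETFX = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319"
TEMP = r"C:\Users\Admin\AppData\Local\Temp"

PROCESSES = {
    1260: Process(1260, None, TEMP + "\\" + SAMPLE, '"' + TEMP + "\\" + SAMPLE + '"'),
    1940: Process(1940, 1260, NETFX + r"\csc.exe",
                  '"' + NETFX + r'\csc.exe" /noconfig /fullpaths @"' + TEMP + r'\hn3shhpe\hn3shhpe.cmdline"'),
    1912: Process(1912, 1940, NETFX + r"\cvtres.exe",
                  NETFX + r'\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:' + TEMP + r'\RESDA59.tmp" '
                  + r'"c:\Users\Admin\AppData\Local\Temp\hn3shhpe\CSCCC78FC098BE4763AD1BB9A020874148.TMP"'),
    1984: Process(1984, 1260, NETFX + r"\RegAsm.exe", '"' + NETFX + r'\RegAsm.exe"'),
    1472: Process(1472, None, r"C:\Windows\system32\wbem\WmiApSrv.exe", r"C:\Windows\system32\wbem\WmiApSrv.exe"),
}

# (api, source pid, target pid): one tuple per IoC row in the report.
API_CALLS = (
    [("WriteProcessMemory", 1260, 1940)] * 4
    + [("WriteProcessMemory", 1940, 1912)] * 4
    + [("WriteProcessMemory", 1260, 1984)] * 12
    + [("SetThreadContext", 1260, 1984)]
)

# Assumptions: hosts that legitimately drive csc.exe, and .NET utilities that
# are commonly started argument-less purely to serve as an injection target.
BUILD_HOSTS = {"devenv.exe", "msbuild.exe", "vbcscompiler.exe", "dotnet.exe"}
INJECTION_HOSTS = {"regasm.exe", "regsvcs.exe", "installutil.exe", "aspnet_compiler.exe"}


def image_name(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def name_of(processes, pid):
    p = processes.get(pid)
    return image_name(p.image) if p else "<unknown>"


def detect_injection(processes, api_calls):
    """Flag (src, dst) pairs that saw both WriteProcessMemory and SetThreadContext.

    Writing a remote process's memory and then replacing a thread's context is
    the core of process hollowing and of thread-hijack injectors. Writes alone
    are not flagged: a parent writes into every child it creates.
    """
    writes = defaultdict(int)
    contexts = set()
    for api, src, dst in api_calls:
        if src == dst:
            continue
        if api == "WriteProcessMemory":
            writes[(src, dst)] += 1
        elif api == "SetThreadContext":
            contexts.add((src, dst))
    return [
        f"pid {src} ({name_of(processes, src)}) wrote {writes[(src, dst)]}x into "
        f"pid {dst} ({name_of(processes, dst)}) then set its thread context"
        for src, dst in sorted(contexts) if writes[(src, dst)]
    ]


def detect_runtime_compilation(processes):
    """Flag csc.exe driven by a response file from a parent that is not a build tool."""
    findings = []
    for p in processes.values():
        cmd = p.cmdline.lower()
        if image_name(p.image) == "csc.exe" and "/noconfig" in cmd and "@" in cmd:
            parent_name = name_of(processes, p.ppid)
            if parent_name not in BUILD_HOSTS:
                findings.append(f"pid {p.pid} csc.exe compiled a response file for pid {p.ppid} ({parent_name})")
    return findings


def command_arguments(cmdline):
    """Strip the (possibly quoted) image path off a Windows command line."""
    cmdline = cmdline.strip()
    if cmdline.startswith('"'):
        end = cmdline.find('"', 1)
        return cmdline[end + 1:].strip() if end != -1 else ""
    parts = cmdline.split(None, 1)
    return parts[1].strip() if len(parts) > 1 else ""


def detect_argless_hosts(processes):
    """Flag injection hosts started with no arguments (RegAsm.exe needs an assembly path to do anything)."""
    return [
        f"pid {p.pid} {image_name(p.image)} started with no arguments by pid {p.ppid} ({name_of(processes, p.ppid)})"
        for p in processes.values()
        if image_name(p.image) in INJECTION_HOSTS and not command_arguments(p.cmdline)
    ]


def run_all(processes=PROCESSES, api_calls=API_CALLS):
    return {
        "injection": detect_injection(processes, api_calls),
        "runtime_compilation": detect_runtime_compilation(processes),
        "argless_hosts": detect_argless_hosts(processes),
    }


if __name__ == "__main__":
    for rule, hits in run_all().items():
        for hit in hits:
            print(f"[{rule}] {hit}")
```

Run against this report's records, only the 1260 to 1984 pair is reported as injection; the four writes each into csc.exe and cvtres.exe are ordinary process creation and stay quiet, which is the behaviour you want before turning these rules into EDR queries where every parent/child pair produces such writes.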
Network
MITRE ATT&CK Matrix
Downloads

Filesize: 1KB
MD5: ad3ee5524f154dc3624f749c95a1a78e
SHA1: 6f65ced390922010c13ac3ac652717baa506bc05
SHA256: f989213977f15e5bb0b0611cdcc52a0c46ee5cb38ee6037cc7047bed1e3c8cf5
SHA512: 02377ef37c0d666873da077ee34bfb0ebbce7d2f91a800d05aa649128dabfc6e220cdb304631f33c88b0343f09fdeacfc04e8e15ae8cdf9d01c05d0541f27334

Filesize: 9KB
MD5: ebad19ea0c16974fd008526b530ce044
SHA1: e9328dad083bee063407c47e037723433b428041
SHA256: 1c263f2d803887d6ddab2260a79b69460166159f3902f58b4670281c58f0fb7e
SHA512: f809c92061bb5eb3868da35a924aec5a9677d06d7b614e4299ff8d6483211e4d871351267b4cf76c8020c7303aa4d9184844df329d121486d5e13262ed614685

Filesize: 29KB
MD5: 6d103d0c7b5c864dd16f77c5a7b683ec
SHA1: e172ac71ddac5f6ed8cc14a4171baf2e14ccd5a9
SHA256: 16e6f8f447e1042eb2f58249e97da82f54cf3198caaf0c085af095385a12057f
SHA512: 19fa284c7cd616459462f471c24040f09a7ee2a3c5c40d67eb15bf22d9aff60595336c530ff003375879cf9279e7e5ee13fd44938bb2d2e5e782dfcfe2c3a2a5

Filesize: 1KB
MD5: ad53f6e5c476ca0446ccfa0e8db268f9
SHA1: 2d49ed8ad19b293bb0264e30203c893622330ad2
SHA256: 5b29f843e5cd133a346681ced91a8baa38158a5ba9ff0f5a1049e070997ad48e
SHA512: fb679f303366930ce4b06bfe15d1335279b6da3e9702d70e4de62beed5a11d5547ea59f1d2edefc849cdd0819dd8be4ee2581146117a26526a81a0d97b217884

Filesize: 10KB
MD5: 90151e8f2b4ed32beed1f203aefc46b4
SHA1: b25bc7d8ef0e79fa32170f0f9f353f1681b6783f
SHA256: a95c551c89a9622b77946098efbf24107e41025cd17634999a2989a7c782c4c9
SHA512: 40843600d7a00ba6d80d16d059660ab3cf42f066b5f6973deeeba4940670be70157e27988c1b269bb4f5ef945dff14017057d13de909d854087d00d806614f3f

Filesize: 312B
MD5: 36273623e68826696cb5157c0974b52d
SHA1: e6afa46d01e8aa0dbc7930fe0bf107dac85f37f2
SHA256: 782cf5dbadfb34e2302ca7c6d90b30d0352fdd1afe0feb0415d1e4d52b8133d3
SHA512: 52187b532aa2996f5fd590c7b84b97bda9ceda1293284ac4b267412fc933d3a5e8ed844be582ec084c1dce353e59efd6744ba9b04c666d0ffea6cd10367414ae