Analysis
- max time kernel: 172s
- max time network: 179s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 15-06-2022 04:48

Static task: static1
Behavioral task: behavioral1
Sample: 2aad4859e6294206f25b8bd6828422d88ef00ad40a5f02d293a8b548e31fc7a0.exe
Resource: win7-20220414-en
General
- Target: 2aad4859e6294206f25b8bd6828422d88ef00ad40a5f02d293a8b548e31fc7a0.exe
- Size: 644KB
- MD5: 9bcc457ffd5258761ce4e1feb7356581
- SHA1: 07b2d106a5a1103462228fd25b05f09ca53ce616
- SHA256: 2aad4859e6294206f25b8bd6828422d88ef00ad40a5f02d293a8b548e31fc7a0
- SHA512: 1ff4082c29237567df010040c2dd5323fb48c22c98ccbdac6dcf08fe819a7c4e8adb59c529edc42a6955a247b6210ee5a178994667a126b539fee2b54928bce9
Malware Config
Signatures
- Drops startup file (1 IoC)
  Process: 2aad4859e6294206f25b8bd6828422d88ef00ad40a5f02d293a8b548e31fc7a0.exe
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.url
- Suspicious use of SetThreadContext (1 IoC)
  PID 3092 (2aad4859e6294206f25b8bd6828422d88ef00ad40a5f02d293a8b548e31fc7a0.exe) set thread context of PID 4300 (RegAsm.exe, target index 84)
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  PID 3092 (2aad4859e6294206f25b8bd6828422d88ef00ad40a5f02d293a8b548e31fc7a0.exe), two occurrences
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  PID 4300 (RegAsm.exe)
- Suspicious use of AdjustPrivilegeToken (4 IoCs)
  Token: SeDebugPrivilege, PID 3092 (2aad4859e6294206f25b8bd6828422d88ef00ad40a5f02d293a8b548e31fc7a0.exe)
  Token: SeDebugPrivilege, PID 4300 (RegAsm.exe)
  Token: 33 (privilege LUID 33, SeIncreaseWorkingSetPrivilege), PID 4300 (RegAsm.exe)
  Token: SeIncBasePriorityPrivilege, PID 4300 (RegAsm.exe)
- Suspicious use of SetWindowsHookEx (1 IoC)
  PID 4300 (RegAsm.exe)
- Suspicious use of WriteProcessMemory (14 IoCs)
  PID 3092 (2aad4859e6294206f25b8bd6828422d88ef00ad40a5f02d293a8b548e31fc7a0.exe) wrote to memory of PID 1172 (csc.exe, target index 81): 3 records
  PID 1172 (csc.exe) wrote to memory of PID 3120 (cvtres.exe, target index 83): 3 records
  PID 3092 (2aad4859e6294206f25b8bd6828422d88ef00ad40a5f02d293a8b548e31fc7a0.exe) wrote to memory of PID 4300 (RegAsm.exe, target index 84): 8 records
Processes
- C:\Users\Admin\AppData\Local\Temp\2aad4859e6294206f25b8bd6828422d88ef00ad40a5f02d293a8b548e31fc7a0.exe (PID 3092, level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\2aad4859e6294206f25b8bd6828422d88ef00ad40a5f02d293a8b548e31fc7a0.exe"
  Signatures:
  - Drops startup file
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  Children:
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe (PID 1172, level 2)
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ddcwaoex\ddcwaoex.cmdline"
    Signatures:
    - Suspicious use of WriteProcessMemory
    Children:
    - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe (PID 3120, level 3)
      Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCCDA.tmp" "c:\Users\Admin\AppData\Local\Temp\ddcwaoex\CSC41E329BCF8164DB09F8B98C02B605C51.TMP"
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe (PID 4300, level 2)
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    Signatures:
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
- C:\Windows\system32\wbem\WmiApSrv.exe (PID 704, level 1)
  Command line: C:\Windows\system32\wbem\WmiApSrv.exe
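Read together, the signatures and the process tree describe a .NET loader: the sample runs csc.exe to compile source from a response file in its Temp directory (ddcwaoex.cmdline), starts RegAsm.exe with no arguments, writes to its memory eight times and then sets its thread context (the process-hollowing sequence), and drops svchost.url into the user's Startup folder. The Python script below is an added example, not part of this report or of the sandbox's tooling: it parses the report's flattened "PID ... wrote to memory of ..." records (transcribed inline from the signatures above), groups them per source/target pair, flags pairs that are followed by a SetThreadContext on the same target, and extracts the Startup-folder IoC. The record layout and the short list of framework host binaries are assumptions made for the example.

```python
"""
Correlate the flattened signature records of a sandbox report into an
injection chain and persistence IoCs. Added example, not part of the
report or the sandbox's tooling; the record strings are transcribed from
the report, and the record layout "PID <src> <verb> <dst> <src> <image>
<target index>" is an assumption about the report's flattened text.
"""
import re
from collections import Counter
from typing import Dict, List, Tuple

SAMPLE = "2aad4859e6294206f25b8bd6828422d88ef00ad40a5f02d293a8b548e31fc7a0.exe"

# Process list from the report's process tree: pid -> (image, parent pid);
# parent 0 marks a tree root.
PROCESSES: Dict[int, Tuple[str, int]] = {
    3092: (SAMPLE, 0),
    1172: ("csc.exe", 3092),
    3120: ("cvtres.exe", 1172),
    4300: ("RegAsm.exe", 3092),
    704: ("WmiApSrv.exe", 0),
}
# Signed .NET framework binaries commonly spawned as hollowing hosts
# (assumption: a short list for this example, not an exhaustive one).
FRAMEWORK_HOSTS = {"regasm.exe", "regsvcs.exe", "msbuild.exe", "installutil.exe"}

# Records transcribed from the WriteProcessMemory (3 + 3 + 8 = 14 records),
# SetThreadContext and "Drops startup file" signatures.
WRITE_RECORDS = " ".join(
    [f"PID 3092 wrote to memory of 1172 3092 {SAMPLE} 81"] * 3
    + ["PID 1172 wrote to memory of 3120 1172 csc.exe 83"] * 3
    + [f"PID 3092 wrote to memory of 4300 3092 {SAMPLE} 84"] * 8
)
CONTEXT_RECORDS = f"PID 3092 set thread context of 4300 3092 {SAMPLE} 84"
FILE_RECORDS = (
    r"File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows"
    r"\Start Menu\Programs\Startup\svchost.url " + SAMPLE
)
WRITE_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) \d+ (\S+) \d+")
CTX_RE = re.compile(r"PID (\d+) set thread context of (\d+) \d+ (\S+) \d+")


def parse_pid_records(text, pattern) -> List[Tuple[int, int, str]]:
    """Return (source pid, target pid, source image) for every matching record."""
    return [(int(s), int(d), img) for s, d, img in pattern.findall(text)]


def parse_file_creates(text: str) -> List[Tuple[str, str]]:
    """Return (path, creating image). Paths may contain spaces ("Start Menu"),
    so the image name is split off from the right end of each record."""
    out = []
    for rec in text.split("File created ")[1:]:
        path, image = rec.strip().rsplit(" ", 1)
        out.append((path, image))
    return out


def find_injection_chains(writes, ctx_sets) -> List[dict]:
    """Group memory writes per (source, target) pair and annotate each pair.
    A write burst followed by SetThreadContext on the same target, where the
    target is a freshly spawned child, is the process-hollowing sequence
    (ATT&CK T1055.012). Writes with no thread-context change, as seen towards
    csc.exe and cvtres.exe here, are kept but not flagged as hollowing."""
    write_counts = Counter((s, d) for s, d, _ in writes)
    ctx_pairs = {(s, d) for s, d, _ in ctx_sets}
    chains = []
    for (src, dst), n in sorted(write_counts.items()):
        image, parent = PROCESSES.get(dst, ("<unknown>", -1))
        reasons = []
        if (src, dst) in ctx_pairs:
            reasons.append("SetThreadContext follows WriteProcessMemory")
        if parent == src:
            reasons.append("target is a child of the writer")
        if image.lower() in FRAMEWORK_HOSTS:
            reasons.append("target is a signed .NET framework host binary")
        chains.append({"source": src, "target": dst, "target_image": image,
                       "write_count": n, "hollowing": (src, dst) in ctx_pairs,
                       "reasons": reasons})
    return chains


def persistence_iocs(file_creates) -> List[dict]:
    """Flag files dropped into the per-user Startup folder (ATT&CK T1547.001).
    A .url file there is an Internet shortcut; its target is not visible in
    the report, so only the path and the creating process are recorded."""
    marker = "\\start menu\\programs\\startup\\"
    return [{"path": p, "created_by": img, "technique": "T1547.001",
             "extension": p.rsplit(".", 1)[-1].lower()}
            for p, img in file_creates if marker in p.lower()]


def triage_report() -> dict:
    """Run every parser over the transcribed records and return the findings."""
    writes = parse_pid_records(WRITE_RECORDS, WRITE_RE)
    ctx = parse_pid_records(CONTEXT_RECORDS, CTX_RE)
    return {"injection": find_injection_chains(writes, ctx),
            "persistence": persistence_iocs(parse_file_creates(FILE_RECORDS))}


if __name__ == "__main__":
    findings = triage_report()
    for c in findings["injection"]:
        flag = "HOLLOWING" if c["hollowing"] else "writes only"
        print(f"{c['source']} -> {c['target']} ({c['target_image']}): "
              f"{c['write_count']} writes, {flag}; {'; '.join(c['reasons'])}")
    for p in findings["persistence"]:
        print(f"persistence: {p['path']} dropped by {p['created_by']} [{p['technique']}]")
```

Run stand-alone it reports three write pairs; only 3092 -> 4300 (RegAsm.exe) is marked as hollowing, while the writes to csc.exe and cvtres.exe are left as the parent-to-child pattern with no thread-context change. On a live host the two facts that matter map onto Sysmon Event ID 10 (ProcessAccess) from the sample to RegAsm.exe and Event ID 11 (FileCreate) under the Startup folder; RegAsm.exe launched without an assembly path, as in the process tree above, is itself worth an alert since its normal job is to register a named assembly.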
Network
MITRE ATT&CK Matrix
Downloads
- Filesize: 1KB
  MD5: 5210c72865344653b4200fadfb691ab6
  SHA1: ea82dd90de56b1ebb8659b46e02e43b1c3e3dea0
  SHA256: 98ff2bd5fc192d87c26ce1627019d87bb5adda3ab76014af482598c2fdd5078a
  SHA512: e126615c6a232d744ca16e885e8cb9be42d2936cf361b7cea15cbca8ea3e9a7ef389181a2b00032527c3f49e8e792126ee54e73ea77198d0b6c6dcb015081fb9
- Filesize: 9KB
  MD5: 9d757ee978ad784c4c0d56b84018d843
  SHA1: 7b94d154cb7fb320b728c9426aec035c2403a417
  SHA256: 7126b65e38486f8264b36e3b88c6e4443b8fc4c368b25c1656d32139a6d1d8b2
  SHA512: 180df1bfecab95a59890362e7f52cc5c36e8f2c5484958fa08b5ae522710a4dcd4dc0321a551418ea8c8d5d5e6ff91f6c2ba265bd676fc18d0108bc8572aa742
- Filesize: 29KB
  MD5: 02f801c0b771d282c5c82a1865ad95b7
  SHA1: 0b884a783f43cd65a52842a896a2986c1cc37dbe
  SHA256: f2892d6e61de70b0adb76234e6174c5832ee5399cbecf9772e2cc27172be08ef
  SHA512: 06dbefe7cd613a88213360a212222322e4b8ba504db2cc0dce352529b9bed97717bfa6465de2ed1d70e86f000db7567017edd155c63733647f07c721a61d9f64
- Filesize: 1KB
  MD5: 4f434918c1fe872467996c4b0981a2f7
  SHA1: 203c3313da70c80d1a43b3b0e767f20c7d35ee3e
  SHA256: 42c8c65164719c22a5a5fd81e295fa9719b8ef69473611f12dd602c1426b5155
  SHA512: 89a99825fce64aa00a86cd2d1366de9476de8a48ecd64669dfeaeffce2d02ee1969b98d4bf5a97f2d274c510fd63663e1c6efb9690325bcdaee090e752a6a031
- Filesize: 10KB
  MD5: 90151e8f2b4ed32beed1f203aefc46b4
  SHA1: b25bc7d8ef0e79fa32170f0f9f353f1681b6783f
  SHA256: a95c551c89a9622b77946098efbf24107e41025cd17634999a2989a7c782c4c9
  SHA512: 40843600d7a00ba6d80d16d059660ab3cf42f066b5f6973deeeba4940670be70157e27988c1b269bb4f5ef945dff14017057d13de909d854087d00d806614f3f
- Filesize: 312B
  MD5: 9c2881fbfc4f23d10d818bd3361cd815
  SHA1: e55222701a22e7be2e852570870d594af776ec94
  SHA256: 58853cc742466382f9852fb020d083de7a3a8467fc6c9cfcf7f2a2e3733a054f
  SHA512: 58e6c863ab66ce3daae8a421ec9cdd67979d3147cb2bffc508ddd4c028eedf02e673442f2a3f34de112535fbc1bfaf25ef5d437811a552f801ca0fcdf553b440