Analysis
- max time kernel: 141s
- max time network: 50s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 16-06-2022 03:40
Static task: static1
Behavioral task: behavioral1
  Sample: 27ae5cc7fc4c237e807e1fde4b9d7f4479278d4886cea4bb7abe15c4f533eff1.exe
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: 27ae5cc7fc4c237e807e1fde4b9d7f4479278d4886cea4bb7abe15c4f533eff1.exe
  Resource: win10v2004-20220414-en
General
- Target: 27ae5cc7fc4c237e807e1fde4b9d7f4479278d4886cea4bb7abe15c4f533eff1.exe
- Size: 133KB
- MD5: 10b32b96f5a972db48a0681e7aa344d7
- SHA1: 5d9bb1f7318f6e00933384239fba223bdb5f4edb
- SHA256: 27ae5cc7fc4c237e807e1fde4b9d7f4479278d4886cea4bb7abe15c4f533eff1
- SHA512: d9ac26b7a069da2f2e9a6094908763b2b801acf7648cf5243eaf848e32d063215db27ee927904abd7efc0fcf349d1deae05404e359921a6dca6ce791fb0a700e
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Processes: windefender.exe
    PID 1904: windefender.exe
- Deletes itself (1 IoC)
  Processes: windefender.exe
    PID 1904: windefender.exe
- Loads dropped DLL (2 IoCs)
  Processes: 27ae5cc7fc4c237e807e1fde4b9d7f4479278d4886cea4bb7abe15c4f533eff1.exe
    PID 1644: 27ae5cc7fc4c237e807e1fde4b9d7f4479278d4886cea4bb7abe15c4f533eff1.exe
    PID 1644: 27ae5cc7fc4c237e807e1fde4b9d7f4479278d4886cea4bb7abe15c4f533eff1.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes: windefender.exe, 27ae5cc7fc4c237e807e1fde4b9d7f4479278d4886cea4bb7abe15c4f533eff1.exe
    Description: Set value (str)
    IoC: \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows\CurrentVersion\Run\windefender = "C:\\Users\\Admin\\AppData\\Roaming\\Installed\\windefender.exe"
    Process: windefender.exe
    Description: Set value (str)
    IoC: \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows\CurrentVersion\Run\windefender = "C:\\Users\\Admin\\AppData\\Roaming\\Installed\\windefender.exe"
    Process: 27ae5cc7fc4c237e807e1fde4b9d7f4479278d4886cea4bb7abe15c4f533eff1.exe
- Suspicious behavior: EnumeratesProcesses (15 IoCs)
  Processes: windefender.exe
    PID 1904: windefender.exe (15 entries, all PID 1904 windefender.exe)
- Suspicious behavior: LoadsDriver (1 IoC)
  Processes:
    PID 464 (process name not recorded)
- Suspicious use of WriteProcessMemory (5 IoCs)
  Processes: 27ae5cc7fc4c237e807e1fde4b9d7f4479278d4886cea4bb7abe15c4f533eff1.exe, windefender.exe
    PID 1644 wrote to memory of 1904 | source: 27ae5cc7fc4c237e807e1fde4b9d7f4479278d4886cea4bb7abe15c4f533eff1.exe | target: windefender.exe
    PID 1644 wrote to memory of 1904 | source: 27ae5cc7fc4c237e807e1fde4b9d7f4479278d4886cea4bb7abe15c4f533eff1.exe | target: windefender.exe
    PID 1644 wrote to memory of 1904 | source: 27ae5cc7fc4c237e807e1fde4b9d7f4479278d4886cea4bb7abe15c4f533eff1.exe | target: windefender.exe
    PID 1644 wrote to memory of 1904 | source: 27ae5cc7fc4c237e807e1fde4b9d7f4479278d4886cea4bb7abe15c4f533eff1.exe | target: windefender.exe
    PID 1904 wrote to memory of 1428 | source: windefender.exe | target: Explorer.EXE
Processes
- C:\Windows\Explorer.EXE (level 1, PID 1428)
  Command line: C:\Windows\Explorer.EXE
  - C:\Users\Admin\AppData\Local\Temp\27ae5cc7fc4c237e807e1fde4b9d7f4479278d4886cea4bb7abe15c4f533eff1.exe (level 2, PID 1644)
    Command line: "C:\Users\Admin\AppData\Local\Temp\27ae5cc7fc4c237e807e1fde4b9d7f4479278d4886cea4bb7abe15c4f533eff1.exe"
    Signatures:
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Roaming\Installed\windefender.exe (level 3, PID 1904)
      Command line: "C:\Users\Admin\AppData\Roaming\Installed\windefender.exe"
      Signatures:
      - Executes dropped EXE
      - Deletes itself
      - Adds Run key to start application
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Roaming\Installed\windefender.exe
  Filesize: 133KB
  MD5: 10b32b96f5a972db48a0681e7aa344d7
  SHA1: 5d9bb1f7318f6e00933384239fba223bdb5f4edb
  SHA256: 27ae5cc7fc4c237e807e1fde4b9d7f4479278d4886cea4bb7abe15c4f533eff1
  SHA512: d9ac26b7a069da2f2e9a6094908763b2b801acf7648cf5243eaf848e32d063215db27ee927904abd7efc0fcf349d1deae05404e359921a6dca6ce791fb0a700e
- C:\Users\Admin\AppData\Roaming\Installed\windefender.exe
  Filesize: 133KB
  MD5: 10b32b96f5a972db48a0681e7aa344d7
  SHA1: 5d9bb1f7318f6e00933384239fba223bdb5f4edb
  SHA256: 27ae5cc7fc4c237e807e1fde4b9d7f4479278d4886cea4bb7abe15c4f533eff1
  SHA512: d9ac26b7a069da2f2e9a6094908763b2b801acf7648cf5243eaf848e32d063215db27ee927904abd7efc0fcf349d1deae05404e359921a6dca6ce791fb0a700e
- C:\Users\Admin\AppData\Roaming\ntkrnl
  Filesize: 133KB
  MD5: aa3ca1db3e8f40290c98e832df59706b
  SHA1: 3b1aed6735fca16a1ad3dcfaf6e577bf151f2a78
  SHA256: 011a83120e5882992f3fc21ba4b1e3390d5cb84cd6773426f8589533d69631b9
  SHA512: 110c3e0e954582494f26d2ffcbd19b7c9b0641fb2737784e137b907f832633c59caf2e08611c8f932d0f663fb15723b159a7546c5a25ce9fb26de0d409e7ea1a
- \Users\Admin\AppData\Roaming\Installed\windefender.exe
  Filesize: 133KB
  MD5: 10b32b96f5a972db48a0681e7aa344d7
  SHA1: 5d9bb1f7318f6e00933384239fba223bdb5f4edb
  SHA256: 27ae5cc7fc4c237e807e1fde4b9d7f4479278d4886cea4bb7abe15c4f533eff1
  SHA512: d9ac26b7a069da2f2e9a6094908763b2b801acf7648cf5243eaf848e32d063215db27ee927904abd7efc0fcf349d1deae05404e359921a6dca6ce791fb0a700e
- \Users\Admin\AppData\Roaming\Installed\windefender.exe
  Filesize: 133KB
  MD5: 10b32b96f5a972db48a0681e7aa344d7
  SHA1: 5d9bb1f7318f6e00933384239fba223bdb5f4edb
  SHA256: 27ae5cc7fc4c237e807e1fde4b9d7f4479278d4886cea4bb7abe15c4f533eff1
  SHA512: d9ac26b7a069da2f2e9a6094908763b2b801acf7648cf5243eaf848e32d063215db27ee927904abd7efc0fcf349d1deae05404e359921a6dca6ce791fb0a700e
- memory/1644-54-0x0000000076781000-0x0000000076783000-memory.dmp
  Filesize: 8KB
- memory/1904-57-0x0000000000000000-mapping.dmp