Analysis
- max time kernel: 149s
- max time network: 152s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 16-06-2022 06:26
- Static task: static1
- Behavioral task: behavioral1
- Sample: 270297e70e4cba0ce4fff361f6913efefe5ad6f114ba7b7d5044847807e036ba.exe
- Resource: win7-20220414-en
General
- Target: 270297e70e4cba0ce4fff361f6913efefe5ad6f114ba7b7d5044847807e036ba.exe
- Size: 399KB
- MD5: e035a73d8a216ce93433d036d12dd1ee
- SHA1: 97bc39189f172c07d4d46314a0138bf22a09998c
- SHA256: 270297e70e4cba0ce4fff361f6913efefe5ad6f114ba7b7d5044847807e036ba
- SHA512: 15fcfd6de2a3158f7768359e4ccabc42dc8183c3795eeffe87b682a3020dbfc3fe734add8c7fe845de8a7f3d2055b1057acf873276071bc128ea066f4f08e7b5
Malware Config
Signatures
- Drops startup file (1 IoC)
  PID 1672 (270297e70e4cba0ce4fff361f6913efefe5ad6f114ba7b7d5044847807e036ba.exe, "the sample" below) created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.url
  Items in the per-user Startup folder are opened by Explorer at every logon; for a .url shortcut that means launching whatever its URL= line points at. The file name mimics the system process svchost.
- Suspicious use of SetThreadContext (1 IoC)
  PID 1672 (the sample) set thread context of PID 1060 (RegAsm.exe, process-tree entry 32)
- Suspicious behavior: EnumeratesProcesses (3 IoCs)
  PID 1672 (the sample), three occurrences
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  PID 1060 (RegAsm.exe)
- Suspicious use of AdjustPrivilegeToken (4 IoCs)
  PID 1672 (the sample): SeDebugPrivilege
  PID 1060 (RegAsm.exe): SeDebugPrivilege, Token: 33, SeIncBasePriorityPrivilege
- Suspicious use of SetWindowsHookEx (1 IoC)
  PID 1060 (RegAsm.exe)
- Suspicious use of WriteProcessMemory (27 IoCs)
  PID 1672 (the sample) -> PID 1036 (csc.exe, entry 28): 4 writes
  PID 1036 (csc.exe) -> PID 1828 (cvtres.exe, entry 30): 4 writes
  PID 1672 (the sample) -> PID 1336 (RegAsm.exe, entry 31): 7 writes
  PID 1672 (the sample) -> PID 1060 (RegAsm.exe, entry 32): 12 writes
  Writing into a freshly spawned RegAsm.exe and then resetting its thread context (the SetThreadContext IoC above) is the sequence used to hollow a legitimate, signed process and run injected code under its name. Consistently, the hook installation, privilege adjustment and foreground-window polling are attributed to RegAsm.exe (PID 1060) rather than to the sample itself.
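The behavioural rows above can be correlated mechanically rather than read by eye. The following Python is an added example, not part of the sandbox report or its tooling: it parses a compact event log constructed from the report's own PIDs, image names and paths (the line format, the PROCESSES table and EVENT_LOG are this example's constructions) and applies two rules. The hollowing rule requires that a process spawn a child, write into it and reset one of its thread contexts; writes alone are not sufficient evidence, because CreateProcess itself writes process parameters into every new child, so the 4 writes into csc.exe and the 7 into RegAsm.exe PID 1336 (which shows no further activity in the report) would otherwise be false positives. The persistence rule flags any file created under the per-user Startup folder.

```python
"""Correlate sandbox behavioural rows into verdicts: process hollowing and
Startup-folder persistence.  Added example, not part of the report: the line
format, PROCESSES table and EVENT_LOG are constructed here from the report's
own PIDs, image names and paths."""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional

# PID -> image name, taken from the report's "Processes" section.
PROCESSES: Dict[int, str] = {
    1672: "270297e70e4cba0ce4fff361f6913efefe5ad6f114ba7b7d5044847807e036ba.exe",
    1036: "csc.exe", 1828: "cvtres.exe",
    1336: "RegAsm.exe", 1060: "RegAsm.exe", 868: "WmiApSrv.exe",
}

# Constructed log in the report's phrasing; repeated rows collapsed to "xN",
# "spawned" rows derived from the process tree.
EVENT_LOG = r"""
PID 1672 spawned 1036
PID 1672 wrote to memory of 1036 x4
PID 1036 spawned 1828
PID 1036 wrote to memory of 1828 x4
PID 1672 spawned 1336
PID 1672 wrote to memory of 1336 x7
PID 1672 spawned 1060
PID 1672 wrote to memory of 1060 x12
PID 1672 set thread context of 1060
PID 1672 created file C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.url
PID 1060 token SeDebugPrivilege
PID 1060 token SeIncBasePriorityPrivilege
"""

@dataclass(frozen=True)
class Event:
    kind: str                  # spawn | write | setctx | file | token
    src: int                   # acting PID
    dst: Optional[int] = None  # target PID for spawn/write/setctx
    detail: str = ""           # path or privilege name for file/token

_PATTERNS = [
    ("spawn",  re.compile(r"^PID (\d+) spawned (\d+)$")),
    ("write",  re.compile(r"^PID (\d+) wrote to memory of (\d+)(?: x(\d+))?$")),
    ("setctx", re.compile(r"^PID (\d+) set thread context of (\d+)$")),
    ("file",   re.compile(r"^PID (\d+) created file (.+)$")),
    ("token",  re.compile(r"^PID (\d+) token (\S+)$")),
]

def parse_events(text: str) -> List[Event]:
    """Expand the compact log into one Event per occurrence."""
    events: List[Event] = []
    for line in [l.strip() for l in text.splitlines() if l.strip()]:
        for kind, pat in _PATTERNS:
            m = pat.match(line)
            if not m:
                continue
            if kind in ("spawn", "setctx"):
                events.append(Event(kind, int(m[1]), int(m[2])))
            elif kind == "write":
                n = int(m[3]) if m[3] else 1
                events.extend(Event(kind, int(m[1]), int(m[2])) for _ in range(n))
            else:
                events.append(Event(kind, int(m[1]), None, m[2]))
            break
        else:
            raise ValueError(f"unrecognised event line: {line!r}")
    return events

def detect_hollowing(events: List[Event], procs: Dict[int, str]) -> List[dict]:
    """Spawn + WriteProcessMemory + SetThreadContext on the same child is the
    hollowing / thread-hijack sequence.  Writes alone are not enough: CreateProcess
    itself writes process parameters into every new child (the 4 writes into csc.exe)."""
    spawned = {(e.src, e.dst) for e in events if e.kind == "spawn"}
    writes = Counter((e.src, e.dst) for e in events if e.kind == "write")
    setctx = {(e.src, e.dst) for e in events if e.kind == "setctx"}
    return [{
        "source": src, "target": dst, "target_image": procs.get(dst, "?"),
        "writes": writes[(src, dst)],
        # privileges the hollowed child enabled afterwards
        "target_tokens": sorted(e.detail for e in events
                                if e.kind == "token" and e.src == dst),
    } for src, dst in sorted(spawned & setctx)]

_STARTUP_DIR = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.IGNORECASE)

def detect_startup_persistence(events: List[Event]) -> List[dict]:
    """Files under the per-user Startup folder are opened at every logon; a .url
    shortcut there launches whatever its URL= line points at."""
    hits = []
    for e in events:
        if e.kind == "file" and _STARTUP_DIR.search(e.detail):
            name = e.detail.rsplit("\\", 1)[-1]
            hits.append({"pid": e.src, "path": e.detail, "name": name,
                         "masquerades_as_system": name.lower().startswith("svchost")})
    return hits

if __name__ == "__main__":
    evs = parse_events(EVENT_LOG)
    for verdict in detect_hollowing(evs, PROCESSES) + detect_startup_persistence(evs):
        print(verdict)
```

On the constructed log this yields a single hollowing verdict, PID 1672 into RegAsm.exe PID 1060 with 12 writes and the two named privileges enabled afterwards, and a single persistence hit for svchost.url. The spawn requirement is what keeps the rule quiet on the RegAsm.exe at PID 1336 and on csc.exe; in a real pipeline the same three event kinds are available from Sysmon (event IDs 1, 8 and 10) or ETW and the parser would be swapped for that schema.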
Processes (indentation shows parent/child depth)
1. C:\Users\Admin\AppData\Local\Temp\270297e70e4cba0ce4fff361f6913efefe5ad6f114ba7b7d5044847807e036ba.exe (PID 1672)
   Command line: "C:\Users\Admin\AppData\Local\Temp\270297e70e4cba0ce4fff361f6913efefe5ad6f114ba7b7d5044847807e036ba.exe"
   - Drops startup file
   - Suspicious use of SetThreadContext
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe (PID 1036)
      Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\gsyaih2n\gsyaih2n.cmdline"
      - Suspicious use of WriteProcessMemory
      csc.exe is the .NET C# compiler; being invoked with a generated response file under %TEMP% means the sample compiles code at run time. cvtres.exe below is the resource converter csc.exe spawns for that build.
      3. C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe (PID 1828)
         Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF6CE.tmp" "c:\Users\Admin\AppData\Local\Temp\gsyaih2n\CSC1FD0533EB005447F8D6E83A32BE1B089.TMP"
   2. C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe (PID 1336)
      Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
      (no signatures recorded for this instance)
   2. C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe (PID 1060)
      Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
1. C:\Windows\system32\wbem\WmiApSrv.exe (PID 868)
   Command line: C:\Windows\system32\wbem\WmiApSrv.exe
Network
MITRE ATT&CK Matrix
Downloads
- Filesize: 1KB
  MD5: ee21c6595b15fc5840e258b768badade
  SHA1: f2dd04f2f05e350adee38040c17e64daa0f40cad
  SHA256: c5ca0ed99d42e4f008fefdc2509948a4ac011b5ada7ac048a8ee94b51fe6df38
  SHA512: 4ff5fadd2d2d035544391b919de770ac2dd1cc9672227bb02d06bed8032117e5048925ee03a7b6c4dbc11e04da6765560e41145ae0115a6b7e8ab4fe264a8130
- Filesize: 9KB
  MD5: dbc225d2b404853907e3af80b9e8e6ca
  SHA1: f8eb069c6967b9f75cf132c5eeece29b73d1c3d3
  SHA256: 5e4369e377852e88420b9b6e605e2ee77e79ccd3fd78fe854c604d7e585e3efa
  SHA512: 54741c0228ebfbc433d304e9e21af696625a438050afc9a2523f1e16045b1a637ff037b5ad58cc9120e00584db936668750e258401a46097a1b2d1c2b95d73cb
- Filesize: 29KB
  MD5: 3185869f58e72cf0c523331d649d73b4
  SHA1: 334a533bc4ab327f65476ac04580e70ecfe72ec1
  SHA256: 444c335d9dd2d1acc212f4a81d6d476ffe1901840fb83adc58e5cfa4558d5287
  SHA512: b63e1421c603ff2641868f16d8e2eec0c14b595d8980d2620d7bee96d73433f6f66ca12f80265219f6c6205025a6a453fb9461f833b3a2d19bcefc7b062da629
- Filesize: 1KB
  MD5: c77817f595493681a1c11ed7b0d103aa
  SHA1: 1cee93c4d5dd7666491109a8e2d9a87f9b373d9b
  SHA256: b042b26cd8e61a4e05b151391b4147662490705c8220eb4554c42cc76ae70d07
  SHA512: 26e34a0c84b26c6ee210dc8301ccbf0f1d2f6558e33ce522bb8ab570009c64c6c1cf53a485bd8729608a9066c306a5a26a717078c6257862e65dd177abb15f1f
- Filesize: 10KB
  MD5: 2ce6b0712b18eade5ac3a9fd3cdced80
  SHA1: 89762aafc9d4de9cc19138daa335ccd3a3f10fa8
  SHA256: 3dab14b8f11229fb2726bbb02500fbbe37326b97a4865e333f349178924a7c8c
  SHA512: 35cb4d1c478871c1868f5438ed8ea0a0df2838e81e3e0161d4d21677aa48f9b98de0a7b6143b552ee920990495b5f10d74c33afce8db98de8241156d6a975ba4
- Filesize: 248B
  MD5: c460a3516d238357137b8d48ab65c12b
  SHA1: 32a92b68812bea66243ed7aa492ad2dc6cbd4d8e
  SHA256: 657ae81381a2f27b24ab0ea7b1c1802056bb94ead408bcdd251802c98de0ba7f
  SHA512: 8574292ac479a8159aa93f4f81b0095d67479bff5eb1379f698ea4fe4786944a5d135baef69ec1877d68df40d317371715ef7dd2f67b0a51bb08a70ae0c0cb52