Analysis
- max time kernel: 152s
- max time network: 156s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 16-06-2022 06:26
Static task: static1
Behavioral task: behavioral1
Sample: 270297e70e4cba0ce4fff361f6913efefe5ad6f114ba7b7d5044847807e036ba.exe
Resource: win7-20220414-en
General
- Target: 270297e70e4cba0ce4fff361f6913efefe5ad6f114ba7b7d5044847807e036ba.exe
- Size: 399KB
- MD5: e035a73d8a216ce93433d036d12dd1ee
- SHA1: 97bc39189f172c07d4d46314a0138bf22a09998c
- SHA256: 270297e70e4cba0ce4fff361f6913efefe5ad6f114ba7b7d5044847807e036ba
- SHA512: 15fcfd6de2a3158f7768359e4ccabc42dc8183c3795eeffe87b682a3020dbfc3fe734add8c7fe845de8a7f3d2055b1057acf873276071bc128ea066f4f08e7b5
Malware Config
Signatures
- Drops startup file (1 IoC)
  Process: 270297e70e4cba0ce4fff361f6913efefe5ad6f114ba7b7d5044847807e036ba.exe
    File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.url
- Drops desktop.ini file(s) (2 IoCs)
  Process: RegAsm.exe
    File opened for modification: C:\Windows\assembly\Desktop.ini
    File created: C:\Windows\assembly\Desktop.ini
- Suspicious use of SetThreadContext (1 IoC)
  Process: 270297e70e4cba0ce4fff361f6913efefe5ad6f114ba7b7d5044847807e036ba.exe
    PID 688 set thread context of 3368 (pid 688, procid_target 83)
- Drops file in Windows directory (3 IoCs)
  Process: RegAsm.exe
    File created: C:\Windows\assembly\Desktop.ini
    File opened for modification: C:\Windows\assembly\Desktop.ini
    File opened for modification: C:\Windows\assembly
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Process: 270297e70e4cba0ce4fff361f6913efefe5ad6f114ba7b7d5044847807e036ba.exe
    pid 688 (x2)
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  Process: RegAsm.exe
    pid 3368
- Suspicious use of AdjustPrivilegeToken (4 IoCs)
  Processes: 270297e70e4cba0ce4fff361f6913efefe5ad6f114ba7b7d5044847807e036ba.exe, RegAsm.exe
    Token: SeDebugPrivilege, pid 688, 270297e70e4cba0ce4fff361f6913efefe5ad6f114ba7b7d5044847807e036ba.exe
    Token: SeDebugPrivilege, pid 3368, RegAsm.exe
    Token: 33, pid 3368, RegAsm.exe
    Token: SeIncBasePriorityPrivilege, pid 3368, RegAsm.exe
- Suspicious use of SetWindowsHookEx (1 IoC)
  Process: RegAsm.exe
    pid 3368
- Suspicious use of WriteProcessMemory (14 IoCs)
  Processes: 270297e70e4cba0ce4fff361f6913efefe5ad6f114ba7b7d5044847807e036ba.exe, csc.exe
    PID 688 wrote to memory of 1892 (pid 688, 270297e70e4cba0ce4fff361f6913efefe5ad6f114ba7b7d5044847807e036ba.exe, procid_target 80) (x3)
    PID 1892 wrote to memory of 2756 (pid 1892, csc.exe, procid_target 82) (x3)
    PID 688 wrote to memory of 3368 (pid 688, 270297e70e4cba0ce4fff361f6913efefe5ad6f114ba7b7d5044847807e036ba.exe, procid_target 83) (x8)
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\270297e70e4cba0ce4fff361f6913efefe5ad6f114ba7b7d5044847807e036ba.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\270297e70e4cba0ce4fff361f6913efefe5ad6f114ba7b7d5044847807e036ba.exe"
  PID: 688
  - Drops startup file
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - [2] C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\pqtuvtq0\pqtuvtq0.cmdline"
    PID: 1892
    - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
      Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8949.tmp" "c:\Users\Admin\AppData\Local\Temp\pqtuvtq0\CSC3A0C157381EE4FAF8A4433F6F519FDE.TMP"
      PID: 2756
  - [2] C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
    PID: 3368
    - Drops desktop.ini file(s)
    - Drops file in Windows directory
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
- [1] C:\Windows\system32\wbem\WmiApSrv.exe
  Command line: C:\Windows\system32\wbem\WmiApSrv.exe
  PID: 3404
Network
MITRE ATT&CK Matrix
Downloads