Analysis
  max time kernel: 151s
  max time network: 153s
  platform: windows10-2004_x64
  resource: win10v2004-20220414-en
  submitted: 19-06-2022 19:20

Static task: static1
Behavioral task: behavioral1
  Sample: 34fac25089c3b96f743705ffdd7ed3ef5213915c4fdaefa8a0cb5c984a3525c4.exe
  Resource: win7-20220414-en
General
  Target: 34fac25089c3b96f743705ffdd7ed3ef5213915c4fdaefa8a0cb5c984a3525c4.exe
  Size: 854KB
  MD5: f5081dc1115e74ceee116f089cfe8b96
  SHA1: 36085d6cf0ef3cc3f24f8efe4ee7286f28a0d28c
  SHA256: 34fac25089c3b96f743705ffdd7ed3ef5213915c4fdaefa8a0cb5c984a3525c4
  SHA512: 776c0a4c34ef55a316309547fcfdd93910f381ae7be3bdddb82247f3255f2430fd07faf143bdb02e1db8f7112b7bcd265c6a2f5fd4abd8bced46e3171527adb0
Malware Config
Signatures
- Drops startup file (1 IoC)
  Processes: 34fac25089c3b96f743705ffdd7ed3ef5213915c4fdaefa8a0cb5c984a3525c4.exe
  description | ioc | Process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tcQMAw.url | 34fac25089c3b96f743705ffdd7ed3ef5213915c4fdaefa8a0cb5c984a3525c4.exe
- Drops desktop.ini file(s) (2 IoCs)
  Processes: RegAsm.exe
  description | ioc | Process
  File created | C:\Windows\assembly\Desktop.ini | RegAsm.exe
  File opened for modification | C:\Windows\assembly\Desktop.ini | RegAsm.exe
- Suspicious use of SetThreadContext (1 IoC)
  Processes: 34fac25089c3b96f743705ffdd7ed3ef5213915c4fdaefa8a0cb5c984a3525c4.exe
  description | pid | Process | procid_target
  PID 4776 set thread context of 1260 | 4776 | 34fac25089c3b96f743705ffdd7ed3ef5213915c4fdaefa8a0cb5c984a3525c4.exe | 83
- Drops file in Windows directory (3 IoCs)
  Processes: RegAsm.exe
  description | ioc | Process
  File opened for modification | C:\Windows\assembly | RegAsm.exe
  File created | C:\Windows\assembly\Desktop.ini | RegAsm.exe
  File opened for modification | C:\Windows\assembly\Desktop.ini | RegAsm.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes: 34fac25089c3b96f743705ffdd7ed3ef5213915c4fdaefa8a0cb5c984a3525c4.exe
  pid | Process
  4776 | 34fac25089c3b96f743705ffdd7ed3ef5213915c4fdaefa8a0cb5c984a3525c4.exe
  4776 | 34fac25089c3b96f743705ffdd7ed3ef5213915c4fdaefa8a0cb5c984a3525c4.exe
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  Processes: RegAsm.exe
  pid | Process
  1260 | RegAsm.exe
- Suspicious use of AdjustPrivilegeToken (4 IoCs)
  Processes: 34fac25089c3b96f743705ffdd7ed3ef5213915c4fdaefa8a0cb5c984a3525c4.exe, RegAsm.exe
  description | pid | Process
  Token: SeDebugPrivilege | 4776 | 34fac25089c3b96f743705ffdd7ed3ef5213915c4fdaefa8a0cb5c984a3525c4.exe
  Token: SeDebugPrivilege | 1260 | RegAsm.exe
  Token: 33 | 1260 | RegAsm.exe
  Token: SeIncBasePriorityPrivilege | 1260 | RegAsm.exe
- Suspicious use of SetWindowsHookEx (1 IoC)
  Processes: RegAsm.exe
  pid | Process
  1260 | RegAsm.exe
- Suspicious use of WriteProcessMemory (14 IoCs)
  Processes: 34fac25089c3b96f743705ffdd7ed3ef5213915c4fdaefa8a0cb5c984a3525c4.exe, csc.exe
  description | pid | Process | procid_target
  PID 4776 wrote to memory of 548 | 4776 | 34fac25089c3b96f743705ffdd7ed3ef5213915c4fdaefa8a0cb5c984a3525c4.exe | 80
  PID 4776 wrote to memory of 548 | 4776 | 34fac25089c3b96f743705ffdd7ed3ef5213915c4fdaefa8a0cb5c984a3525c4.exe | 80
  PID 4776 wrote to memory of 548 | 4776 | 34fac25089c3b96f743705ffdd7ed3ef5213915c4fdaefa8a0cb5c984a3525c4.exe | 80
  PID 548 wrote to memory of 1396 | 548 | csc.exe | 82
  PID 548 wrote to memory of 1396 | 548 | csc.exe | 82
  PID 548 wrote to memory of 1396 | 548 | csc.exe | 82
  PID 4776 wrote to memory of 1260 | 4776 | 34fac25089c3b96f743705ffdd7ed3ef5213915c4fdaefa8a0cb5c984a3525c4.exe | 83
  PID 4776 wrote to memory of 1260 | 4776 | 34fac25089c3b96f743705ffdd7ed3ef5213915c4fdaefa8a0cb5c984a3525c4.exe | 83
  PID 4776 wrote to memory of 1260 | 4776 | 34fac25089c3b96f743705ffdd7ed3ef5213915c4fdaefa8a0cb5c984a3525c4.exe | 83
  PID 4776 wrote to memory of 1260 | 4776 | 34fac25089c3b96f743705ffdd7ed3ef5213915c4fdaefa8a0cb5c984a3525c4.exe | 83
  PID 4776 wrote to memory of 1260 | 4776 | 34fac25089c3b96f743705ffdd7ed3ef5213915c4fdaefa8a0cb5c984a3525c4.exe | 83
  PID 4776 wrote to memory of 1260 | 4776 | 34fac25089c3b96f743705ffdd7ed3ef5213915c4fdaefa8a0cb5c984a3525c4.exe | 83
  PID 4776 wrote to memory of 1260 | 4776 | 34fac25089c3b96f743705ffdd7ed3ef5213915c4fdaefa8a0cb5c984a3525c4.exe | 83
  PID 4776 wrote to memory of 1260 | 4776 | 34fac25089c3b96f743705ffdd7ed3ef5213915c4fdaefa8a0cb5c984a3525c4.exe | 83
Processes
  C:\Users\Admin\AppData\Local\Temp\34fac25089c3b96f743705ffdd7ed3ef5213915c4fdaefa8a0cb5c984a3525c4.exe (PID 4776)
    command line: "C:\Users\Admin\AppData\Local\Temp\34fac25089c3b96f743705ffdd7ed3ef5213915c4fdaefa8a0cb5c984a3525c4.exe"
    - Drops startup file
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe (PID 548)
      command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\spgn5f4b\spgn5f4b.cmdline"
      - Suspicious use of WriteProcessMemory
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe (PID 1396)
        command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA434.tmp" "c:\Users\Admin\AppData\Local\Temp\spgn5f4b\CSC6F2F74062EBB4F3FBE3F71C910F57258.TMP"
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe (PID 1260)
      command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
      - Drops desktop.ini file(s)
      - Drops file in Windows directory
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
  C:\Windows\system32\wbem\WmiApSrv.exe (PID 4168)
    command line: C:\Windows\system32\wbem\WmiApSrv.exe
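The process tree above is the chain a detection has to key on: a sample running from %TEMP% invokes csc.exe at runtime against a response file in the same directory, then starts RegAsm.exe with an empty command line and both writes to its memory and resets its thread context (the sequence associated with process hollowing), and separately drops a .url into the per-user Startup folder. The Python below is an added example, not part of this report or of the sandbox: it runs three rules over constructed Sysmon-style events that reproduce the PIDs and paths from this report. The event schema, the parent PIDs 1000 and 900 used for the two top-level processes, and the BENIGN_PARENTS allowlist are assumptions.

```python
"""Detection rules over constructed Sysmon-style events (added example).

The events are constructed to mirror the process tree and IoCs in the
report; they are not real telemetry from the sandbox.
"""
import ntpath
import re
from dataclasses import dataclass

# .NET framework utilities that are legitimate on disk but are common
# hollowing targets when started with an empty command line.
HOLLOW_TARGETS = {"regasm.exe", "regsvcs.exe", "installutil.exe",
                  "msbuild.exe", "applaunch.exe", "aspnet_compiler.exe"}
# Parents that plausibly launch those utilities for real work.
# Assumption: illustrative allowlist, to be tuned per estate.
BENIGN_PARENTS = {"msiexec.exe", "devenv.exe", "msbuild.exe", "setup.exe",
                  "services.exe", "explorer.exe"}
USER_WRITABLE = re.compile(r"\\users\\[^\\]+\\appdata\\", re.IGNORECASE)
STARTUP_DIR = re.compile(r"\\start menu\\programs\\startup\\", re.IGNORECASE)


@dataclass
class Finding:
    rule: str
    pid: int
    detail: str
    confirmed: bool = False


def exe_name(path: str) -> str:
    return ntpath.basename(path).lower()


def args_after_image(cmdline: str) -> str:
    """Drop the (possibly quoted) image path; return the remaining arguments."""
    cmdline = cmdline.strip()
    if cmdline.startswith('"'):
        end = cmdline.find('"', 1)
        return cmdline[end + 1:].strip() if end != -1 else ""
    parts = cmdline.split(None, 1)
    return parts[1].strip() if len(parts) > 1 else ""


def analyze(events):
    """Return Findings for the three behaviours seen in the report."""
    procs = {e["pid"]: e for e in events if e["type"] == "process_create"}
    tampered = {(e["pid"], e["target"]) for e in events
                if e["type"] in ("write_process_memory", "set_thread_context")}
    findings = []
    for pid, p in procs.items():
        image = exe_name(p["image"])
        parent = procs.get(p["ppid"])
        parent_image = exe_name(parent["image"]) if parent else "<unknown>"
        args = args_after_image(p["cmdline"])
        # Rule 1: framework utility, no arguments, unexpected parent; confirmed
        # when that parent wrote to it or reset its thread context.
        if image in HOLLOW_TARGETS and not args and parent_image not in BENIGN_PARENTS:
            findings.append(Finding(
                "net_utility_hollowing", pid,
                f"{image} started with an empty command line by {parent_image}",
                confirmed=(p["ppid"], pid) in tampered))
        # Rule 2: csc.exe compiling a response file for a parent that runs
        # from a user-writable profile directory (runtime compilation).
        if (image == "csc.exe" and parent and "@" in args
                and USER_WRITABLE.search(parent["image"])):
            findings.append(Finding(
                "runtime_csharp_compile", pid,
                f"csc.exe spawned by {parent_image}: {args}"))
    # Rule 3: a .url shortcut written into the per-user Startup folder.
    for e in events:
        if (e["type"] == "file_create" and STARTUP_DIR.search(e["path"])
                and e["path"].lower().endswith(".url")):
            findings.append(Finding(
                "startup_url_persistence", e["pid"],
                f"{exe_name(procs[e['pid']]['image'])} created {e['path']}"))
    return findings


# Constructed events reproducing the PIDs and paths in the report.
# Assumption: parent PIDs 1000 and 900 stand in for launchers the report omits.
TEMP = r"C:\Users\Admin\AppData\Local\Temp"
SAMPLE = TEMP + r"\34fac25089c3b96f743705ffdd7ed3ef5213915c4fdaefa8a0cb5c984a3525c4.exe"
FX4 = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319"
FX2 = r"C:\Windows\Microsoft.NET\Framework\v2.0.50727"
EVENTS = [
    {"type": "process_create", "pid": 4776, "ppid": 1000, "image": SAMPLE,
     "cmdline": '"' + SAMPLE + '"'},
    {"type": "file_create", "pid": 4776,
     "path": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tcQMAw.url"},
    {"type": "process_create", "pid": 548, "ppid": 4776, "image": FX4 + r"\csc.exe",
     "cmdline": '"' + FX4 + r'\csc.exe" /noconfig /fullpaths @"' + TEMP + r'\spgn5f4b\spgn5f4b.cmdline"'},
    {"type": "process_create", "pid": 1396, "ppid": 548, "image": FX4 + r"\cvtres.exe",
     "cmdline": FX4 + r'\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:' + TEMP + r'\RESA434.tmp"'},
    {"type": "write_process_memory", "pid": 548, "target": 1396},
    {"type": "process_create", "pid": 1260, "ppid": 4776, "image": FX2 + r"\RegAsm.exe",
     "cmdline": '"' + FX2 + r'\RegAsm.exe"'},
    {"type": "write_process_memory", "pid": 4776, "target": 1260},
    {"type": "set_thread_context", "pid": 4776, "target": 1260},
    {"type": "process_create", "pid": 4168, "ppid": 900,
     "image": r"C:\Windows\system32\wbem\WmiApSrv.exe",
     "cmdline": r"C:\Windows\system32\wbem\WmiApSrv.exe"},
]

if __name__ == "__main__":
    for f in analyze(EVENTS):
        print(f"{f.rule}{' [confirmed]' if f.confirmed else ''} pid={f.pid}: {f.detail}")
```

Rule 1 fires on the process-create event alone and is only marked confirmed once the parent's WriteProcessMemory or SetThreadContext against that child is seen, so the same rule can page at low confidence on the launch and escalate when the injection telemetry arrives. The csc.exe rule deliberately keys on the parent's location rather than the response-file path, since the .cmdline path is attacker-controlled while the parent image path comes from the OS. WmiApSrv.exe produces no finding, which matches its standing in the report.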
Downloads
  Filesize: 1KB
  MD5: d8273a84acf462f246ff2bdc7f16eb8c
  SHA1: c1e9904eb91b8bf1ea6a10aef9fdedcb4a820f6b
  SHA256: 462febfca228b9ed95b650145360673dd0f7e563fe38f99af258204b3a8f5a28
  SHA512: 2f6775fe3d45104513ffe08166983a0705f4d18a8c56eb84488bff6ce74da6d5857c43c77f604fda2d3f7eab6d63991ed0e79ba9a11872fcb5acbdd668b9ac92

  Filesize: 12KB
  MD5: 4d680061a9ea1bd7d9f67bd56f42689e
  SHA1: 9fd1ee8573d700ae71226f74ba1d4b23c5a1e736
  SHA256: af7ea859c422be220c01ad15985c8399fe6785966e725ea0ee88d67f05145ae9
  SHA512: eda9fdbd8dc9163479969826d70162aa4c62412c61b9d12a56dd04cdafa90b4d08c4a0e853163cd62815ad5806630646af014f3df49e12e35a82a1315e7af306

  Filesize: 39KB
  MD5: da55e73b18601dfb02b191670d09773d
  SHA1: 255b7fe3fe32f16e9087fa8e79867ca19d953a71
  SHA256: c194e1f23c191c5925e7b9992a084d230a20a174d73986535f25e3832a2b17c5
  SHA512: 6a26f6892ea2d30449900d0f923e84ea7876c4a9c39fbf57ce16944e2d76b950160dc1e384a93c578aca407f8b395f9e025c7dbda1aad1ffebde3a0f33a06037

  Filesize: 1KB
  MD5: 3ba9ada869b5bff7815562664b9b07f8
  SHA1: e3057aae822c0aaa46a4fe4ea8b5715d89c78583
  SHA256: cdb742248fd92dd16aeec37dd8e782d3937529d92c87ee2f9003c9bdf8c799ba
  SHA512: a4b98cf1d69d94bad5148287b268cea0f27e9818779d6feb1b5b0451a48ab6be576d1586413e656218bf9c2f4eff02031e548971b5d63135aa2e0d3764b52d66

  Filesize: 18KB
  MD5: 096b1fa2af5a25c5b40610fe88219eb6
  SHA1: fdc4272a990a72444bbb381af8bab487968f49b0
  SHA256: a3cca5c4decede9d932aa43a21462c42fb3983af12aa6cf3c253fe47e44018bd
  SHA512: ae7204895b5ead2b96b0fe9fb67bc25adf7ca3c421d9a5c9ae2fb3276078b6f4110e9fac919416e96c037fff8143916a3c7f1fc981b8e4584e5a6794f0e92793

  Filesize: 312B
  MD5: 01e83b0312f782c52a66eec38a50a127
  SHA1: a26295ebb10f5a3a41d82976478c3bc0879f1280
  SHA256: b5d9d35be734f6ddd790a523bd08c5729fc61620b9e79b5e43a16c69e067d592
  SHA512: 350b7dacd4aec21bcd14298de86ec33c5a4c3274793803620c4265f381a2243c57f78ad888d71106d1a8eb1cf196d5e29982da598cc15325d1da555446fbe0ae