Analysis
max time kernel: 178s
max time network: 192s
platform: windows10-2004_x64
resource: win10v2004-20220414-en
submitted: 21-06-2022 01:28
Static task: static1
Behavioral task: behavioral1
Sample: 30ec5198eb3e9f6736a94237737b59f710041b1d37d3dd1e0cdeabaa110536d2.exe
Resource: win7-20220414-en
General
Target: 30ec5198eb3e9f6736a94237737b59f710041b1d37d3dd1e0cdeabaa110536d2.exe
Size: 624KB
MD5: 26addb13f9096b2571b9b33c7fab01f3
SHA1: 6b5586ff7d6918a26b8df8e69b1b53a6cbde1234
SHA256: 30ec5198eb3e9f6736a94237737b59f710041b1d37d3dd1e0cdeabaa110536d2
SHA512: 294fc6c142d8b587bbd712e26c5b903ffab00f18900908489668a6ebdd752dcf11e2166dc5ed7b400d7b7a5aa0ac2e3ca58333daa0fd28763e4aab78aabeaa6c
Malware Config
Signatures

Drops startup file (1 IoC)
Processes: 30ec5198eb3e9f6736a94237737b59f710041b1d37d3dd1e0cdeabaa110536d2.exe
description | ioc | Process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\YOdFDv.url | 30ec5198eb3e9f6736a94237737b59f710041b1d37d3dd1e0cdeabaa110536d2.exe

Loads dropped DLL (4 IoCs)
Processes: 30ec5198eb3e9f6736a94237737b59f710041b1d37d3dd1e0cdeabaa110536d2.exe
pid | Process
4348 | 30ec5198eb3e9f6736a94237737b59f710041b1d37d3dd1e0cdeabaa110536d2.exe
4348 | 30ec5198eb3e9f6736a94237737b59f710041b1d37d3dd1e0cdeabaa110536d2.exe
4348 | 30ec5198eb3e9f6736a94237737b59f710041b1d37d3dd1e0cdeabaa110536d2.exe
4348 | 30ec5198eb3e9f6736a94237737b59f710041b1d37d3dd1e0cdeabaa110536d2.exe
Drops desktop.ini file(s) (2 IoCs)
Processes: RegAsm.exe
description | ioc | Process
File created | C:\Windows\assembly\Desktop.ini | RegAsm.exe
File opened for modification | C:\Windows\assembly\Desktop.ini | RegAsm.exe

Suspicious use of SetThreadContext (1 IoC)
Processes: 30ec5198eb3e9f6736a94237737b59f710041b1d37d3dd1e0cdeabaa110536d2.exe
description | pid | Process | procid_target
PID 4348 set thread context of 1340 | 4348 | 30ec5198eb3e9f6736a94237737b59f710041b1d37d3dd1e0cdeabaa110536d2.exe | 83

Drops file in Windows directory (3 IoCs)
Processes: RegAsm.exe
description | ioc | Process
File opened for modification | C:\Windows\assembly | RegAsm.exe
File created | C:\Windows\assembly\Desktop.ini | RegAsm.exe
File opened for modification | C:\Windows\assembly\Desktop.ini | RegAsm.exe
Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes: 30ec5198eb3e9f6736a94237737b59f710041b1d37d3dd1e0cdeabaa110536d2.exe
pid | Process
4348 | 30ec5198eb3e9f6736a94237737b59f710041b1d37d3dd1e0cdeabaa110536d2.exe
4348 | 30ec5198eb3e9f6736a94237737b59f710041b1d37d3dd1e0cdeabaa110536d2.exe

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
Processes: RegAsm.exe
pid | Process
1340 | RegAsm.exe

Suspicious use of AdjustPrivilegeToken (4 IoCs)
Processes: 30ec5198eb3e9f6736a94237737b59f710041b1d37d3dd1e0cdeabaa110536d2.exe, RegAsm.exe
description | pid | Process
Token: SeDebugPrivilege | 4348 | 30ec5198eb3e9f6736a94237737b59f710041b1d37d3dd1e0cdeabaa110536d2.exe
Token: SeDebugPrivilege | 1340 | RegAsm.exe
Token: 33 | 1340 | RegAsm.exe
Token: SeIncBasePriorityPrivilege | 1340 | RegAsm.exe

Suspicious use of SetWindowsHookEx (1 IoC)
Processes: RegAsm.exe
pid | Process
1340 | RegAsm.exe
Suspicious use of WriteProcessMemory (14 IoCs)
Processes: 30ec5198eb3e9f6736a94237737b59f710041b1d37d3dd1e0cdeabaa110536d2.exe, csc.exe
description | pid | Process | procid_target
PID 4348 wrote to memory of 4136 | 4348 | 30ec5198eb3e9f6736a94237737b59f710041b1d37d3dd1e0cdeabaa110536d2.exe | 80
PID 4348 wrote to memory of 4136 | 4348 | 30ec5198eb3e9f6736a94237737b59f710041b1d37d3dd1e0cdeabaa110536d2.exe | 80
PID 4348 wrote to memory of 4136 | 4348 | 30ec5198eb3e9f6736a94237737b59f710041b1d37d3dd1e0cdeabaa110536d2.exe | 80
PID 4136 wrote to memory of 4552 | 4136 | csc.exe | 82
PID 4136 wrote to memory of 4552 | 4136 | csc.exe | 82
PID 4136 wrote to memory of 4552 | 4136 | csc.exe | 82
PID 4348 wrote to memory of 1340 | 4348 | 30ec5198eb3e9f6736a94237737b59f710041b1d37d3dd1e0cdeabaa110536d2.exe | 83
PID 4348 wrote to memory of 1340 | 4348 | 30ec5198eb3e9f6736a94237737b59f710041b1d37d3dd1e0cdeabaa110536d2.exe | 83
PID 4348 wrote to memory of 1340 | 4348 | 30ec5198eb3e9f6736a94237737b59f710041b1d37d3dd1e0cdeabaa110536d2.exe | 83
PID 4348 wrote to memory of 1340 | 4348 | 30ec5198eb3e9f6736a94237737b59f710041b1d37d3dd1e0cdeabaa110536d2.exe | 83
PID 4348 wrote to memory of 1340 | 4348 | 30ec5198eb3e9f6736a94237737b59f710041b1d37d3dd1e0cdeabaa110536d2.exe | 83
PID 4348 wrote to memory of 1340 | 4348 | 30ec5198eb3e9f6736a94237737b59f710041b1d37d3dd1e0cdeabaa110536d2.exe | 83
PID 4348 wrote to memory of 1340 | 4348 | 30ec5198eb3e9f6736a94237737b59f710041b1d37d3dd1e0cdeabaa110536d2.exe | 83
PID 4348 wrote to memory of 1340 | 4348 | 30ec5198eb3e9f6736a94237737b59f710041b1d37d3dd1e0cdeabaa110536d2.exe | 83
Processes (process tree; indentation shows parent/child relationship)

C:\Users\Admin\AppData\Local\Temp\30ec5198eb3e9f6736a94237737b59f710041b1d37d3dd1e0cdeabaa110536d2.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\30ec5198eb3e9f6736a94237737b59f710041b1d37d3dd1e0cdeabaa110536d2.exe"
  PID: 4348
  - Drops startup file
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

    C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
      Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\uonnpqze\uonnpqze.cmdline"
      PID: 4136
      - Suspicious use of WriteProcessMemory

        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
          Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES56DA.tmp" "c:\Users\Admin\AppData\Local\Temp\uonnpqze\CSCD3872A4BBA674BF092409468D633F8F1.TMP"
          PID: 4552

    C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
      Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
      PID: 1340
      - Drops desktop.ini file(s)
      - Drops file in Windows directory
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx

C:\Windows\system32\wbem\WmiApSrv.exe
  Command line: C:\Windows\system32\wbem\WmiApSrv.exe
  PID: 3436
Network
MITRE ATT&CK Matrix
Downloads