Analysis
-
max time kernel
156s -
max time network
171s -
platform
windows7_x64 -
resource
win7-20220414-en -
submitted
03-07-2022 16:08
Static task
static1
Behavioral task
behavioral1
Sample
3b8aa90ed1f241485bce6c194bb553fcd8dc1e06c94ddc95e5f36dcccdb341be.exe
Resource
win7-20220414-en
windows7_x64
0 signatures
0 seconds
General
-
Target
3b8aa90ed1f241485bce6c194bb553fcd8dc1e06c94ddc95e5f36dcccdb341be.exe
-
Size
484KB
-
MD5
124d636100ebd7a0150b180a54536108
-
SHA1
1961e8a42971d2d40226f9c5bc405e81430d10b0
-
SHA256
3b8aa90ed1f241485bce6c194bb553fcd8dc1e06c94ddc95e5f36dcccdb341be
-
SHA512
b55d5380f4d02881838591a15047a42c8da784faf78a0f0aa592d7c9be6aa240bd0c30fc606c018ccec645afdbd05958a0e3e3fc2aebe2edbd7a4b96ce12194f
Malware Config
Signatures
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
3b8aa90ed1f241485bce6c194bb553fcd8dc1e06c94ddc95e5f36dcccdb341be.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ARP Service = "C:\\Program Files (x86)\\ARP Service\\arpsvc.exe" 3b8aa90ed1f241485bce6c194bb553fcd8dc1e06c94ddc95e5f36dcccdb341be.exe -
Processes:
3b8aa90ed1f241485bce6c194bb553fcd8dc1e06c94ddc95e5f36dcccdb341be.exedescription ioc process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA 3b8aa90ed1f241485bce6c194bb553fcd8dc1e06c94ddc95e5f36dcccdb341be.exe -
Suspicious use of SetThreadContext 1 IoCs
Processes:
3b8aa90ed1f241485bce6c194bb553fcd8dc1e06c94ddc95e5f36dcccdb341be.exedescription pid process target process PID 532 set thread context of 912 532 3b8aa90ed1f241485bce6c194bb553fcd8dc1e06c94ddc95e5f36dcccdb341be.exe 3b8aa90ed1f241485bce6c194bb553fcd8dc1e06c94ddc95e5f36dcccdb341be.exe -
Drops file in Program Files directory 2 IoCs
Processes:
3b8aa90ed1f241485bce6c194bb553fcd8dc1e06c94ddc95e5f36dcccdb341be.exedescription ioc process File opened for modification C:\Program Files (x86)\ARP Service\arpsvc.exe 3b8aa90ed1f241485bce6c194bb553fcd8dc1e06c94ddc95e5f36dcccdb341be.exe File created C:\Program Files (x86)\ARP Service\arpsvc.exe 3b8aa90ed1f241485bce6c194bb553fcd8dc1e06c94ddc95e5f36dcccdb341be.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
3b8aa90ed1f241485bce6c194bb553fcd8dc1e06c94ddc95e5f36dcccdb341be.exepid process 912 3b8aa90ed1f241485bce6c194bb553fcd8dc1e06c94ddc95e5f36dcccdb341be.exe 912 3b8aa90ed1f241485bce6c194bb553fcd8dc1e06c94ddc95e5f36dcccdb341be.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
3b8aa90ed1f241485bce6c194bb553fcd8dc1e06c94ddc95e5f36dcccdb341be.exepid process 912 3b8aa90ed1f241485bce6c194bb553fcd8dc1e06c94ddc95e5f36dcccdb341be.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
3b8aa90ed1f241485bce6c194bb553fcd8dc1e06c94ddc95e5f36dcccdb341be.exedescription pid process Token: SeDebugPrivilege 912 3b8aa90ed1f241485bce6c194bb553fcd8dc1e06c94ddc95e5f36dcccdb341be.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
3b8aa90ed1f241485bce6c194bb553fcd8dc1e06c94ddc95e5f36dcccdb341be.exepid process 532 3b8aa90ed1f241485bce6c194bb553fcd8dc1e06c94ddc95e5f36dcccdb341be.exe -
Suspicious use of UnmapMainImage 1 IoCs
Processes:
3b8aa90ed1f241485bce6c194bb553fcd8dc1e06c94ddc95e5f36dcccdb341be.exepid process 912 3b8aa90ed1f241485bce6c194bb553fcd8dc1e06c94ddc95e5f36dcccdb341be.exe -
Suspicious use of WriteProcessMemory 4 IoCs
Processes:
3b8aa90ed1f241485bce6c194bb553fcd8dc1e06c94ddc95e5f36dcccdb341be.exedescription pid process target process PID 532 wrote to memory of 912 532 3b8aa90ed1f241485bce6c194bb553fcd8dc1e06c94ddc95e5f36dcccdb341be.exe 3b8aa90ed1f241485bce6c194bb553fcd8dc1e06c94ddc95e5f36dcccdb341be.exe PID 532 wrote to memory of 912 532 3b8aa90ed1f241485bce6c194bb553fcd8dc1e06c94ddc95e5f36dcccdb341be.exe 3b8aa90ed1f241485bce6c194bb553fcd8dc1e06c94ddc95e5f36dcccdb341be.exe PID 532 wrote to memory of 912 532 3b8aa90ed1f241485bce6c194bb553fcd8dc1e06c94ddc95e5f36dcccdb341be.exe 3b8aa90ed1f241485bce6c194bb553fcd8dc1e06c94ddc95e5f36dcccdb341be.exe PID 532 wrote to memory of 912 532 3b8aa90ed1f241485bce6c194bb553fcd8dc1e06c94ddc95e5f36dcccdb341be.exe 3b8aa90ed1f241485bce6c194bb553fcd8dc1e06c94ddc95e5f36dcccdb341be.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\3b8aa90ed1f241485bce6c194bb553fcd8dc1e06c94ddc95e5f36dcccdb341be.exe"C:\Users\Admin\AppData\Local\Temp\3b8aa90ed1f241485bce6c194bb553fcd8dc1e06c94ddc95e5f36dcccdb341be.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\3b8aa90ed1f241485bce6c194bb553fcd8dc1e06c94ddc95e5f36dcccdb341be.exeC:\Users\Admin\AppData\Local\Temp\3b8aa90ed1f241485bce6c194bb553fcd8dc1e06c94ddc95e5f36dcccdb341be.exe"2⤵
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/532-59-0x0000000077040000-0x00000000771C0000-memory.dmpFilesize
1.5MB
-
memory/532-57-0x0000000075711000-0x0000000075713000-memory.dmpFilesize
8KB
-
memory/532-56-0x00000000002C0000-0x00000000002C7000-memory.dmpFilesize
28KB
-
memory/912-62-0x0000000000400000-0x0000000000451000-memory.dmpFilesize
324KB
-
memory/912-60-0x00000000001B0000-0x00000000001B7000-memory.dmpFilesize
28KB
-
memory/912-63-0x0000000000400000-0x0000000000479000-memory.dmpFilesize
484KB
-
memory/912-58-0x000000000046CCCE-mapping.dmp
-
memory/912-64-0x0000000077040000-0x00000000771C0000-memory.dmpFilesize
1.5MB
-
memory/912-65-0x0000000077040000-0x00000000771C0000-memory.dmpFilesize
1.5MB
-
memory/912-66-0x0000000008870000-0x0000000009368000-memory.dmpFilesize
11.0MB
-
memory/912-67-0x0000000009370000-0x00000000094F8000-memory.dmpFilesize
1.5MB
-
memory/912-68-0x0000000073FD0000-0x000000007457B000-memory.dmpFilesize
5.7MB
-
memory/912-69-0x0000000073FD0000-0x000000007457B000-memory.dmpFilesize
5.7MB