Analysis
max time kernel: 144s
max time network: 149s
platform: windows10-2004_x64
resource: win10v2004-20220414-en
submitted: 05-07-2022 12:47
Static task: static1

Behavioral task: behavioral1
  Sample: e35990ef75577eea3cd4595a7298db05.exe
  Resource: win7-20220414-en (windows7_x64)
  0 signatures, 0 seconds

Behavioral task: behavioral2
  Sample: e35990ef75577eea3cd4595a7298db05.exe
  Resource: win10v2004-20220414-en (windows10-2004_x64)
  0 signatures, 0 seconds
General
Target: e35990ef75577eea3cd4595a7298db05.exe
Size: 450KB
MD5: e35990ef75577eea3cd4595a7298db05
SHA1: 4bd3ab8b02a4c3b870b57b60027cb6621640360a
SHA256: cc0a3df4ed14b3d4e9344f945189df4c4a560c3c0a67f353260c66b0266a19ec
SHA512: 84bbccc7d1b1de8bf2998585a91a80aa9d50122e6a2117162d70c26eefb82918e3d252b2cfc25ad169d2747ef994bf04f58f90b9b6134ba108167067220e1082
Score: 8/10
Malware Config
-

Signatures
-
Processes:
  resource: behavioral2/memory/4808-130-0x0000000140000000-0x0000000140136000-memory.dmp  yara_rule: upx
  resource: behavioral2/memory/4808-132-0x0000000140000000-0x0000000140136000-memory.dmp  yara_rule: upx
Modifies registry class 17 IoCs
Processes:
  description | ioc | process
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\wrifile | e35990ef75577eea3cd4595a7298db05.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\wrifile\shell\print\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\E35990~1.EXE /p \"%1\"" | e35990ef75577eea3cd4595a7298db05.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\wrifile\shell\printto\command | e35990ef75577eea3cd4595a7298db05.exe
  Key created | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000_Classes\CLSID | e35990ef75577eea3cd4595a7298db05.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\wrifile\shell\print | e35990ef75577eea3cd4595a7298db05.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\wrifile\DefaultIcon | e35990ef75577eea3cd4595a7298db05.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\wrifile\shell\open | e35990ef75577eea3cd4595a7298db05.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\wrifile\shell | e35990ef75577eea3cd4595a7298db05.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\wrifile\shell\print\command | e35990ef75577eea3cd4595a7298db05.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\wrifile\CLSID | e35990ef75577eea3cd4595a7298db05.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\wrifile\CLSID\ = "{73FDDC80-AEA9-101A-98A7-00AA00374959}" | e35990ef75577eea3cd4595a7298db05.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\wrifile\shell\open\command | e35990ef75577eea3cd4595a7298db05.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\wrifile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\E35990~1.EXE \"%1\"" | e35990ef75577eea3cd4595a7298db05.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\wrifile\shell\printto | e35990ef75577eea3cd4595a7298db05.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\wrifile\shell\printto\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\E35990~1.EXE /pt \"%1\" \"%2\" \"%3\" \"%4\"" | e35990ef75577eea3cd4595a7298db05.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\wrifile\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\E35990~1.EXE,2" | e35990ef75577eea3cd4595a7298db05.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\wrifile\ = "Write Document" | e35990ef75577eea3cd4595a7298db05.exe
Suspicious use of SetWindowsHookEx 3 IoCs
Processes:
  pid | process
  4808 | e35990ef75577eea3cd4595a7298db05.exe
  4808 | e35990ef75577eea3cd4595a7298db05.exe
  4808 | e35990ef75577eea3cd4595a7298db05.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\e35990ef75577eea3cd4595a7298db05.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\e35990ef75577eea3cd4595a7298db05.exe"
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
Network
MITRE ATT&CK Matrix
Downloads
-
memory/4808-130-0x0000000140000000-0x0000000140136000-memory.dmp  Filesize: 1.2MB
-
memory/4808-131-0x0000000180000000-0x0000000180029000-memory.dmp  Filesize: 164KB
-
memory/4808-132-0x0000000140000000-0x0000000140136000-memory.dmp  Filesize: 1.2MB
-
memory/4808-133-0x0000000180000000-0x0000000180029000-memory.dmp  Filesize: 164KB