Analysis
-
max time kernel
149s -
max time network
153s -
platform
windows7_x64 -
resource
win7-20220718-en -
resource tags
-
submitted
25-07-2022 05:47
General
-
Target
561b9ded0711d8bb3a6f4727ca62c9713d18c937abb4ac69b7310e4f07448635.exe
-
Size
772KB
-
MD5
3702f63230e2cfd3e0b343fad2234e6b
-
SHA1
4c5e6575c2364cda2ec3010180542f7dcc458c8d
-
SHA256
561b9ded0711d8bb3a6f4727ca62c9713d18c937abb4ac69b7310e4f07448635
-
SHA512
0bfbfa33f170e029a71d6ccac581b9cdff4cd3db1f043375d547f801643980292a85c139c2e3bd2d72ed043400f688f15832182fc9a9660961d7f75dbc2a22e1
Malware Config
Signatures
-
suricata: ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz
suricata: ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz
-
Executes dropped EXE 2 IoCs
-
Creates a Windows Service
-
Drops file in System32 directory 2 IoCs
-
Drops file in Windows directory 1 IoCs
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Modifies data under HKEY_USERS 5 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: RenamesItself 1 IoCs
-
Suspicious use of SetWindowsHookEx 4 IoCs
-
Suspicious use of WriteProcessMemory 4 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\561b9ded0711d8bb3a6f4727ca62c9713d18c937abb4ac69b7310e4f07448635.exe"C:\Users\Admin\AppData\Local\Temp\561b9ded0711d8bb3a6f4727ca62c9713d18c937abb4ac69b7310e4f07448635.exe"1⤵
- Drops file in Windows directory
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\ouytresx.exeC:\Windows\ouytresx.exe2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\ywkkso.exeC:\Windows\SysWOW64\ywkkso.exe1⤵
- Executes dropped EXE
- Checks processor information in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Windows\SysWOW64\ywkkso.exeFilesize
72KB
MD5954ebf4e1d54326ed5c2bae097dbd664
SHA1bdeda24d1de38a71eb5c72c1fb4f2ba44168fbe5
SHA256f88b7491e614c42f8c78d6ba14f43e79b75d04d4f1da70ee5dd0ba177da20808
SHA512da06533019075cb31ce790d42e82ab4f8e23a3e2734b815c91e7bf4e42b3f36f2c677d8aacd419cb6667fb6777433050c8daf3698631bc522b2fae89f7f14076
-
C:\Windows\ouytresx.exeFilesize
72KB
MD5954ebf4e1d54326ed5c2bae097dbd664
SHA1bdeda24d1de38a71eb5c72c1fb4f2ba44168fbe5
SHA256f88b7491e614c42f8c78d6ba14f43e79b75d04d4f1da70ee5dd0ba177da20808
SHA512da06533019075cb31ce790d42e82ab4f8e23a3e2734b815c91e7bf4e42b3f36f2c677d8aacd419cb6667fb6777433050c8daf3698631bc522b2fae89f7f14076
-
C:\Windows\ouytresx.exeFilesize
72KB
MD5954ebf4e1d54326ed5c2bae097dbd664
SHA1bdeda24d1de38a71eb5c72c1fb4f2ba44168fbe5
SHA256f88b7491e614c42f8c78d6ba14f43e79b75d04d4f1da70ee5dd0ba177da20808
SHA512da06533019075cb31ce790d42e82ab4f8e23a3e2734b815c91e7bf4e42b3f36f2c677d8aacd419cb6667fb6777433050c8daf3698631bc522b2fae89f7f14076
-
memory/896-54-0x0000000075271000-0x0000000075273000-memory.dmpFilesize
8KB
-
memory/896-55-0x0000000000400000-0x00000000004E6000-memory.dmpFilesize
920KB
-
memory/1724-56-0x0000000000000000-mapping.dmp
-
memory/1724-58-0x0000000010000000-0x0000000010008000-memory.dmpFilesize
32KB