Analysis
max time kernel: 143s
max time network: 155s
platform: windows10-2004_x64
resource: win10v2004-20220721-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220721-en, locale:en-us, os:windows10-2004-x64, system
submitted: 05-08-2022 18:36

Behavioral task: behavioral1
Sample: 3C0512176CBCA3CE1B0ABC5F505A3ABBCD39909C20095.exe
Resource: win7-20220718-en
Platform: windows7-x64
Signatures: 7
Run time: 150 seconds

General
Target: 3C0512176CBCA3CE1B0ABC5F505A3ABBCD39909C20095.exe
Size: 181KB
MD5: 19230db458718df6fa70d9817925ac7a
SHA1: 04eba42e98b996b5b9e1783e37de8b45c42d56f4
SHA256: 3c0512176cbca3ce1b0abc5f505a3abbcd39909c20095d995f019197f42439d3
SHA512: 81b7c7e56d37ac11294ec815ca90e84c528385941caf410f205ae6c181ca5e7a47e4dd8d572df9e5e6ac3a0caf58768d6049755c030aa67b8b2101b7af401712

Malware Config

Signatures

Adds Run key to start application (2 TTPs, 1 IoCs)
Processes: 3C0512176CBCA3CE1B0ABC5F505A3ABBCD39909C20095.exe
  description: Set value (str)
  ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IMAP Monitor = "C:\\Program Files\\IMAP Monitor\\imapmon.exe"
  process: 3C0512176CBCA3CE1B0ABC5F505A3ABBCD39909C20095.exe

Checks whether UAC is enabled
Processes: 3C0512176CBCA3CE1B0ABC5F505A3ABBCD39909C20095.exe
  description: Key value queried
  ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
  process: 3C0512176CBCA3CE1B0ABC5F505A3ABBCD39909C20095.exe

Drops file in Program Files directory (2 IoCs)
Processes: 3C0512176CBCA3CE1B0ABC5F505A3ABBCD39909C20095.exe
  description: File created
  ioc: C:\Program Files\IMAP Monitor\imapmon.exe
  process: 3C0512176CBCA3CE1B0ABC5F505A3ABBCD39909C20095.exe

  description: File opened for modification
  ioc: C:\Program Files\IMAP Monitor\imapmon.exe
  process: 3C0512176CBCA3CE1B0ABC5F505A3ABBCD39909C20095.exe

Suspicious behavior: EnumeratesProcesses (3 IoCs)
Processes: 3C0512176CBCA3CE1B0ABC5F505A3ABBCD39909C20095.exe
  pid: 4924  process: 3C0512176CBCA3CE1B0ABC5F505A3ABBCD39909C20095.exe
  pid: 4924  process: 3C0512176CBCA3CE1B0ABC5F505A3ABBCD39909C20095.exe
  pid: 4924  process: 3C0512176CBCA3CE1B0ABC5F505A3ABBCD39909C20095.exe

Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
Processes: 3C0512176CBCA3CE1B0ABC5F505A3ABBCD39909C20095.exe
  pid: 4924  process: 3C0512176CBCA3CE1B0ABC5F505A3ABBCD39909C20095.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes: 3C0512176CBCA3CE1B0ABC5F505A3ABBCD39909C20095.exe
  description: Token: SeDebugPrivilege  pid: 4924  process: 3C0512176CBCA3CE1B0ABC5F505A3ABBCD39909C20095.exe
  description: Token: SeDebugPrivilege  pid: 4924  process: 3C0512176CBCA3CE1B0ABC5F505A3ABBCD39909C20095.exe

Processes
C:\Users\Admin\AppData\Local\Temp\3C0512176CBCA3CE1B0ABC5F505A3ABBCD39909C20095.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\3C0512176CBCA3CE1B0ABC5F505A3ABBCD39909C20095.exe"
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken