37e17b0957c9b4b93bb5e72fa3a91ddd36524f1dd1d21b04dbc564649078bc79

Analysis

max time kernel
885s
max time network
892s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
16-08-2022 08:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Skype.exe
Size

66.8MB
MD5

c098d8d920dafe67045eb2dfbc366ed0
SHA1

1f577c4495b36350f2c69639d652f991e752b912
SHA256

37e17b0957c9b4b93bb5e72fa3a91ddd36524f1dd1d21b04dbc564649078bc79
SHA512

2789c1fdc40123a0de3b3109078b2ba3c69943c6732322fc62382e6a022b0dbbc269b139b752f37072514fb8e857f6338945fe581fc8220087d8dee96a7dbb8a

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

Skype.tmp

pid process

1644 Skype.tmp
Loads dropped DLL 3 IoCs

Processes:

Skype.exeSkype.tmp

pid process

1492 Skype.exe
1644 Skype.tmp
1644 Skype.tmp

pid	process
1644	Skype.tmp

pid	process
1492	Skype.exe
1644	Skype.tmp
1644	Skype.tmp

Checks for any installed AV software in registry 1 TTPs 4 IoCs

Security Software Discovery

T1063

Processes:

Skype.tmp

description	ioc	process
Key opened	\REGISTRY\MACHINE\Software\Wow6432Node\AVAST Software\Avast\Version	Skype.tmp
Key opened	\REGISTRY\MACHINE\Software\WOW6432Node\AVAST Software\Avast\Version	Skype.tmp
Key opened	\REGISTRY\MACHINE\Software\Wow6432Node\AVG\AV\Dir	Skype.tmp
Key opened	\REGISTRY\MACHINE\Software\WOW6432Node\AVG\AV\Dir	Skype.tmp

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Skype.tmp

pid process

1644 Skype.tmp

pid	process
1644	Skype.tmp

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

Skype.exe

description	pid	process	target process
PID 1492 wrote to memory of 1644	1492	Skype.exe	Skype.tmp
PID 1492 wrote to memory of 1644	1492	Skype.exe	Skype.tmp
PID 1492 wrote to memory of 1644	1492	Skype.exe	Skype.tmp
PID 1492 wrote to memory of 1644	1492	Skype.exe	Skype.tmp
PID 1492 wrote to memory of 1644	1492	Skype.exe	Skype.tmp
PID 1492 wrote to memory of 1644	1492	Skype.exe	Skype.tmp
PID 1492 wrote to memory of 1644	1492	Skype.exe	Skype.tmp

C:\Users\Admin\AppData\Local\Temp\Skype.exe
"C:\Users\Admin\AppData\Local\Temp\Skype.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1492

C:\Users\Admin\AppData\Local\Temp\is-GCCHG.tmp\Skype.tmp
"C:\Users\Admin\AppData\Local\Temp\is-GCCHG.tmp\Skype.tmp" /SL5="$60120,69621230,488960,C:\Users\Admin\AppData\Local\Temp\Skype.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks for any installed AV software in registry
- Suspicious behavior: GetForegroundWindowSpam
PID:1644

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Security Software Discovery

T1063

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\is-GCCHG.tmp\Skype.tmp
Filesize
1.5MB

MD5
789fa963c8b4ea28f5c000fc02bcdcd1

SHA1
2b2c2731a02c75fcb4b229d17866319cbe9c709d

SHA256
823faf9171969b0572853dd345963717e17288a469c202cd64ee2370d3672278

SHA512
dbb7352aaedfba5eed90df36c0f800cfa55ee08eed3559ad76e27edb67c07b400b7ae18a262c2fbcaf0cfbfcac496a0bbba3d8dd9a939446042aced08fe9a393

Download Submit
\Users\Admin\AppData\Local\Temp\is-9S0FR.tmp\NativeUID.dll
Filesize
86KB

MD5
d47e7649fc7b9bd91c7d091fde71b889

SHA1
19f11f2135982df97b9fda8fa5c9ce7813c99b1e

SHA256
a2583dbfd24d9061954dc185d1d5e43cff71ccc1342c6e87d7c349b70e8fa9ab

SHA512
262510f7ced40dc69e804a2b675b71a2ca25e9195428a55537c6dc3a7845bdcc8a8273e83a439bac05bc15bb4d194810cdda2b08678a6a9cd8a0b5eb628f1017

Download Submit
\Users\Admin\AppData\Local\Temp\is-9S0FR.tmp\botva2.dll
Filesize
41KB

MD5
ef899fa243c07b7b82b3a45f6ec36771

SHA1
4a86313cc8766dcad1c2b00c2b8f9bbe0cf8bbbe

SHA256
da7d0368712ee419952eb2640a65a7f24e39fb7872442ed4d2ee847ec4cfde77

SHA512
3f98b5ad9adfad2111ebd1d8cbab9ae423d624d1668cc64c0bfcdbfedf30c1ce3ea6bc6bcf70f7dd1b01172a4349e7c84fb75d395ee5af73866574c1d734c6e8

Download Submit
\Users\Admin\AppData\Local\Temp\is-GCCHG.tmp\Skype.tmp
Filesize
1.5MB

MD5
789fa963c8b4ea28f5c000fc02bcdcd1

SHA1
2b2c2731a02c75fcb4b229d17866319cbe9c709d

SHA256
823faf9171969b0572853dd345963717e17288a469c202cd64ee2370d3672278

SHA512
dbb7352aaedfba5eed90df36c0f800cfa55ee08eed3559ad76e27edb67c07b400b7ae18a262c2fbcaf0cfbfcac496a0bbba3d8dd9a939446042aced08fe9a393

Download Submit
memory/1492-54-0x0000000075921000-0x0000000075923000-memory.dmp

Filesize
8KB

Download
memory/1492-55-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/1492-62-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/1644-58-0x0000000000000000-mapping.dmp

Download