Analysis
max time kernel: 43s
max time network: 100s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 25-09-2022 07:01

Static task: static1
Behavioral task: behavioral1
  Sample: 46ee250665a9309d49ff4efa9b6de0c5.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: 46ee250665a9309d49ff4efa9b6de0c5.exe
  Resource: win10v2004-20220901-en
General
Target: 46ee250665a9309d49ff4efa9b6de0c5.exe
Size: 129KB
MD5: 46ee250665a9309d49ff4efa9b6de0c5
SHA1: 50d0c50fbe6e602546eca3ca6190196ea68e9a81
SHA256: 45136071c0cb88b6cbf83675992b439590a0f3425c6f3a8ee548c5228d0d9e6f
SHA512: 87afabbd3816148385dd5e31d45bc976414027f7850a0836426ae5ad6bf9417376cfd4fb5142972565fa462ba264e0de9791e9f870dff1e1bb922137e875d30f
SSDEEP: 3072:OHuz0Qb6GVlzsmn0+ZIOviaV0k4XoVlJ8n:OE0Q28omnlZsWJO
Malware Config

Signatures
Downloads MZ/PE file
Executes dropped EXE (1 IoC)
Processes:
  PID 324  1234.exe
Adds Run key to start application (2 TTPs, 1 IoC)
Processes:
  1234.exe: Set value (str) \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\aaa = "C:\\Users\\Public\\1234.exe"
Note: the Run value points at C:\Users\Public\1234.exe, but the only 1234.exe listed under Downloads below is C:\1234.exe; no file under C:\Users\Public appears in this report's dropped-file list, so the persisted copy is not available from this run.
Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes:
  svchost.exe: Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
  svchost.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz
Note: svchost.exe (PID 1912) is the process that 1234.exe (PID 324) wrote into (see WriteProcessMemory below), so treat this query as behaviour of the code placed in svchost.exe rather than of svchost.exe itself.
Suspicious behavior: EnumeratesProcesses (38 IoCs)
Processes:
  PID 1812  46ee250665a9309d49ff4efa9b6de0c5.exe  (2 entries)
  PID 324   1234.exe  (2 entries)
  PID 1912  svchost.exe  (remaining 34 entries)
Suspicious use of AdjustPrivilegeToken (4 IoCs)
Processes:
  46ee250665a9309d49ff4efa9b6de0c5.exe (PID 1812): Token: SeDebugPrivilege (x2), Token: SeImpersonatePrivilege (x2)
Suspicious use of WriteProcessMemory (5 IoCs)
Processes:
  PID 324 (1234.exe) wrote to memory of PID 1912 (svchost.exe), 5 times
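As an added example (not part of the sandbox report and not the sandbox's own tooling), the Python script below turns the behaviours listed under Signatures into detection logic. It parses constructed key=value event lines modelled on the IoCs above, records which rules each PID triggers, and correlates the WriteProcessMemory event with the CentralProcessor registry query so that the sandbox check is attributed to the injector (1234.exe, PID 324) rather than to svchost.exe. The event format, the rule names, the user-writable path prefixes and the list of commonly injected system images are assumptions of the example.

```python
"""Added example: turn the report's behavioural signatures into detection rules.

Event lines are constructed 'key=value' records modelled on the IoCs above;
they are not the sandbox's export format. Rule names, path prefix lists and
the set of commonly injected system images are assumptions of this example.
"""
import re
from collections import defaultdict

# Constructed sample events mirroring the Signatures section (not sandbox output).
SAMPLE_EVENTS = [
    r"pid=1812 image=46ee250665a9309d49ff4efa9b6de0c5.exe op=privilege name=SeDebugPrivilege",
    r"pid=1812 image=46ee250665a9309d49ff4efa9b6de0c5.exe op=privilege name=SeImpersonatePrivilege",
    r"pid=324 image=1234.exe op=exec path=C:\1234.exe",
    r"pid=324 image=1234.exe op=regset"
    r" key=HKU\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\aaa"
    r" value=C:\Users\Public\1234.exe",
    r"pid=324 image=1234.exe op=writemem target_pid=1912 target=svchost.exe",
    r"pid=1912 image=svchost.exe op=regquery key=HKLM\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz",
]

TOKEN = re.compile(r"(\w+)=(\S+)")  # values never contain spaces in this constructed format
USER_WRITABLE_PREFIXES = (r"c:\users\public", r"c:\programdata", r"c:\windows\temp")  # assumption
TRUSTED_EXEC_PREFIXES = (r"c:\program files", r"c:\windows")                           # assumption
SYSTEM_IMAGES = {"svchost.exe", "explorer.exe", "lsass.exe"}                            # assumption


def parse_event(line):
    """Parse one 'k=v k=v ...' line into a dict (values kept verbatim)."""
    return dict(TOKEN.findall(line))


def is_user_writable(path):
    """True for paths a standard user can write to (prefix list is an assumption)."""
    p = path.lower()
    return p.startswith(USER_WRITABLE_PREFIXES) or "\\appdata\\" in p


def classify(ev):
    """Return the rule names a single event triggers (empty list if none)."""
    hits = []
    op = ev.get("op")
    key = ev.get("key", "").lower()
    image = ev.get("image", "").lower()
    if op == "regset" and "\\currentversion\\run\\" in key and is_user_writable(ev.get("value", "")):
        hits.append("run_key_user_writable")
    if op == "writemem" and ev.get("target", "").lower() in SYSTEM_IMAGES and image not in SYSTEM_IMAGES:
        hits.append("memory_write_into_system_process")
    if op == "regquery" and "\\centralprocessor\\" in key:
        hits.append("cpu_registry_query")
    if op == "privilege" and ev.get("name") == "SeDebugPrivilege":
        hits.append("sedebugprivilege_enabled")
    if op == "exec" and not ev.get("path", "").lower().startswith(TRUSTED_EXEC_PREFIXES):
        hits.append("exec_outside_program_dirs")
    return hits


def triage(lines):
    """Aggregate rule hits per PID and correlate injector -> injected target.

    Returns (hits_by_pid, chains); each chain is (injector_pid, target_pid, label).
    """
    hits_by_pid = defaultdict(set)
    injected = {}  # target pid -> injector pid
    for line in lines:
        ev = parse_event(line)
        pid = int(ev["pid"])
        hits_by_pid[pid].update(classify(ev))
        if ev.get("op") == "writemem":
            injected[int(ev["target_pid"])] = pid
    chains = []
    for target, injector in injected.items():
        # A sandbox check performed by a process someone else wrote into is
        # attributed to the injector, not to the (legitimate) host image.
        if "cpu_registry_query" in hits_by_pid[target]:
            chains.append((injector, target, "sandbox_check_from_injected_process"))
    return dict(hits_by_pid), chains


if __name__ == "__main__":
    hits, chains = triage(SAMPLE_EVENTS)
    for pid in sorted(hits):
        print(pid, sorted(hits[pid]))
    for injector, target, label in chains:
        print(f"{injector} -> {target}: {label}")
```

Run against the constructed events, PID 324 collects the drop, persistence and injection rules, PID 1812 only the SeDebugPrivilege rule, and the single chain links 324 to 1912. The correlation step is the part worth keeping in a real pipeline: without it the CentralProcessor read would be scored against svchost.exe, which is exactly the attribution the injection is meant to achieve.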
Processes
C:\Users\Admin\AppData\Local\Temp\46ee250665a9309d49ff4efa9b6de0c5.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\46ee250665a9309d49ff4efa9b6de0c5.exe"
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
C:\1234.exe (depth 1)
  Command line: C:\1234.exe
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  \??\c:\windows\SysWOW64\svchost.exe (depth 2, under C:\1234.exe; SysWOW64 means the 32-bit svchost.exe on this x64 VM)
    Command line: c:\windows\SysWOW64\svchost.exe
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\1234.exe
  Filesize: 1.6MB
  MD5: 5d8ab1d3b48afab34fab8930c3e56793
  SHA1: 64c4e251af2970abc2e24bc3c3de0448103afd6d
  SHA256: 86ba5195ceef7562b3baf057bdbcd40123fa5fea2cb4c95dc50ffdedfbe088c4
  SHA512: f8b0372fd577424ef9d489de2ecdd32c1154ede0660f4ea0d1f589acc0df9689606a524387d16e51f4cb87759775678c0d7f32260b4bd4661e92486681b7f085
C:\libcef.dll
  Filesize: 90KB
  MD5: 12b71771467bb1d2d2f5f1a793836f7a
  SHA1: 8c86374aa8a4604be47dbe2b9cd84885f04a1cb4
  SHA256: ca3d79dbd07fe563bdab59e559fafede0199aff5e25c138c560277e8a4521a87
  SHA512: 59e80e81afd24abf102dde95bca8f07492c35c854b1744d51b4438be445449385d8865f4567010c20aeb042b2d39cf71e5e6e4d870073e4c500315721c62dac4
memory/324-56-0x0000000076411000-0x0000000076413000-memory.dmp
  Filesize: 8KB
memory/1812-54-0x000007FEFBFE1000-0x000007FEFBFE3000-memory.dmp
  Filesize: 8KB
memory/1912-59-0x0000000000000000-mapping.dmp
memory/1912-61-0x0000000010000000-0x0000000010026000-memory.dmp
  Filesize: 152KB
memory/1912-64-0x00000000001F0000-0x000000000023E000-memory.dmp
  Filesize: 312KB