Analysis

max time kernel: 149s
max time network: 153s
platform: windows10-2004_x64
resource: win10v2004-20220901-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
submitted: 03/10/2022, 01:07

Static task: static1

Behavioral task: behavioral1
  Sample: 6f53a406ab42de9b820001b29c86f6882e83899edecd97cca59ffc729e1cfa11.exe
  Resource: win7-20220812-en

Behavioral task: behavioral2
  Sample: 6f53a406ab42de9b820001b29c86f6882e83899edecd97cca59ffc729e1cfa11.exe
  Resource: win10v2004-20220901-en
General

Target: 6f53a406ab42de9b820001b29c86f6882e83899edecd97cca59ffc729e1cfa11.exe
Size: 413KB
MD5: 70292b434f1e16533ffbdcad3bfe3de0
SHA1: 9a66e941640c1e827ec158ac01baee2f985117a1
SHA256: 6f53a406ab42de9b820001b29c86f6882e83899edecd97cca59ffc729e1cfa11
SHA512: 2fab8e718a86174185a4119a3c33f9e273dad82289ea53c1db14c84a1aeb4a32b5f5d701c309c547f951e95f59716663b20d3d05086b8da44d2e649c7e294626
SSDEEP: 12288:qJee3xHYevZcUX4lEycKpWTbD6gaaaaaaaaaaaaaaaaaOaaaaaaaaaaaaaaaaaai:qJ9BHtBcUPvKpWvGgaaaaaaaaaaaaaaS
Malware Config
Signatures

Executes dropped EXE (1 IoC)
  PID 4280  client.exe

Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str)  \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\clienter = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\client.exe\""  (written by client.exe)

Suspicious behavior: EnumeratesProcesses (4 IoCs)
  PID 4536  6f53a406ab42de9b820001b29c86f6882e83899edecd97cca59ffc729e1cfa11.exe
  PID 4536  6f53a406ab42de9b820001b29c86f6882e83899edecd97cca59ffc729e1cfa11.exe
  PID 4280  client.exe
  PID 4280  client.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token: SeDebugPrivilege  PID 4536  6f53a406ab42de9b820001b29c86f6882e83899edecd97cca59ffc729e1cfa11.exe
  Token: SeDebugPrivilege  PID 4280  client.exe

Suspicious use of SetWindowsHookEx (1 IoC)
  PID 4280  client.exe

Suspicious use of WriteProcessMemory (3 IoCs)
  PID 4536 wrote to memory of 4280  (6f53a406ab42de9b820001b29c86f6882e83899edecd97cca59ffc729e1cfa11.exe, target procid 89)
  PID 4536 wrote to memory of 4280  (6f53a406ab42de9b820001b29c86f6882e83899edecd97cca59ffc729e1cfa11.exe, target procid 89)
  PID 4536 wrote to memory of 4280  (6f53a406ab42de9b820001b29c86f6882e83899edecd97cca59ffc729e1cfa11.exe, target procid 89)
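The Run-key signature above records the persistence this sample sets up: a copy dropped to %APPDATA%\Microsoft\client.exe and registered under the value name "clienter" in the user's Run key. A responder checking other hosts for the same layout usually works from a registry export rather than from the sandbox UI. The block below is an added example and is not part of this report or of the sandbox's own tooling: it parses the text format written by `reg export`, unescapes the REG_SZ values, extracts the executable from each Run command line and flags targets that live in a user-writable directory. The export text is constructed for the example; its "clienter" line reproduces the IoC from this report, the two other values are invented for contrast, and the function and constant names are the example's own.

```python
"""Triage Run-key entries from a `reg export` dump (added example, not report data)."""
import re

# Constructed sample in .reg format. The "clienter" value reproduces the IoC from the
# report; "OneDrive" and "SecurityHealth" are invented benign entries for contrast.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_USERS\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"clienter"="\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\client.exe\""
"OneDrive"="\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"SecurityHealth"="C:\\Windows\\System32\\SecurityHealthSystray.exe"
'''

# Directories a standard user can write to. A Run value whose target sits here is the
# "drop a copy, then persist" layout the report shows. AppData\Local is left out on
# purpose: legitimate per-user installs live there and need a signer/hash allowlist.
USER_WRITABLE_ROOTS = (
    "\\appdata\\roaming\\",
    "\\appdata\\local\\temp\\",
    "\\users\\public\\",
    "\\programdata\\",
)

_KEY_RE = re.compile(r"^\[(.+)\]$")
# Matches only string (REG_SZ) values: "name"="value". dword:/hex: values are skipped.
_VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')


def unescape_reg_string(s: str) -> str:
    """Undo .reg escaping: \\\\ becomes \\ and \\" becomes " (any escaped char is kept)."""
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg_export(text: str):
    """Return [(key, value_name, value)] for every REG_SZ value in a .reg export."""
    entries = []
    current_key = None
    for raw in text.splitlines():
        line = raw.strip()
        key_match = _KEY_RE.match(line)
        if key_match:
            current_key = key_match.group(1)
            continue
        value_match = _VALUE_RE.match(line)
        if value_match and current_key is not None:
            entries.append((current_key,
                            unescape_reg_string(value_match.group(1)),
                            unescape_reg_string(value_match.group(2))))
    return entries


def command_executable(command: str) -> str:
    """Program path of a Run command line: the quoted token if present, else the first token."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split()[0] if command else ""


def is_run_key(key: str) -> bool:
    """True for ...\\CurrentVersion\\Run and RunOnce under any hive."""
    return key.lower().rstrip("\\").endswith(("\\currentversion\\run", "\\currentversion\\runonce"))


def find_suspicious_run_entries(reg_text: str):
    """Run/RunOnce values whose executable is under a user-writable directory."""
    findings = []
    for key, name, value in parse_reg_export(reg_text):
        if not is_run_key(key):
            continue
        exe = command_executable(value)
        low = exe.lower()
        for root in USER_WRITABLE_ROOTS:
            if root in low:
                findings.append({"key": key, "name": name, "exe": exe,
                                 "reason": "target under user-writable " + root})
                break
    return findings


if __name__ == "__main__":
    for hit in find_suspicious_run_entries(SAMPLE_REG_EXPORT):
        print(f"{hit['name']!r} -> {hit['exe']}  [{hit['reason']}]")
```

On a live host the input comes from `reg export "HKU\<SID>\Software\Microsoft\Windows\CurrentVersion\Run" run.reg`; note that reg.exe writes the file as UTF-16 with a BOM, so read it with `open(path, encoding="utf-16")` before passing the text in. A hit is a lead, not a verdict: confirm it by hashing the target and comparing against the SHA256 in this report, and by checking whether the binary is Authenticode-signed.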
Processes

1. C:\Users\Admin\AppData\Local\Temp\6f53a406ab42de9b820001b29c86f6882e83899edecd97cca59ffc729e1cfa11.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\6f53a406ab42de9b820001b29c86f6882e83899edecd97cca59ffc729e1cfa11.exe"
   PID: 4536
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Roaming\Microsoft\client.exe (child of PID 4536)
      Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\client.exe"
      PID: 4280
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
Downloads

Filesize: 413KB
MD5: 70292b434f1e16533ffbdcad3bfe3de0
SHA1: 9a66e941640c1e827ec158ac01baee2f985117a1
SHA256: 6f53a406ab42de9b820001b29c86f6882e83899edecd97cca59ffc729e1cfa11
SHA512: 2fab8e718a86174185a4119a3c33f9e273dad82289ea53c1db14c84a1aeb4a32b5f5d701c309c547f951e95f59716663b20d3d05086b8da44d2e649c7e294626
(hashes identical to the submitted sample)