Analysis

max time kernel: 25s
max time network: 47s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 14-10-2022 06:00

Static task: static1
Behavioral task: behavioral1
Sample: CHEESE.exe
Resource: win7-20220812-en (windows7-x64)
5 signatures
150 seconds
General

Target: CHEESE.exe
Size: 2.4MB
MD5: 12ef571baf523c098fc4e96bb3759c21
SHA1: b476dd2bed415fbbc9c96e4a33160d12bf8413bb
SHA256: 2180293a0c0b7340f85543d453c10e8f9a059b69a530428fe1858e92a7fa63c3
SHA512: e4e2354ee21ede5f3a61c00ac9766736e55e23bd3577b5bc41a7f493b8143159ca8d771fad7af4ee4b7fd56be450b82651f0ce87b82e873119e9f1655ac7249a
SSDEEP: 24576:DYof7x+kxP2gEDiYbYXQZCsuMUTSyzdvi1ucvgDfR1JJMK3LTiF+cTl3RuQ5531C:kozx+kxugEaYu1JJMK3n/al3Q
Malware Config

Extracted
Family: erbium
C2: http://77.73.133.53/cloud/index.php
Signatures

- Downloads MZ/PE file
- Uses the VBS compiler for execution (1 TTPs)
- Suspicious use of SetThreadContext (1 IoCs)

  description                              pid   Process      procid_target
  PID 112 set thread context of 98724      112   CHEESE.exe   28

- Suspicious use of WriteProcessMemory (6 IoCs)

  description                              pid   Process      procid_target
  PID 112 wrote to memory of 98724         112   CHEESE.exe   28
  PID 112 wrote to memory of 98724         112   CHEESE.exe   28
  PID 112 wrote to memory of 98724         112   CHEESE.exe   28
  PID 112 wrote to memory of 98724         112   CHEESE.exe   28
  PID 112 wrote to memory of 98724         112   CHEESE.exe   28
  PID 112 wrote to memory of 98724         112   CHEESE.exe   28
Processes

- C:\Users\Admin\AppData\Local\Temp\CHEESE.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\CHEESE.exe"
  PID: 112
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
    PID: 98724