Analysis
- max time kernel: 134s
- max time network: 149s
- platform: windows7_x64
- resource: win7-20220812-en
- resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
- submitted: 19-10-2022 18:09
Static task: static1
Behavioral task: behavioral1 (Sample: file.exe, Resource: win7-20220812-en)
Behavioral task: behavioral2 (Sample: file.exe, Resource: win10v2004-20220812-en)
General
- Target: file.exe
- Size: 457KB
- MD5: 9ecafa0a55d800f4293093989b90d595
- SHA1: 4b7388775266bf7b9edd19ff456f9dcc5a6bcd06
- SHA256: 914be79c80638787a90cb4d7598ad60a8f39634cb4858489bde36c0e32e235aa
- SHA512: d43417b47641d815b99687c3418abb0fad2963f7466eac304d596ac61099f09ba1db3fce3a2b7e15a71f29e27476ef579b9e9200778d277acc470c26bc602b49
- SSDEEP: 3072:8ahKyd2n31If5HxTQ3fXaPm1cF8o4Y1Z8JP:8ahOOfTQvXaPm1cFrV4J
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Process: ANSWER~1.EXE, PID 1932
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Process: file.exe
  Key created: \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\"
  Note: a RunOnce value named wextract_cleanupN whose data calls advpack.dll,DelNodeRunDLL32 on an IXP000.TMP directory is the cleanup entry written by the Windows self-extractor (WEXTRACT, as used by IExpress packages) so that its staging directory is deleted at next logon. It shows the sample is an IExpress-style self-extracting package; it is not, by itself, a persistence mechanism for the payload, so any autostart for ANSWER~1.EXE would have to be found elsewhere.
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Process: ANSWER~1.EXE, PID 1932, enables SeDebugPrivilege
- Suspicious use of WriteProcessMemory (4 IoCs)
  Process: file.exe (PID 1660) wrote to the memory of ANSWER~1.EXE (PID 1932), four events
  Note: all four writes go from the parent into the child it has just spawned, which is what ordinary process creation looks like; on its own this is not evidence of injection into an unrelated process.
Processes
- PID 1660: C:\Users\Admin\AppData\Local\Temp\file.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\file.exe"
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  - PID 1932 (child of 1660): C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ANSWER~1.EXE
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ANSWER~1.EXE
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ANSWER~1.EXE
  Filesize: 214.6MB
  MD5: bb8689d9b974d82e1d538277a9e46ea3
  SHA1: f2b6671113b9f855574369ead9dbbeb6acfdfefe
  SHA256: 4af7c294e7310214795adee79cf35eb1865ef3219f9b35335d19534941c8783d
  SHA512: d2164c4e798d5cae0fcb2c7d589b12458a011d0ee26fdbb9e3d9995a5c1eba81a41914f06cb800fc00ed6a4befed89b14e7414ee974a6f22919b8ce58edf0304
  Note: the 457KB container expands to a 214.6MB executable, roughly 480 times larger, so the dropped file is highly compressible (for instance padded with filler). Tools with upload size limits may reject it; hash and analyse the dropped file directly rather than relying on the container's hashes.
- memory/1932-54-0x0000000000000000-mapping.dmp
- memory/1932-57-0x0000000000E30000-0x0000000000E42000-memory.dmp
  Filesize: 72KB
- memory/1932-58-0x0000000075F51000-0x0000000075F53000-memory.dmp
  Filesize: 8KB