Analysis
max time kernel: 149s
max time network: 52s
platform: windows7_x64
resource: win7-20220901-en
resource tags: arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system
submitted: 29-10-2022 06:36
Static task: static1
Behavioral task: behavioral1
  Sample: 031c9a8ee79ced6fc22d723a41ddbd3d57a9003001dbcc0eaf693f9e4f59bc48.exe
  Resource: win7-20220901-en
Behavioral task: behavioral2
  Sample: 031c9a8ee79ced6fc22d723a41ddbd3d57a9003001dbcc0eaf693f9e4f59bc48.exe
  Resource: win10v2004-20220901-en
General
Target: 031c9a8ee79ced6fc22d723a41ddbd3d57a9003001dbcc0eaf693f9e4f59bc48.exe
Size: 413KB
MD5: d2dceadcd333cb893138bdeb7e98442c
SHA1: 1a061876af7f541ad9c5dc93acc429db3157abc7
SHA256: 031c9a8ee79ced6fc22d723a41ddbd3d57a9003001dbcc0eaf693f9e4f59bc48
SHA512: 0357625c6d18fb08777436969baf2eb1bf574dc412a4de0e05a14163e9eea6b15e7b9e0ae4763298405c076d02c9f7c952ec3b89a2f820bc4939fa3f299c9a93
SSDEEP: 6144:guv+Fddb+BBoXWOsu72e97HTtlRHSK1PMLNmfPgNfImkTfti3Mpm8vQgZd+Wv:T2aBo/HVSIPMLvQm2w3Mpm8vQgZd+Wv
Malware Config
Signatures

Adds Run key to start application (2 TTPs, 2 IoCs)
Processes:
  description     | ioc                                                                                                                                                  | process
  Key created     | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run                                              | REG.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\KEYDJD = "C:\\Users\\Admin\\AppData\\Roaming\\NextUS\\NextUS8.exe" | REG.exe

Suspicious use of SetThreadContext (1 IoCs)
Processes:
  description                         | pid  | process                                                              | target process
  PID 1720 set thread context of 1992 | 1720 | 031c9a8ee79ced6fc22d723a41ddbd3d57a9003001dbcc0eaf693f9e4f59bc48.exe | RegAsm.exe

Runs ping.exe (1 TTPs, 10 IoCs)
Processes:
  pid  | process
  360  | ping.exe
  2012 | ping.exe
  564  | ping.exe
  1684 | ping.exe
  280  | ping.exe
  1640 | ping.exe
  1280 | ping.exe
  660  | ping.exe
  1660 | ping.exe
  1036 | ping.exe

Suspicious behavior: EnumeratesProcesses (1 IoCs)
Processes:
  pid  | process
  1720 | 031c9a8ee79ced6fc22d723a41ddbd3d57a9003001dbcc0eaf693f9e4f59bc48.exe

Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
Processes:
  pid  | process
  1992 | RegAsm.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes:
  description             | pid  | process
  Token: SeDebugPrivilege | 1720 | 031c9a8ee79ced6fc22d723a41ddbd3d57a9003001dbcc0eaf693f9e4f59bc48.exe
  Token: SeDebugPrivilege | 1992 | RegAsm.exe

Suspicious use of SetWindowsHookEx (1 IoCs)
Processes:
  pid  | process
  1992 | RegAsm.exe

Suspicious use of WriteProcessMemory (56 IoCs)
Processes:
  description                       | pid  | process                                                              | target process
  PID 1720 wrote to memory of 1992  | 1720 | 031c9a8ee79ced6fc22d723a41ddbd3d57a9003001dbcc0eaf693f9e4f59bc48.exe | RegAsm.exe
  PID 1720 wrote to memory of 1992  | 1720 | 031c9a8ee79ced6fc22d723a41ddbd3d57a9003001dbcc0eaf693f9e4f59bc48.exe | RegAsm.exe
  PID 1720 wrote to memory of 1992  | 1720 | 031c9a8ee79ced6fc22d723a41ddbd3d57a9003001dbcc0eaf693f9e4f59bc48.exe | RegAsm.exe
  PID 1720 wrote to memory of 1992  | 1720 | 031c9a8ee79ced6fc22d723a41ddbd3d57a9003001dbcc0eaf693f9e4f59bc48.exe | RegAsm.exe
  PID 1720 wrote to memory of 1992  | 1720 | 031c9a8ee79ced6fc22d723a41ddbd3d57a9003001dbcc0eaf693f9e4f59bc48.exe | RegAsm.exe
  PID 1720 wrote to memory of 1992  | 1720 | 031c9a8ee79ced6fc22d723a41ddbd3d57a9003001dbcc0eaf693f9e4f59bc48.exe | RegAsm.exe
  PID 1720 wrote to memory of 1992  | 1720 | 031c9a8ee79ced6fc22d723a41ddbd3d57a9003001dbcc0eaf693f9e4f59bc48.exe | RegAsm.exe
  PID 1720 wrote to memory of 1992  | 1720 | 031c9a8ee79ced6fc22d723a41ddbd3d57a9003001dbcc0eaf693f9e4f59bc48.exe | RegAsm.exe
  PID 1720 wrote to memory of 1992  | 1720 | 031c9a8ee79ced6fc22d723a41ddbd3d57a9003001dbcc0eaf693f9e4f59bc48.exe | RegAsm.exe
  PID 1720 wrote to memory of 1992  | 1720 | 031c9a8ee79ced6fc22d723a41ddbd3d57a9003001dbcc0eaf693f9e4f59bc48.exe | RegAsm.exe
  PID 1720 wrote to memory of 1992  | 1720 | 031c9a8ee79ced6fc22d723a41ddbd3d57a9003001dbcc0eaf693f9e4f59bc48.exe | RegAsm.exe
  PID 1720 wrote to memory of 1992  | 1720 | 031c9a8ee79ced6fc22d723a41ddbd3d57a9003001dbcc0eaf693f9e4f59bc48.exe | RegAsm.exe
  PID 1720 wrote to memory of 280   | 1720 | 031c9a8ee79ced6fc22d723a41ddbd3d57a9003001dbcc0eaf693f9e4f59bc48.exe | ping.exe
  PID 1720 wrote to memory of 280   | 1720 | 031c9a8ee79ced6fc22d723a41ddbd3d57a9003001dbcc0eaf693f9e4f59bc48.exe | ping.exe
  PID 1720 wrote to memory of 280   | 1720 | 031c9a8ee79ced6fc22d723a41ddbd3d57a9003001dbcc0eaf693f9e4f59bc48.exe | ping.exe
  PID 1720 wrote to memory of 280   | 1720 | 031c9a8ee79ced6fc22d723a41ddbd3d57a9003001dbcc0eaf693f9e4f59bc48.exe | ping.exe
  PID 1720 wrote to memory of 360   | 1720 | 031c9a8ee79ced6fc22d723a41ddbd3d57a9003001dbcc0eaf693f9e4f59bc48.exe | ping.exe
  PID 1720 wrote to memory of 360   | 1720 | 031c9a8ee79ced6fc22d723a41ddbd3d57a9003001dbcc0eaf693f9e4f59bc48.exe | ping.exe
  PID 1720 wrote to memory of 360   | 1720 | 031c9a8ee79ced6fc22d723a41ddbd3d57a9003001dbcc0eaf693f9e4f59bc48.exe | ping.exe
  PID 1720 wrote to memory of 360   | 1720 | 031c9a8ee79ced6fc22d723a41ddbd3d57a9003001dbcc0eaf693f9e4f59bc48.exe | ping.exe
  PID 1720 wrote to memory of 1640  | 1720 | 031c9a8ee79ced6fc22d723a41ddbd3d57a9003001dbcc0eaf693f9e4f59bc48.exe | ping.exe
  PID 1720 wrote to memory of 1640  | 1720 | 031c9a8ee79ced6fc22d723a41ddbd3d57a9003001dbcc0eaf693f9e4f59bc48.exe | ping.exe
  PID 1720 wrote to memory of 1640  | 1720 | 031c9a8ee79ced6fc22d723a41ddbd3d57a9003001dbcc0eaf693f9e4f59bc48.exe | ping.exe
  PID 1720 wrote to memory of 1640  | 1720 | 031c9a8ee79ced6fc22d723a41ddbd3d57a9003001dbcc0eaf693f9e4f59bc48.exe | ping.exe
  PID 1720 wrote to memory of 1280  | 1720 | 031c9a8ee79ced6fc22d723a41ddbd3d57a9003001dbcc0eaf693f9e4f59bc48.exe | ping.exe
  PID 1720 wrote to memory of 1280  | 1720 | 031c9a8ee79ced6fc22d723a41ddbd3d57a9003001dbcc0eaf693f9e4f59bc48.exe | ping.exe
  PID 1720 wrote to memory of 1280  | 1720 | 031c9a8ee79ced6fc22d723a41ddbd3d57a9003001dbcc0eaf693f9e4f59bc48.exe | ping.exe
  PID 1720 wrote to memory of 1280  | 1720 | 031c9a8ee79ced6fc22d723a41ddbd3d57a9003001dbcc0eaf693f9e4f59bc48.exe | ping.exe
  PID 1720 wrote to memory of 660   | 1720 | 031c9a8ee79ced6fc22d723a41ddbd3d57a9003001dbcc0eaf693f9e4f59bc48.exe | ping.exe
  PID 1720 wrote to memory of 660   | 1720 | 031c9a8ee79ced6fc22d723a41ddbd3d57a9003001dbcc0eaf693f9e4f59bc48.exe | ping.exe
  PID 1720 wrote to memory of 660   | 1720 | 031c9a8ee79ced6fc22d723a41ddbd3d57a9003001dbcc0eaf693f9e4f59bc48.exe | ping.exe
  PID 1720 wrote to memory of 660   | 1720 | 031c9a8ee79ced6fc22d723a41ddbd3d57a9003001dbcc0eaf693f9e4f59bc48.exe | ping.exe
  PID 1720 wrote to memory of 1660  | 1720 | 031c9a8ee79ced6fc22d723a41ddbd3d57a9003001dbcc0eaf693f9e4f59bc48.exe | ping.exe
  PID 1720 wrote to memory of 1660  | 1720 | 031c9a8ee79ced6fc22d723a41ddbd3d57a9003001dbcc0eaf693f9e4f59bc48.exe | ping.exe
  PID 1720 wrote to memory of 1660  | 1720 | 031c9a8ee79ced6fc22d723a41ddbd3d57a9003001dbcc0eaf693f9e4f59bc48.exe | ping.exe
  PID 1720 wrote to memory of 1660  | 1720 | 031c9a8ee79ced6fc22d723a41ddbd3d57a9003001dbcc0eaf693f9e4f59bc48.exe | ping.exe
  PID 1720 wrote to memory of 1036  | 1720 | 031c9a8ee79ced6fc22d723a41ddbd3d57a9003001dbcc0eaf693f9e4f59bc48.exe | ping.exe
  PID 1720 wrote to memory of 1036  | 1720 | 031c9a8ee79ced6fc22d723a41ddbd3d57a9003001dbcc0eaf693f9e4f59bc48.exe | ping.exe
  PID 1720 wrote to memory of 1036  | 1720 | 031c9a8ee79ced6fc22d723a41ddbd3d57a9003001dbcc0eaf693f9e4f59bc48.exe | ping.exe
  PID 1720 wrote to memory of 1036  | 1720 | 031c9a8ee79ced6fc22d723a41ddbd3d57a9003001dbcc0eaf693f9e4f59bc48.exe | ping.exe
  PID 1720 wrote to memory of 2012  | 1720 | 031c9a8ee79ced6fc22d723a41ddbd3d57a9003001dbcc0eaf693f9e4f59bc48.exe | ping.exe
  PID 1720 wrote to memory of 2012  | 1720 | 031c9a8ee79ced6fc22d723a41ddbd3d57a9003001dbcc0eaf693f9e4f59bc48.exe | ping.exe
  PID 1720 wrote to memory of 2012  | 1720 | 031c9a8ee79ced6fc22d723a41ddbd3d57a9003001dbcc0eaf693f9e4f59bc48.exe | ping.exe
  PID 1720 wrote to memory of 2012  | 1720 | 031c9a8ee79ced6fc22d723a41ddbd3d57a9003001dbcc0eaf693f9e4f59bc48.exe | ping.exe
  PID 1720 wrote to memory of 1684  | 1720 | 031c9a8ee79ced6fc22d723a41ddbd3d57a9003001dbcc0eaf693f9e4f59bc48.exe | ping.exe
  PID 1720 wrote to memory of 1684  | 1720 | 031c9a8ee79ced6fc22d723a41ddbd3d57a9003001dbcc0eaf693f9e4f59bc48.exe | ping.exe
  PID 1720 wrote to memory of 1684  | 1720 | 031c9a8ee79ced6fc22d723a41ddbd3d57a9003001dbcc0eaf693f9e4f59bc48.exe | ping.exe
  PID 1720 wrote to memory of 1684  | 1720 | 031c9a8ee79ced6fc22d723a41ddbd3d57a9003001dbcc0eaf693f9e4f59bc48.exe | ping.exe
  PID 1720 wrote to memory of 564   | 1720 | 031c9a8ee79ced6fc22d723a41ddbd3d57a9003001dbcc0eaf693f9e4f59bc48.exe | ping.exe
  PID 1720 wrote to memory of 564   | 1720 | 031c9a8ee79ced6fc22d723a41ddbd3d57a9003001dbcc0eaf693f9e4f59bc48.exe | ping.exe
  PID 1720 wrote to memory of 564   | 1720 | 031c9a8ee79ced6fc22d723a41ddbd3d57a9003001dbcc0eaf693f9e4f59bc48.exe | ping.exe
  PID 1720 wrote to memory of 564   | 1720 | 031c9a8ee79ced6fc22d723a41ddbd3d57a9003001dbcc0eaf693f9e4f59bc48.exe | ping.exe
  PID 1720 wrote to memory of 1904  | 1720 | 031c9a8ee79ced6fc22d723a41ddbd3d57a9003001dbcc0eaf693f9e4f59bc48.exe | REG.exe
  PID 1720 wrote to memory of 1904  | 1720 | 031c9a8ee79ced6fc22d723a41ddbd3d57a9003001dbcc0eaf693f9e4f59bc48.exe | REG.exe
  PID 1720 wrote to memory of 1904  | 1720 | 031c9a8ee79ced6fc22d723a41ddbd3d57a9003001dbcc0eaf693f9e4f59bc48.exe | REG.exe
  PID 1720 wrote to memory of 1904  | 1720 | 031c9a8ee79ced6fc22d723a41ddbd3d57a9003001dbcc0eaf693f9e4f59bc48.exe | REG.exe
Processes

C:\Users\Admin\AppData\Local\Temp\031c9a8ee79ced6fc22d723a41ddbd3d57a9003001dbcc0eaf693f9e4f59bc48.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\031c9a8ee79ced6fc22d723a41ddbd3d57a9003001dbcc0eaf693f9e4f59bc48.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1720

  C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
    Command line: "\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID: 1992

  C:\Windows\SysWOW64\ping.exe
    Command line: C:\Windows\System32\ping.exe google.com
    - Runs ping.exe
    PID: 280

  C:\Windows\SysWOW64\ping.exe
    Command line: C:\Windows\System32\ping.exe google.com
    - Runs ping.exe
    PID: 360

  C:\Windows\SysWOW64\ping.exe
    Command line: C:\Windows\System32\ping.exe google.com
    - Runs ping.exe
    PID: 1640

  C:\Windows\SysWOW64\ping.exe
    Command line: C:\Windows\System32\ping.exe google.com
    - Runs ping.exe
    PID: 1280

  C:\Windows\SysWOW64\ping.exe
    Command line: C:\Windows\System32\ping.exe google.com
    - Runs ping.exe
    PID: 660

  C:\Windows\SysWOW64\ping.exe
    Command line: C:\Windows\System32\ping.exe google.com
    - Runs ping.exe
    PID: 1660

  C:\Windows\SysWOW64\ping.exe
    Command line: C:\Windows\System32\ping.exe google.com
    - Runs ping.exe
    PID: 1036

  C:\Windows\SysWOW64\ping.exe
    Command line: C:\Windows\System32\ping.exe google.com
    - Runs ping.exe
    PID: 2012

  C:\Windows\SysWOW64\ping.exe
    Command line: C:\Windows\System32\ping.exe google.com
    - Runs ping.exe
    PID: 1684

  C:\Windows\SysWOW64\ping.exe
    Command line: C:\Windows\System32\ping.exe google.com
    - Runs ping.exe
    PID: 564

  C:\Windows\SysWOW64\REG.exe
    Command line: REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "KEYDJD" /t REG_SZ /F /D "C:\Users\Admin\AppData\Roaming\NextUS\NextUS8.exe
    - Adds Run key to start application
    PID: 1904