Analysis

max time kernel: 91s
max time network: 139s
platform: windows10-2004_x64
resource: win10v2004-20220901-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
submitted: 29-10-2022 06:36

Static task: static1

Behavioral task: behavioral1
Sample: 031c9a8ee79ced6fc22d723a41ddbd3d57a9003001dbcc0eaf693f9e4f59bc48.exe
Resource: win7-20220901-en

Behavioral task: behavioral2
Sample: 031c9a8ee79ced6fc22d723a41ddbd3d57a9003001dbcc0eaf693f9e4f59bc48.exe
Resource: win10v2004-20220901-en
General

Target: 031c9a8ee79ced6fc22d723a41ddbd3d57a9003001dbcc0eaf693f9e4f59bc48.exe
Size: 413KB
MD5: d2dceadcd333cb893138bdeb7e98442c
SHA1: 1a061876af7f541ad9c5dc93acc429db3157abc7
SHA256: 031c9a8ee79ced6fc22d723a41ddbd3d57a9003001dbcc0eaf693f9e4f59bc48
SHA512: 0357625c6d18fb08777436969baf2eb1bf574dc412a4de0e05a14163e9eea6b15e7b9e0ae4763298405c076d02c9f7c952ec3b89a2f820bc4939fa3f299c9a93
SSDEEP: 6144:guv+Fddb+BBoXWOsu72e97HTtlRHSK1PMLNmfPgNfImkTfti3Mpm8vQgZd+Wv:T2aBo/HVSIPMLvQm2w3Mpm8vQgZd+Wv
Malware Config

Signatures

Adds Run key to start application (2 TTPs, 2 IoCs)
Processes: REG.exe
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | REG.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\KEYDJD = "C:\\Users\\Admin\\AppData\\Roaming\\NextUS\\NextUS8.exe" | REG.exe
Runs ping.exe (1 TTPs, 10 IoCs)
Processes: ping.exe (10 instances)
pid | process
1804 | ping.exe
4444 | ping.exe
1152 | ping.exe
4228 | ping.exe
1172 | ping.exe
4896 | ping.exe
5068 | ping.exe
5052 | ping.exe
4464 | ping.exe
1412 | ping.exe
Suspicious behavior: EnumeratesProcesses (3 IoCs)
Processes: 031c9a8ee79ced6fc22d723a41ddbd3d57a9003001dbcc0eaf693f9e4f59bc48.exe
pid | process
2300 | 031c9a8ee79ced6fc22d723a41ddbd3d57a9003001dbcc0eaf693f9e4f59bc48.exe
2300 | 031c9a8ee79ced6fc22d723a41ddbd3d57a9003001dbcc0eaf693f9e4f59bc48.exe
2300 | 031c9a8ee79ced6fc22d723a41ddbd3d57a9003001dbcc0eaf693f9e4f59bc48.exe
Suspicious use of AdjustPrivilegeToken (1 IoCs)
Processes: 031c9a8ee79ced6fc22d723a41ddbd3d57a9003001dbcc0eaf693f9e4f59bc48.exe
description | pid | process
Token: SeDebugPrivilege | 2300 | 031c9a8ee79ced6fc22d723a41ddbd3d57a9003001dbcc0eaf693f9e4f59bc48.exe
Suspicious use of WriteProcessMemory (36 IoCs)
Processes: 031c9a8ee79ced6fc22d723a41ddbd3d57a9003001dbcc0eaf693f9e4f59bc48.exe
description | pid | process | target process
PID 2300 wrote to memory of 4112 | 2300 | 031c9a8ee79ced6fc22d723a41ddbd3d57a9003001dbcc0eaf693f9e4f59bc48.exe | RegAsm.exe
PID 2300 wrote to memory of 4112 | 2300 | 031c9a8ee79ced6fc22d723a41ddbd3d57a9003001dbcc0eaf693f9e4f59bc48.exe | RegAsm.exe
PID 2300 wrote to memory of 4112 | 2300 | 031c9a8ee79ced6fc22d723a41ddbd3d57a9003001dbcc0eaf693f9e4f59bc48.exe | RegAsm.exe
PID 2300 wrote to memory of 1804 | 2300 | 031c9a8ee79ced6fc22d723a41ddbd3d57a9003001dbcc0eaf693f9e4f59bc48.exe | ping.exe
PID 2300 wrote to memory of 1804 | 2300 | 031c9a8ee79ced6fc22d723a41ddbd3d57a9003001dbcc0eaf693f9e4f59bc48.exe | ping.exe
PID 2300 wrote to memory of 1804 | 2300 | 031c9a8ee79ced6fc22d723a41ddbd3d57a9003001dbcc0eaf693f9e4f59bc48.exe | ping.exe
PID 2300 wrote to memory of 5068 | 2300 | 031c9a8ee79ced6fc22d723a41ddbd3d57a9003001dbcc0eaf693f9e4f59bc48.exe | ping.exe
PID 2300 wrote to memory of 5068 | 2300 | 031c9a8ee79ced6fc22d723a41ddbd3d57a9003001dbcc0eaf693f9e4f59bc48.exe | ping.exe
PID 2300 wrote to memory of 5068 | 2300 | 031c9a8ee79ced6fc22d723a41ddbd3d57a9003001dbcc0eaf693f9e4f59bc48.exe | ping.exe
PID 2300 wrote to memory of 5052 | 2300 | 031c9a8ee79ced6fc22d723a41ddbd3d57a9003001dbcc0eaf693f9e4f59bc48.exe | ping.exe
PID 2300 wrote to memory of 5052 | 2300 | 031c9a8ee79ced6fc22d723a41ddbd3d57a9003001dbcc0eaf693f9e4f59bc48.exe | ping.exe
PID 2300 wrote to memory of 5052 | 2300 | 031c9a8ee79ced6fc22d723a41ddbd3d57a9003001dbcc0eaf693f9e4f59bc48.exe | ping.exe
PID 2300 wrote to memory of 4444 | 2300 | 031c9a8ee79ced6fc22d723a41ddbd3d57a9003001dbcc0eaf693f9e4f59bc48.exe | ping.exe
PID 2300 wrote to memory of 4444 | 2300 | 031c9a8ee79ced6fc22d723a41ddbd3d57a9003001dbcc0eaf693f9e4f59bc48.exe | ping.exe
PID 2300 wrote to memory of 4444 | 2300 | 031c9a8ee79ced6fc22d723a41ddbd3d57a9003001dbcc0eaf693f9e4f59bc48.exe | ping.exe
PID 2300 wrote to memory of 4464 | 2300 | 031c9a8ee79ced6fc22d723a41ddbd3d57a9003001dbcc0eaf693f9e4f59bc48.exe | ping.exe
PID 2300 wrote to memory of 4464 | 2300 | 031c9a8ee79ced6fc22d723a41ddbd3d57a9003001dbcc0eaf693f9e4f59bc48.exe | ping.exe
PID 2300 wrote to memory of 4464 | 2300 | 031c9a8ee79ced6fc22d723a41ddbd3d57a9003001dbcc0eaf693f9e4f59bc48.exe | ping.exe
PID 2300 wrote to memory of 1412 | 2300 | 031c9a8ee79ced6fc22d723a41ddbd3d57a9003001dbcc0eaf693f9e4f59bc48.exe | ping.exe
PID 2300 wrote to memory of 1412 | 2300 | 031c9a8ee79ced6fc22d723a41ddbd3d57a9003001dbcc0eaf693f9e4f59bc48.exe | ping.exe
PID 2300 wrote to memory of 1412 | 2300 | 031c9a8ee79ced6fc22d723a41ddbd3d57a9003001dbcc0eaf693f9e4f59bc48.exe | ping.exe
PID 2300 wrote to memory of 4228 | 2300 | 031c9a8ee79ced6fc22d723a41ddbd3d57a9003001dbcc0eaf693f9e4f59bc48.exe | ping.exe
PID 2300 wrote to memory of 4228 | 2300 | 031c9a8ee79ced6fc22d723a41ddbd3d57a9003001dbcc0eaf693f9e4f59bc48.exe | ping.exe
PID 2300 wrote to memory of 4228 | 2300 | 031c9a8ee79ced6fc22d723a41ddbd3d57a9003001dbcc0eaf693f9e4f59bc48.exe | ping.exe
PID 2300 wrote to memory of 1172 | 2300 | 031c9a8ee79ced6fc22d723a41ddbd3d57a9003001dbcc0eaf693f9e4f59bc48.exe | ping.exe
PID 2300 wrote to memory of 1172 | 2300 | 031c9a8ee79ced6fc22d723a41ddbd3d57a9003001dbcc0eaf693f9e4f59bc48.exe | ping.exe
PID 2300 wrote to memory of 1172 | 2300 | 031c9a8ee79ced6fc22d723a41ddbd3d57a9003001dbcc0eaf693f9e4f59bc48.exe | ping.exe
PID 2300 wrote to memory of 4896 | 2300 | 031c9a8ee79ced6fc22d723a41ddbd3d57a9003001dbcc0eaf693f9e4f59bc48.exe | ping.exe
PID 2300 wrote to memory of 4896 | 2300 | 031c9a8ee79ced6fc22d723a41ddbd3d57a9003001dbcc0eaf693f9e4f59bc48.exe | ping.exe
PID 2300 wrote to memory of 4896 | 2300 | 031c9a8ee79ced6fc22d723a41ddbd3d57a9003001dbcc0eaf693f9e4f59bc48.exe | ping.exe
PID 2300 wrote to memory of 1152 | 2300 | 031c9a8ee79ced6fc22d723a41ddbd3d57a9003001dbcc0eaf693f9e4f59bc48.exe | ping.exe
PID 2300 wrote to memory of 1152 | 2300 | 031c9a8ee79ced6fc22d723a41ddbd3d57a9003001dbcc0eaf693f9e4f59bc48.exe | ping.exe
PID 2300 wrote to memory of 1152 | 2300 | 031c9a8ee79ced6fc22d723a41ddbd3d57a9003001dbcc0eaf693f9e4f59bc48.exe | ping.exe
PID 2300 wrote to memory of 4040 | 2300 | 031c9a8ee79ced6fc22d723a41ddbd3d57a9003001dbcc0eaf693f9e4f59bc48.exe | REG.exe
PID 2300 wrote to memory of 4040 | 2300 | 031c9a8ee79ced6fc22d723a41ddbd3d57a9003001dbcc0eaf693f9e4f59bc48.exe | REG.exe
PID 2300 wrote to memory of 4040 | 2300 | 031c9a8ee79ced6fc22d723a41ddbd3d57a9003001dbcc0eaf693f9e4f59bc48.exe | REG.exe
Processes

C:\Users\Admin\AppData\Local\Temp\031c9a8ee79ced6fc22d723a41ddbd3d57a9003001dbcc0eaf693f9e4f59bc48.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\031c9a8ee79ced6fc22d723a41ddbd3d57a9003001dbcc0eaf693f9e4f59bc48.exe"
    PID: 2300
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
        Command line: "\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
        PID: 4112

    C:\Windows\SysWOW64\ping.exe
        Command line: C:\Windows\System32\ping.exe google.com
        PID: 1804
        - Runs ping.exe

    C:\Windows\SysWOW64\ping.exe
        Command line: C:\Windows\System32\ping.exe google.com
        PID: 5068
        - Runs ping.exe

    C:\Windows\SysWOW64\ping.exe
        Command line: C:\Windows\System32\ping.exe google.com
        PID: 5052
        - Runs ping.exe

    C:\Windows\SysWOW64\ping.exe
        Command line: C:\Windows\System32\ping.exe google.com
        PID: 4444
        - Runs ping.exe

    C:\Windows\SysWOW64\ping.exe
        Command line: C:\Windows\System32\ping.exe google.com
        PID: 4464
        - Runs ping.exe

    C:\Windows\SysWOW64\ping.exe
        Command line: C:\Windows\System32\ping.exe google.com
        PID: 1412
        - Runs ping.exe

    C:\Windows\SysWOW64\ping.exe
        Command line: C:\Windows\System32\ping.exe google.com
        PID: 4228
        - Runs ping.exe

    C:\Windows\SysWOW64\ping.exe
        Command line: C:\Windows\System32\ping.exe google.com
        PID: 1172
        - Runs ping.exe

    C:\Windows\SysWOW64\ping.exe
        Command line: C:\Windows\System32\ping.exe google.com
        PID: 4896
        - Runs ping.exe

    C:\Windows\SysWOW64\ping.exe
        Command line: C:\Windows\System32\ping.exe google.com
        PID: 1152
        - Runs ping.exe

    C:\Windows\SysWOW64\REG.exe
        Command line: REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "KEYDJD" /t REG_SZ /F /D "C:\Users\Admin\AppData\Roaming\NextUS\NextUS8.exe
        PID: 4040
        - Adds Run key to start application