Analysis
-
max time kernel
133s -
max time network
147s -
platform
windows7_x64 -
resource
win7-20220901-en -
resource tags
arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system -
submitted
29/10/2022, 09:28
Static task
static1
Behavioral task
behavioral1
Sample
f11a130df4d1819304707c176b535375f41f00ab6dcce09f167d33704dbc25fa.exe
Resource
win7-20220901-en
Behavioral task
behavioral2
Sample
f11a130df4d1819304707c176b535375f41f00ab6dcce09f167d33704dbc25fa.exe
Resource
win10v2004-20220812-en
General
-
Target
f11a130df4d1819304707c176b535375f41f00ab6dcce09f167d33704dbc25fa.exe
-
Size
484KB
-
MD5
b8be0deb46ee19c5e612b1c5e22371b7
-
SHA1
b62936f3db478e2296d090cb00615064489d2451
-
SHA256
f11a130df4d1819304707c176b535375f41f00ab6dcce09f167d33704dbc25fa
-
SHA512
e18660b57624a4e837f200ba47d199641862cd3c93be07f28984f728f112ddcc2a8a37906ae36a17eb92ea408a8e2f4619c3c3f4a18e91cc33835bea364083f8
-
SSDEEP
12288:3chWZgCikuFGy7eonCHoQHodirBrIi8Go0:7ZgCW7eNHLrx8x0
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
pid Process 1672 qdpskxvxmgbtwy.exe -
Loads dropped DLL 2 IoCs
pid Process 1380 f11a130df4d1819304707c176b535375f41f00ab6dcce09f167d33704dbc25fa.exe 1380 f11a130df4d1819304707c176b535375f41f00ab6dcce09f167d33704dbc25fa.exe -
description ioc Process Key created \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main qdpskxvxmgbtwy.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 1672 qdpskxvxmgbtwy.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
pid Process 1672 qdpskxvxmgbtwy.exe 1672 qdpskxvxmgbtwy.exe -
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target PID 1380 wrote to memory of 1672 1380 f11a130df4d1819304707c176b535375f41f00ab6dcce09f167d33704dbc25fa.exe 27 PID 1380 wrote to memory of 1672 1380 f11a130df4d1819304707c176b535375f41f00ab6dcce09f167d33704dbc25fa.exe 27 PID 1380 wrote to memory of 1672 1380 f11a130df4d1819304707c176b535375f41f00ab6dcce09f167d33704dbc25fa.exe 27 PID 1380 wrote to memory of 1672 1380 f11a130df4d1819304707c176b535375f41f00ab6dcce09f167d33704dbc25fa.exe 27
Processes
-
C:\Users\Admin\AppData\Local\Temp\f11a130df4d1819304707c176b535375f41f00ab6dcce09f167d33704dbc25fa.exe"C:\Users\Admin\AppData\Local\Temp\f11a130df4d1819304707c176b535375f41f00ab6dcce09f167d33704dbc25fa.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1380 -
C:\Users\Admin\AppData\Local\Temp\qdpskxvxmgbtwy.exe"C:\Users\Admin\AppData\Local\Temp\\qdpskxvxmgbtwy.exe"2⤵
- Executes dropped EXE
- Modifies Internet Explorer settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1672
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
484KB
MD5b8be0deb46ee19c5e612b1c5e22371b7
SHA1b62936f3db478e2296d090cb00615064489d2451
SHA256f11a130df4d1819304707c176b535375f41f00ab6dcce09f167d33704dbc25fa
SHA512e18660b57624a4e837f200ba47d199641862cd3c93be07f28984f728f112ddcc2a8a37906ae36a17eb92ea408a8e2f4619c3c3f4a18e91cc33835bea364083f8
-
Filesize
32KB
MD5f12250682afd4e9b63be5bffbaef991c
SHA1e4c718119fdd5421300520ea45f5da914ef1b1bd
SHA256a49f96474edd004e75d4e92e9a4c165832487cbb11b58ea4664d7b7ca709ee44
SHA5123c13b2173ec5f2f7b99ac0e1d341285824f18cb8393d36510470ce17e6cdb88ba91e1223a1cd952f5e07cecc4d06a0bd881a863d5733fa93610670744e53c96d
-
Filesize
32KB
MD5f12250682afd4e9b63be5bffbaef991c
SHA1e4c718119fdd5421300520ea45f5da914ef1b1bd
SHA256a49f96474edd004e75d4e92e9a4c165832487cbb11b58ea4664d7b7ca709ee44
SHA5123c13b2173ec5f2f7b99ac0e1d341285824f18cb8393d36510470ce17e6cdb88ba91e1223a1cd952f5e07cecc4d06a0bd881a863d5733fa93610670744e53c96d
-
Filesize
32KB
MD5f12250682afd4e9b63be5bffbaef991c
SHA1e4c718119fdd5421300520ea45f5da914ef1b1bd
SHA256a49f96474edd004e75d4e92e9a4c165832487cbb11b58ea4664d7b7ca709ee44
SHA5123c13b2173ec5f2f7b99ac0e1d341285824f18cb8393d36510470ce17e6cdb88ba91e1223a1cd952f5e07cecc4d06a0bd881a863d5733fa93610670744e53c96d
-
Filesize
32KB
MD5f12250682afd4e9b63be5bffbaef991c
SHA1e4c718119fdd5421300520ea45f5da914ef1b1bd
SHA256a49f96474edd004e75d4e92e9a4c165832487cbb11b58ea4664d7b7ca709ee44
SHA5123c13b2173ec5f2f7b99ac0e1d341285824f18cb8393d36510470ce17e6cdb88ba91e1223a1cd952f5e07cecc4d06a0bd881a863d5733fa93610670744e53c96d