Analysis

- max time kernel: 151s
- max time network: 49s
- platform: windows7_x64
- resource: win7-20220901-en
- resource tags: arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system
- submitted: 07/11/2022, 01:40
Static task: static1

Behavioral task: behavioral1
- Sample: d12899e68fd739a9c944c034a98b90e99c7dc89143093e8600a8c6d4778ce798.exe
- Resource: win7-20220901-en

Behavioral task: behavioral2
- Sample: d12899e68fd739a9c944c034a98b90e99c7dc89143093e8600a8c6d4778ce798.exe
- Resource: win10v2004-20220812-en
General

- Target: d12899e68fd739a9c944c034a98b90e99c7dc89143093e8600a8c6d4778ce798.exe
- Size: 216KB
- MD5: 0f2e4b155f2857a80dc325b7a7b79f61
- SHA1: d566035c49966bf4344bd1cd54eb6a52f5b83aed
- SHA256: d12899e68fd739a9c944c034a98b90e99c7dc89143093e8600a8c6d4778ce798
- SHA512: 07e50d190dc2a8e429ee7ec34260502322882ac0565a453662b724a394cfd71234cba59aaac5874d66e724af02ce5b66535413f8b372e617c97a2614c06f6657
- SSDEEP: 6144:YItxogSWgawEHyuKRo560rNqQWe8m1LQd7LG6XOKsW:YItxlPhQNRo53r0S1LOXOKT
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  - pid: 1048, Process: jthhjaw.exe

- Deletes itself (1 IoC)
  - pid: 2028, Process: explorer.exe

- Suspicious use of SetThreadContext (1 IoC)
  - description: PID 2012 set thread context of 2028; pid: 2012, Process: d12899e68fd739a9c944c034a98b90e99c7dc89143093e8600a8c6d4778ce798.exe, procid_target: 28

- Drops file in Windows directory (2 IoCs)
  - description: File created, ioc: C:\Windows\jthhjaw.exe, Process: d12899e68fd739a9c944c034a98b90e99c7dc89143093e8600a8c6d4778ce798.exe
  - description: File opened for modification, ioc: C:\Windows\jthhjaw.exe, Process: d12899e68fd739a9c944c034a98b90e99c7dc89143093e8600a8c6d4778ce798.exe

- Suspicious behavior: EnumeratesProcesses (40 IoCs; identical entries grouped with their count)
  - pid: 2012, Process: d12899e68fd739a9c944c034a98b90e99c7dc89143093e8600a8c6d4778ce798.exe (12 events)
  - pid: 1048, Process: jthhjaw.exe (28 events)

- Suspicious use of AdjustPrivilegeToken (1 IoC)
  - description: Token: SeIncBasePriorityPrivilege; pid: 2012, Process: d12899e68fd739a9c944c034a98b90e99c7dc89143093e8600a8c6d4778ce798.exe

- Suspicious use of WriteProcessMemory (18 IoCs; identical entries grouped with their count)
  - description: PID 2012 wrote to memory of 1048; pid: 2012, Process: d12899e68fd739a9c944c034a98b90e99c7dc89143093e8600a8c6d4778ce798.exe, procid_target: 27 (4 events)
  - description: PID 2012 wrote to memory of 2028; pid: 2012, Process: d12899e68fd739a9c944c034a98b90e99c7dc89143093e8600a8c6d4778ce798.exe, procid_target: 28 (5 events)
  - description: PID 1048 wrote to memory of 1348; pid: 1048, Process: jthhjaw.exe, procid_target: 16 (9 events)
Processes (nested by process tree depth)

- [1] C:\Windows\Explorer.EXE
  - Command line: C:\Windows\Explorer.EXE
  - PID: 1348
  - [2] C:\Users\Admin\AppData\Local\Temp\d12899e68fd739a9c944c034a98b90e99c7dc89143093e8600a8c6d4778ce798.exe
    - Command line: "C:\Users\Admin\AppData\Local\Temp\d12899e68fd739a9c944c034a98b90e99c7dc89143093e8600a8c6d4778ce798.exe"
    - Suspicious use of SetThreadContext
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - PID: 2012
    - [3] C:\Windows\jthhjaw.exe
      - Command line: C:\Windows\jthhjaw.exe a
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
      - PID: 1048
    - [3] C:\Windows\SysWOW64\explorer.exe
      - Command line: explorer.exe
      - Deletes itself
      - PID: 2028
Network
MITRE ATT&CK Matrix
Downloads

- Filesize: 216KB
  - MD5: d879c724ab936a285db88909723a5102
  - SHA1: 1996b3fc8e5f8bad1ff3584e868404f13014b6da
  - SHA256: bd61ec182bd7fb9f4a6bac1e9688c7625d12b36ff3cad74cde6acbdc8b419ecb
  - SHA512: 4a0fd08adf20141349b65d1fee449a82ebb050759fa8a0fe73af975e360016fff409267aad9b525e8e479c5aa08f7ff3afb7afb54dbff81420d1d3ec89f98f82