Analysis
  max time kernel: 152s
  max time network: 156s
  platform: windows10-2004_x64
  resource: win10v2004-20220901-en
  resource tags: arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
  submitted: 23-11-2022 23:58
Static task: static1
Behavioral task: behavioral1
  Sample: 322c23e356c9d46bd42d140635f81add046d51f0dd11649995c2d7b707cb3b99.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: 322c23e356c9d46bd42d140635f81add046d51f0dd11649995c2d7b707cb3b99.exe
  Resource: win10v2004-20220901-en
General
  Target: 322c23e356c9d46bd42d140635f81add046d51f0dd11649995c2d7b707cb3b99.exe
  Size: 367KB
  MD5: ded146214a283a5c58301f36553b751d
  SHA1: e3794ad89f46ec2349f6d16604487f58e435b020
  SHA256: 322c23e356c9d46bd42d140635f81add046d51f0dd11649995c2d7b707cb3b99
  SHA512: 0eb82c4dc8b3e97f2c62c102de91405878cbc21c1b1f7799d7e023a7e00f45da0cc70eb69a863ece035695a00dd577f5bc907a546cc13dfd9f4cab298263b103
  SSDEEP: 6144:7VZwpRCPa7z+6TapPFaAa23dBCRzTVY+0GLz4MAyYf9GKa9lJjdR3GxXNY:hZu4akpPa2NBE0GLz4MAyYf9GKazJr3a
Malware Config
Signatures

  Executes dropped EXE (1 IoC)
    pid  | Process
    3532 | MCkBErWgTJRddRU.exe

  Drops file in System32 directory (2 IoCs)
    description                  | ioc                                                                  | Process
    File created                 | C:\Windows\system32\config\systemprofile\AppData\Local\2ete64.vas   | Process not Found
    File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\2ete64.vas   | Process not Found

  Drops file in Windows directory (1 IoC)
    description  | ioc                              | Process
    File created | C:\Windows\MCkBErWgTJRddRU.exe   | 322c23e356c9d46bd42d140635f81add046d51f0dd11649995c2d7b707cb3b99.exe

  Modifies data under HKEY_USERS (8 IoCs)
    description     | ioc                                                                                                             | Process
    Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix    | Process not Found
    Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"  | Process not Found
    Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" | Process not Found
    Key created     | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\                         | Process not Found
    Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"        | Process not Found
    Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"       | Process not Found
    Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"      | Process not Found
    Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"         | Process not Found

  Suspicious behavior: EnumeratesProcesses (64 IoCs)
    pid  | Process                                                                | entries
    4964 | 322c23e356c9d46bd42d140635f81add046d51f0dd11649995c2d7b707cb3b99.exe   | 2
    3532 | MCkBErWgTJRddRU.exe                                                    | 5
    768  | Process not Found                                                      | 57 (all remaining entries of the 64 reported)

  Suspicious behavior: MapViewOfSection (1 IoC)
    pid  | Process
    3532 | MCkBErWgTJRddRU.exe

  Suspicious use of AdjustPrivilegeToken (3 IoCs)
    description             | pid  | Process
    Token: SeDebugPrivilege | 4964 | 322c23e356c9d46bd42d140635f81add046d51f0dd11649995c2d7b707cb3b99.exe
    Token: SeDebugPrivilege | 3532 | MCkBErWgTJRddRU.exe
    Token: SeDebugPrivilege | 768  | Process not Found

  Suspicious use of WriteProcessMemory (5 IoCs)
    description                       | pid  | Process                                                                | procid_target
    PID 4964 wrote to memory of 3532  | 4964 | 322c23e356c9d46bd42d140635f81add046d51f0dd11649995c2d7b707cb3b99.exe   | 82
    PID 4964 wrote to memory of 3532  | 4964 | 322c23e356c9d46bd42d140635f81add046d51f0dd11649995c2d7b707cb3b99.exe   | 82
    PID 4964 wrote to memory of 3532  | 4964 | 322c23e356c9d46bd42d140635f81add046d51f0dd11649995c2d7b707cb3b99.exe   | 82
    PID 768 wrote to memory of 4220   | 768  | Process not Found                                                      | 88
    PID 768 wrote to memory of 4220   | 768  | Process not Found                                                      | 88
Processes

  [depth 1] C:\Users\Admin\AppData\Local\Temp\322c23e356c9d46bd42d140635f81add046d51f0dd11649995c2d7b707cb3b99.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\322c23e356c9d46bd42d140635f81add046d51f0dd11649995c2d7b707cb3b99.exe"
    PID: 4964
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    [depth 2] C:\Windows\MCkBErWgTJRddRU.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\322c23e356c9d46bd42d140635f81add046d51f0dd11649995c2d7b707cb3b99.exe
      PID: 3532
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken

  [depth 1] C:\Windows\System32\mousocoreworker.exe
    Command line: C:\Windows\System32\mousocoreworker.exe -Embedding
    PID: 4220
Network
MITRE ATT&CK Matrix
Downloads
  Filesize: 367KB
  MD5: ded146214a283a5c58301f36553b751d
  SHA1: e3794ad89f46ec2349f6d16604487f58e435b020
  SHA256: 322c23e356c9d46bd42d140635f81add046d51f0dd11649995c2d7b707cb3b99
  SHA512: 0eb82c4dc8b3e97f2c62c102de91405878cbc21c1b1f7799d7e023a7e00f45da0cc70eb69a863ece035695a00dd577f5bc907a546cc13dfd9f4cab298263b103