Analysis
-
max time kernel
153s -
max time network
163s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
-
submitted
23-11-2022 09:44
General
-
Target
d348da2e46c8cc8b6306538a30c592ae3fd42bbf45193ce2fd9ab5c6f332fc4a.exe
-
Size
306KB
-
MD5
f3ebfa7620168235291806a159b573ff
-
SHA1
3dcd61c8efe9a1e4b9eba69da5e288c3103cfb51
-
SHA256
d348da2e46c8cc8b6306538a30c592ae3fd42bbf45193ce2fd9ab5c6f332fc4a
-
SHA512
8f191287944d1afd1148a9039068601a5111b4182ef1379b83139c7617a19a3943b7c924d0a5db63d5caab72c2e0cda8f396c7f686dc83ddd86c128bb2e7dcef
-
SSDEEP
6144:esAAud4378+l4A4qxy/3wyhu1r4/G3MbCr5X79e/cPszxSg:esAIr7SA48UnFOcS5Xac
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 58 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Windows\system32\sihost.exesihost.exe1⤵
-
C:\Windows\system32\taskhostw.exetaskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Users\Admin\AppData\Local\Temp\d348da2e46c8cc8b6306538a30c592ae3fd42bbf45193ce2fd9ab5c6f332fc4a.exe"C:\Users\Admin\AppData\Local\Temp\d348da2e46c8cc8b6306538a30c592ae3fd42bbf45193ce2fd9ab5c6f332fc4a.exe"2⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\Udoqn\nuygyf.exe"C:\Users\Admin\AppData\Roaming\Udoqn\nuygyf.exe"3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\PNWA8F4.bat"3⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc1⤵
-
C:\Windows\system32\backgroundTaskHost.exe"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppX53ypgrj20bgndg05hj3tc7z654myszwp.mca1⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\PNWA8F4.batFilesize
303B
MD55159013a8c6a41bdad5f4592d8cbe91d
SHA16ea5d5c7ed26e64029f2d8f5557bc44d95038189
SHA25612d2ade27cdfd1d86643e374bd95fc4dfe29c86d6e0ad1cc7f496165a1fccda7
SHA512ca0b238d753cacc5cc2884cbf2d1257629bfd2b8aff2c053f8c2011e0dead7be6afdfc2d2a4c6c173fd1bdf61eb69ee13cf021730f28a57fce7716cf5380273b
-
C:\Users\Admin\AppData\Roaming\Udoqn\nuygyf.exeFilesize
306KB
MD56dc8aeac4f607ad86e586c8789cc0e6e
SHA12fe19588d5c07b44bf9eec5990e68179481e078d
SHA2565a0ee1257e5653b65d6f750be16f875eaeeee5264b5680d4975e077612119a8f
SHA51243f9336bd70b7d4ed783a8b161b3bbd19a49deb77491739faa006d03ae2b8c753c11a2ddd221a3ff97736e09df2a1c4f3a5fd375b3e6c214e77bfc557732c30c
-
C:\Users\Admin\AppData\Roaming\Udoqn\nuygyf.exeFilesize
306KB
MD56dc8aeac4f607ad86e586c8789cc0e6e
SHA12fe19588d5c07b44bf9eec5990e68179481e078d
SHA2565a0ee1257e5653b65d6f750be16f875eaeeee5264b5680d4975e077612119a8f
SHA51243f9336bd70b7d4ed783a8b161b3bbd19a49deb77491739faa006d03ae2b8c753c11a2ddd221a3ff97736e09df2a1c4f3a5fd375b3e6c214e77bfc557732c30c
-
memory/2632-151-0x000000006FFF0000-0x0000000070000000-memory.dmpFilesize
64KB
-
memory/2632-146-0x0000000000D20000-0x0000000000D69000-memory.dmpFilesize
292KB
-
memory/2632-156-0x0000000000D20000-0x0000000000D69000-memory.dmpFilesize
292KB
-
memory/2632-153-0x000000006FFF0000-0x0000000070000000-memory.dmpFilesize
64KB
-
memory/2632-154-0x000000006FFF0000-0x0000000070000000-memory.dmpFilesize
64KB
-
memory/2632-152-0x000000006FFF0000-0x0000000070000000-memory.dmpFilesize
64KB
-
memory/2632-150-0x000000006FFF0000-0x0000000070000000-memory.dmpFilesize
64KB
-
memory/2632-149-0x000000006FFF0000-0x0000000070000000-memory.dmpFilesize
64KB
-
memory/2632-148-0x000000006FFF0000-0x0000000070000000-memory.dmpFilesize
64KB
-
memory/2632-145-0x0000000000000000-mapping.dmp
-
memory/4744-142-0x000000006FFF0000-0x0000000070000000-memory.dmpFilesize
64KB
-
memory/4744-147-0x0000000002670000-0x00000000026B9000-memory.dmpFilesize
292KB
-
memory/4744-144-0x000000006FFF0000-0x0000000070000000-memory.dmpFilesize
64KB
-
memory/4744-143-0x000000006FFF0000-0x0000000070000000-memory.dmpFilesize
64KB
-
memory/4744-133-0x0000000000401000-0x0000000000442000-memory.dmpFilesize
260KB
-
memory/4744-141-0x000000006FFF0000-0x0000000070000000-memory.dmpFilesize
64KB
-
memory/4744-140-0x000000006FFF0000-0x0000000070000000-memory.dmpFilesize
64KB
-
memory/4744-139-0x000000006FFF0000-0x0000000070000000-memory.dmpFilesize
64KB
-
memory/4744-132-0x0000000000400000-0x0000000000453000-memory.dmpFilesize
332KB
-
memory/4752-134-0x0000000000000000-mapping.dmp
-
memory/4752-137-0x0000000000400000-0x0000000000453000-memory.dmpFilesize
332KB