Analysis
max time kernel: 188s
max time network: 193s
platform: windows10-2004_x64
resource: win10v2004-20221111-en
resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
submitted: 23-11-2022 13:51
Static task: static1
Behavioral task: behavioral1
  Sample: 7fbc352820a8bdbe1dfed140a005e236fe2112719e691f4c4e9c64be69072e92.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: 7fbc352820a8bdbe1dfed140a005e236fe2112719e691f4c4e9c64be69072e92.exe
  Resource: win10v2004-20221111-en
General
Target: 7fbc352820a8bdbe1dfed140a005e236fe2112719e691f4c4e9c64be69072e92.exe
Size: 136KB
MD5: 6c6bca42743b20a8940b901506a25283
SHA1: b7fded0712090f33b48d51695c307dd3a3e2640a
SHA256: 7fbc352820a8bdbe1dfed140a005e236fe2112719e691f4c4e9c64be69072e92
SHA512: 9fa7431d94664445d9042f4355dff9495b71646dee9d464799674a2030c909a5fd574f1eb3097d46eff2737f186eed10fb71b559159b80016f17d27586ede930
SSDEEP: 1536:/tvSTxHYiCauuT3aKFpz5uvfxNu/MQE+Q5OO2sSABw7qrOI+8Sl8l6CZT:JSTlYpauueNvv5O9zd7qrOI+8wM
Malware Config
Signatures
Executes dropped EXE (1 IoC)
  Processes: PID 4808 servicesc.exe
Loads dropped DLL (1 IoC)
  Processes: PID 1220 7fbc352820a8bdbe1dfed140a005e236fe2112719e691f4c4e9c64be69072e92.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes: PID 4808 servicesc.exe (64 occurrences)
Suspicious use of SetWindowsHookEx (4 IoCs)
  Processes: PID 1220 7fbc352820a8bdbe1dfed140a005e236fe2112719e691f4c4e9c64be69072e92.exe (3 occurrences); PID 4808 servicesc.exe (1 occurrence)
Suspicious use of WriteProcessMemory (3 IoCs)
  Processes: PID 1220 7fbc352820a8bdbe1dfed140a005e236fe2112719e691f4c4e9c64be69072e92.exe wrote to memory of PID 4808 servicesc.exe (3 occurrences)
Processes
C:\Users\Admin\AppData\Local\Temp\7fbc352820a8bdbe1dfed140a005e236fe2112719e691f4c4e9c64be69072e92.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\7fbc352820a8bdbe1dfed140a005e236fe2112719e691f4c4e9c64be69072e92.exe"
  PID: 1220
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  Child process: C:\Users\Admin\AppData\Local\Temp\servicesc.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\servicesc.exe 7fbc352820a8bdbe1dfed140a005e236fe2112719e691f4c4e9c64be69072e92.exe
    PID: 4808
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix
Downloads
C:\Users\Admin\AppData\Local\Temp\csh.dll
  Filesize: 68KB
  MD5: 8b8e53a924e28feb6a014b17910f5800
  SHA1: 3da6912715efb0268e4e886949c8ad55e41acdcb
  SHA256: 19fde3fb9e6b0282555ff6f4f99da8ad1294e10b115d4c925c22147a8ea17b00
  SHA512: 36f94c032765af4f764ca6ada3b56a61f8466166d38505461efb5f17bb3f6bd4adfde9a990db64c53d488fe75df26a0e1d528fa9eee2010f05e20d97ece00f7d
C:\Users\Admin\AppData\Local\Temp\servicesc.exe
  Filesize: 32KB
  MD5: 564b45c7bf27eabd55cdfbde14f81e09
  SHA1: e69b69b1b69f7d6333af8500792bc378b15ace5a
  SHA256: 5fe1e869c881aad786f1ca044faa2b57a6f0505b0b2892daf8d1837eeae99ac2
  SHA512: 043037525904987eb6ddd06d0adce933eea3aaeda9797ca8636af419dbe820c122960d47f14076c7b7f1ff61f29774c90f454e14025090643cc6b41271c579ed
memory/4808-135-0x0000000000000000-mapping.dmp