Analysis

  • max time kernel
    14s
  • max time network
    47s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    23-11-2022 13:43

General

  • Target

    8c230b2a8590d0b8098b01cf727f392593f7e4aaa7e7088bb8ffacd3a72616ca.exe

  • Size

    125KB

  • MD5

    a09512032782e9629eac39b71f666c70

  • SHA1

    b459dee03d4e70b7aa3bb85a22834162b10a5fd6

  • SHA256

    8c230b2a8590d0b8098b01cf727f392593f7e4aaa7e7088bb8ffacd3a72616ca

  • SHA512

    c63fc3f753d1afb7a243a594d42f0dbfb1f26e1bb8d11c11c474e05f73e95dcd1a2eb00bd5e89a91a623ee537b67c71ce68870257af2f52f36d99db96298e79b

  • SSDEEP

    1536:2ZeNavxhkC0FNGrX8CSFEijmeybdJCM8cHR/d6IVtNY9QEmZzplWQRkY/xLB/:2ZeNa5ITmeyrCMdH2AY7SlWQRP/xLB/

Score
10/10

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Drops desktop.ini file(s) 1 IoCs
  • Modifies WinLogon 2 TTPs 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1420
      • C:\Users\Admin\AppData\Local\Temp\8c230b2a8590d0b8098b01cf727f392593f7e4aaa7e7088bb8ffacd3a72616ca.exe
        "C:\Users\Admin\AppData\Local\Temp\8c230b2a8590d0b8098b01cf727f392593f7e4aaa7e7088bb8ffacd3a72616ca.exe"
        2⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:1448
        • C:\Users\Admin\AppData\Local\Temp\8c230b2a8590d0b8098b01cf727f392593f7e4aaa7e7088bb8ffacd3a72616ca.exe
          "C:\Users\Admin\AppData\Local\Temp\8c230b2a8590d0b8098b01cf727f392593f7e4aaa7e7088bb8ffacd3a72616ca.exe"
          3⤵
          • Modifies WinLogon for persistence
          • Adds Run key to start application
          • Drops desktop.ini file(s)
          • Modifies WinLogon
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:316

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/316-54-0x0000000000400000-0x0000000000405000-memory.dmp

      Filesize

      20KB

    • memory/316-55-0x0000000000400000-0x0000000000405000-memory.dmp

      Filesize

      20KB

    • memory/316-57-0x0000000000400000-0x0000000000405000-memory.dmp

      Filesize

      20KB

    • memory/316-58-0x0000000000400000-0x0000000000405000-memory.dmp

      Filesize

      20KB

    • memory/316-59-0x0000000000400000-0x0000000000405000-memory.dmp

      Filesize

      20KB

    • memory/316-60-0x0000000000401920-mapping.dmp

    • memory/316-63-0x0000000000400000-0x0000000000405000-memory.dmp

      Filesize

      20KB

    • memory/1448-61-0x0000000000220000-0x0000000000223000-memory.dmp

      Filesize

      12KB