Analysis
- max time kernel: 152s
- max time network: 157s
- platform: windows7_x64
- resource: win7-20220901-en
- resource tags: arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system
- submitted: 23-11-2022 16:43
Static task: static1
Behavioral task: behavioral1
- Sample: 8008b8c86e1a66e75b28178ad388c30cefbaefdc5417ccbc789c2ce99c51b109.exe
- Resource: win7-20220901-en
Behavioral task: behavioral2
- Sample: 8008b8c86e1a66e75b28178ad388c30cefbaefdc5417ccbc789c2ce99c51b109.exe
- Resource: win10v2004-20221111-en
General
- Target: 8008b8c86e1a66e75b28178ad388c30cefbaefdc5417ccbc789c2ce99c51b109.exe
- Size: 101KB
- MD5: 1399fb5d8462b5f926d6e6cb8a8c8c45
- SHA1: 19085454c69126ce3331511dc151e82197a080e1
- SHA256: 8008b8c86e1a66e75b28178ad388c30cefbaefdc5417ccbc789c2ce99c51b109
- SHA512: 0b05dfd9757301117a60f8a1274b096403855c0972dc76875cf4fd85ca9fa8e71f13e94881316957ab9e012ff2c4964f85d67984315bcfea6ed513ec24d19234
- SSDEEP: 1536:+uID0qMcxEUHPP5YpW7lqIM8gfD0DZk3h3ls3p2aeNz77LvuxxQr:fIDb+U5cW7lqplfD0DZ0Nvz77bqer
Malware Config
Signatures
- Deletes itself (1 IoC)
  Processes: cmd.exe (PID 1100)
- Suspicious use of SetThreadContext (1 IoC)
  Processes: PID 1464 (8008b8c86e1a66e75b28178ad388c30cefbaefdc5417ccbc789c2ce99c51b109.exe) set thread context of PID 620 (8008b8c86e1a66e75b28178ad388c30cefbaefdc5417ccbc789c2ce99c51b109.exe)
- Suspicious behavior: EnumeratesProcesses (6 IoCs)
  Processes: 8008b8c86e1a66e75b28178ad388c30cefbaefdc5417ccbc789c2ce99c51b109.exe (PID 620), 6 occurrences
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  Processes: PID 1392
- Suspicious behavior: MapViewOfSection (1 IoC)
  Processes: 8008b8c86e1a66e75b28178ad388c30cefbaefdc5417ccbc789c2ce99c51b109.exe (PID 620)
- Suspicious use of FindShellTrayWindow (2 IoCs)
  Processes: PID 1392, 2 occurrences
- Suspicious use of SendNotifyMessage (2 IoCs)
  Processes: PID 1392, 2 occurrences
- Suspicious use of UnmapMainImage (1 IoC)
  Processes: PID 1392
- Suspicious use of WriteProcessMemory (13 IoCs)
  Processes:
  - PID 1464 (8008b8c86e1a66e75b28178ad388c30cefbaefdc5417ccbc789c2ce99c51b109.exe) wrote to memory of PID 620 (8008b8c86e1a66e75b28178ad388c30cefbaefdc5417ccbc789c2ce99c51b109.exe), 9 occurrences
  - PID 620 (8008b8c86e1a66e75b28178ad388c30cefbaefdc5417ccbc789c2ce99c51b109.exe) wrote to memory of PID 1100 (cmd.exe), 4 occurrences
Processes
- C:\Users\Admin\AppData\Local\Temp\8008b8c86e1a66e75b28178ad388c30cefbaefdc5417ccbc789c2ce99c51b109.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\8008b8c86e1a66e75b28178ad388c30cefbaefdc5417ccbc789c2ce99c51b109.exe"
  PID: 1464
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\8008b8c86e1a66e75b28178ad388c30cefbaefdc5417ccbc789c2ce99c51b109.exe (child of PID 1464)
    Command line: "C:\Users\Admin\AppData\Local\Temp\8008b8c86e1a66e75b28178ad388c30cefbaefdc5417ccbc789c2ce99c51b109.exe"
    PID: 620
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\cmd.exe (child of PID 620)
      Command line: "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp395fe386.bat"
      PID: 1100
      - Deletes itself
Network
MITRE ATT&CK Matrix
Downloads
- Filesize: 307B
  MD5: 390262a7371a5e1f46e7f39a9a958267
  SHA1: d06c0beac1f7646448082a19e9eb150ed1f614a6
  SHA256: 640e9e8a3346f26aa6b5594459803dc12a0c45bd64cbed7da98fc9a1b21a8f9c
  SHA512: dd2fede13ef0a94d2ae6aa3867b439a51a0ca33d4d27f06dfb7249edc386399d3d3791a411a82ed60884ab1e63288f3521d81d6210c00063174d23d836a6934c