Analysis
- max time kernel: 91s
- max time network: 155s
- platform: windows10-2004_x64
- resource: win10v2004-20220901-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 23-11-2022 15:57
Static task: static1
Behavioral task: behavioral1
- Sample: c79cadafae0170671029f96a7dde6afb098c4fd1e2757b5ea4ffb1212b27ba76.exe
- Resource: win7-20220812-en
Behavioral task: behavioral2
- Sample: c79cadafae0170671029f96a7dde6afb098c4fd1e2757b5ea4ffb1212b27ba76.exe
- Resource: win10v2004-20220901-en
General
- Target: c79cadafae0170671029f96a7dde6afb098c4fd1e2757b5ea4ffb1212b27ba76.exe
- Size: 550KB
- MD5: 23b88801e2cfc16f67b62ea13d936411
- SHA1: 68bed86fdbb651a58608d08b72ac8f99776ab1aa
- SHA256: c79cadafae0170671029f96a7dde6afb098c4fd1e2757b5ea4ffb1212b27ba76
- SHA512: 272add9f20b6c8156f166d0e4600d6ba1a9712b3dade0192569b6a71a8e15fd1d0305dacb011dd8d74dfc49f1b129ad54ae6b0105877090ace188334b3475a56
- SSDEEP: 12288:znGK8Ftodx+4m0I7ecniVFPW38QxTIgiIHWx8tluJPB:zGK8s+4hI7esi7PW3Sg5WxSluJP
Malware Config
Extracted
- Protocol: smtp
- Host: smtp.mail.ru
- Port: 587
- Username: [email protected]
- Password: Ujuboyos101
Signatures
- Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes:
    flow | ioc
    19 | bot.whatismyipaddress.com
- Suspicious use of SetThreadContext (1 IoC)
  Processes: c79cadafae0170671029f96a7dde6afb098c4fd1e2757b5ea4ffb1212b27ba76.exe
    description | pid | process | target process
    PID 4864 set thread context of 1672 | 4864 | c79cadafae0170671029f96a7dde6afb098c4fd1e2757b5ea4ffb1212b27ba76.exe | c79cadafae0170671029f96a7dde6afb098c4fd1e2757b5ea4ffb1212b27ba76.exe
- Drops file in Windows directory (1 IoC)
  Processes: dw20.exe
    description | ioc | process
    File created | C:\Windows\AppCompat\Programs\Amcache.hve.tmp | dw20.exe
- Checks processor information in registry (2 TTPs, 3 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes: dw20.exe
    description | ioc | process
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | dw20.exe
    Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | dw20.exe
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | dw20.exe
- Enumerates system info in registry (2 TTPs, 2 IoCs)
  Processes: dw20.exe
    description | ioc | process
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | dw20.exe
    Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | dw20.exe
- Suspicious use of AdjustPrivilegeToken (7 IoCs)
  Processes: c79cadafae0170671029f96a7dde6afb098c4fd1e2757b5ea4ffb1212b27ba76.exe, c79cadafae0170671029f96a7dde6afb098c4fd1e2757b5ea4ffb1212b27ba76.exe, dw20.exe
    description | pid | process
    Token: SeDebugPrivilege | 4864 | c79cadafae0170671029f96a7dde6afb098c4fd1e2757b5ea4ffb1212b27ba76.exe
    Token: SeDebugPrivilege | 1672 | c79cadafae0170671029f96a7dde6afb098c4fd1e2757b5ea4ffb1212b27ba76.exe
    Token: SeRestorePrivilege | 2652 | dw20.exe
    Token: SeBackupPrivilege | 2652 | dw20.exe
    Token: SeBackupPrivilege | 2652 | dw20.exe
    Token: SeBackupPrivilege | 2652 | dw20.exe
    Token: SeBackupPrivilege | 2652 | dw20.exe
- Suspicious use of SetWindowsHookEx (1 IoC)
  Processes: c79cadafae0170671029f96a7dde6afb098c4fd1e2757b5ea4ffb1212b27ba76.exe
    pid | process
    1672 | c79cadafae0170671029f96a7dde6afb098c4fd1e2757b5ea4ffb1212b27ba76.exe
- Suspicious use of WriteProcessMemory (11 IoCs)
  Processes: c79cadafae0170671029f96a7dde6afb098c4fd1e2757b5ea4ffb1212b27ba76.exe, c79cadafae0170671029f96a7dde6afb098c4fd1e2757b5ea4ffb1212b27ba76.exe
    description | pid | process | target process
    PID 4864 wrote to memory of 1672 | 4864 | c79cadafae0170671029f96a7dde6afb098c4fd1e2757b5ea4ffb1212b27ba76.exe | c79cadafae0170671029f96a7dde6afb098c4fd1e2757b5ea4ffb1212b27ba76.exe
    PID 4864 wrote to memory of 1672 | 4864 | c79cadafae0170671029f96a7dde6afb098c4fd1e2757b5ea4ffb1212b27ba76.exe | c79cadafae0170671029f96a7dde6afb098c4fd1e2757b5ea4ffb1212b27ba76.exe
    PID 4864 wrote to memory of 1672 | 4864 | c79cadafae0170671029f96a7dde6afb098c4fd1e2757b5ea4ffb1212b27ba76.exe | c79cadafae0170671029f96a7dde6afb098c4fd1e2757b5ea4ffb1212b27ba76.exe
    PID 4864 wrote to memory of 1672 | 4864 | c79cadafae0170671029f96a7dde6afb098c4fd1e2757b5ea4ffb1212b27ba76.exe | c79cadafae0170671029f96a7dde6afb098c4fd1e2757b5ea4ffb1212b27ba76.exe
    PID 4864 wrote to memory of 1672 | 4864 | c79cadafae0170671029f96a7dde6afb098c4fd1e2757b5ea4ffb1212b27ba76.exe | c79cadafae0170671029f96a7dde6afb098c4fd1e2757b5ea4ffb1212b27ba76.exe
    PID 4864 wrote to memory of 1672 | 4864 | c79cadafae0170671029f96a7dde6afb098c4fd1e2757b5ea4ffb1212b27ba76.exe | c79cadafae0170671029f96a7dde6afb098c4fd1e2757b5ea4ffb1212b27ba76.exe
    PID 4864 wrote to memory of 1672 | 4864 | c79cadafae0170671029f96a7dde6afb098c4fd1e2757b5ea4ffb1212b27ba76.exe | c79cadafae0170671029f96a7dde6afb098c4fd1e2757b5ea4ffb1212b27ba76.exe
    PID 4864 wrote to memory of 1672 | 4864 | c79cadafae0170671029f96a7dde6afb098c4fd1e2757b5ea4ffb1212b27ba76.exe | c79cadafae0170671029f96a7dde6afb098c4fd1e2757b5ea4ffb1212b27ba76.exe
    PID 1672 wrote to memory of 2652 | 1672 | c79cadafae0170671029f96a7dde6afb098c4fd1e2757b5ea4ffb1212b27ba76.exe | dw20.exe
    PID 1672 wrote to memory of 2652 | 1672 | c79cadafae0170671029f96a7dde6afb098c4fd1e2757b5ea4ffb1212b27ba76.exe | dw20.exe
    PID 1672 wrote to memory of 2652 | 1672 | c79cadafae0170671029f96a7dde6afb098c4fd1e2757b5ea4ffb1212b27ba76.exe | dw20.exe
Processes
1. C:\Users\Admin\AppData\Local\Temp\c79cadafae0170671029f96a7dde6afb098c4fd1e2757b5ea4ffb1212b27ba76.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\c79cadafae0170671029f96a7dde6afb098c4fd1e2757b5ea4ffb1212b27ba76.exe"
   - Suspicious use of SetThreadContext
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2. (child of 1) C:\Users\Admin\AppData\Local\Temp\c79cadafae0170671029f96a7dde6afb098c4fd1e2757b5ea4ffb1212b27ba76.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\c79cadafae0170671029f96a7dde6afb098c4fd1e2757b5ea4ffb1212b27ba76.exe"
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      3. (child of 2) C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
         Command line: dw20.exe -x -s 2092
         - Drops file in Windows directory
         - Checks processor information in registry
         - Enumerates system info in registry
         - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/1672-134-0x0000000000000000-mapping.dmp
- memory/1672-135-0x0000000000400000-0x0000000000476000-memory.dmp (Filesize: 472KB)
- memory/1672-137-0x0000000075480000-0x0000000075A31000-memory.dmp (Filesize: 5.7MB)
- memory/1672-139-0x0000000075480000-0x0000000075A31000-memory.dmp (Filesize: 5.7MB)
- memory/2652-138-0x0000000000000000-mapping.dmp
- memory/4864-132-0x0000000075480000-0x0000000075A31000-memory.dmp (Filesize: 5.7MB)
- memory/4864-133-0x0000000075480000-0x0000000075A31000-memory.dmp (Filesize: 5.7MB)
- memory/4864-136-0x0000000075480000-0x0000000075A31000-memory.dmp (Filesize: 5.7MB)