Analysis

max time kernel: 33s
max time network: 35s
platform: windows7_x64
resource: win7-20221111-en
resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
submitted: 23-11-2022 18:52
Behavioral task: behavioral1
Sample: a8e119a9df50be08674575d0004dfd1dd92d1ff4269d4e3ab1be2acdc1ad14a7.exe
Resource: win7-20221111-en

Behavioral task: behavioral2
Sample: a8e119a9df50be08674575d0004dfd1dd92d1ff4269d4e3ab1be2acdc1ad14a7.exe
Resource: win10v2004-20221111-en
General

Target: a8e119a9df50be08674575d0004dfd1dd92d1ff4269d4e3ab1be2acdc1ad14a7.exe (the file name is the sample's SHA256)
Size: 1.9MB
MD5: a5bcf3cf4809d57bcf38d99b205272c2
SHA1: e32c158f2f974be675793900a64054ff229b5423
SHA256: a8e119a9df50be08674575d0004dfd1dd92d1ff4269d4e3ab1be2acdc1ad14a7
SHA512: 5cad7bfdd1fb47f3f2f7e974bfcc028a14d149fa176c2327c3146442c044752aba5c6b348642c460ffa2772db5900bdf2c11d49bb5fd8a16d4201745d6c199c5
SSDEEP: 49152:MawZsUUeD9jFldRSXgFzD6LSDS2wV4M/1pvCupGnOn:MnnUeDtSQFzD6LS2dVbtpvCROn
Malware Config
Signatures
-
Gathers network information (2 TTPs, 1 IoC)
Uses a command-line utility to view network configuration.
Processes:
  PID 1312  ipconfig.exe
Caveat: the command line recorded for PID 1312 is "ipconfig /flushdns" (see the process tree below), which clears the local DNS resolver cache rather than displaying configuration, so the signature text overstates what was observed. A cache flush says little by itself; the useful follow-up is whether DNS queries come after it, and the Network section of this report lists none.

Suspicious use of FindShellTrayWindow (2 IoCs)
Processes:
  PID 1380  a8e119a9df50be08674575d0004dfd1dd92d1ff4269d4e3ab1be2acdc1ad14a7.exe (2 calls)

Suspicious use of SendNotifyMessage (2 IoCs)
Processes:
  PID 1380  a8e119a9df50be08674575d0004dfd1dd92d1ff4269d4e3ab1be2acdc1ad14a7.exe (2 calls)

Suspicious use of SetWindowsHookEx (2 IoCs)
Processes:
  PID 1380  a8e119a9df50be08674575d0004dfd1dd92d1ff4269d4e3ab1be2acdc1ad14a7.exe (2 calls)
Caveat: FindShellTrayWindow and SendNotifyMessage are also called by ordinary GUI applications that talk to the taskbar or notification area, and SetWindowsHookEx is only a keylogging indicator when the hook type is a keyboard hook (WH_KEYBOARD or WH_KEYBOARD_LL) installed globally (thread ID 0); the report does not record the hook type, so this cannot be decided from the signature alone.

Suspicious use of WriteProcessMemory (4 IoCs)
Processes:
  source PID 1380 (a8e119a9df50be08674575d0004dfd1dd92d1ff4269d4e3ab1be2acdc1ad14a7.exe) wrote to memory of target PID 1312 (ipconfig.exe), 4 events
Caveat: all four writes go from the parent into the child it has just created. Ordinary process creation also produces parent-to-child writes (CreateProcess copies the process parameters into the new address space), so this signature on its own does not show code injection into ipconfig.exe. Treat it as hollowing or injection only if the writes land in executable regions or are followed by a remote thread creation or a thread context change, none of which are recorded here.
Processes

1. C:\Users\Admin\AppData\Local\Temp\a8e119a9df50be08674575d0004dfd1dd92d1ff4269d4e3ab1be2acdc1ad14a7.exe   PID 1380
   Command line: "C:\Users\Admin\AppData\Local\Temp\a8e119a9df50be08674575d0004dfd1dd92d1ff4269d4e3ab1be2acdc1ad14a7.exe"
   - Suspicious use of FindShellTrayWindow
   - Suspicious use of SendNotifyMessage
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\ipconfig.exe   PID 1312 (child of PID 1380)
      Command line: ipconfig /flushdns
      - Gathers network information

The child is the SysWOW64 copy of ipconfig.exe: a 32-bit process asking for %windir%\System32 is redirected there by the file-system redirector, while a 64-bit process would have launched System32\ipconfig.exe. The sample is therefore a 32-bit executable running under WoW64 on this x64 image.
Network
MITRE ATT&CK Enterprise v6
Downloads
Dump file                                                          Size
memory/1312-59-0x0000000000000000-mapping.dmp                      -
memory/1380-54-0x00000000764C1000-0x00000000764C3000-memory.dmp    8KB
memory/1380-55-0x0000000000400000-0x00000000008EC000-memory.dmp    4.9MB
memory/1380-56-0x0000000000400000-0x00000000008EC000-memory.dmp    4.9MB
memory/1380-57-0x0000000000400000-0x00000000008EC000-memory.dmp    4.9MB
memory/1380-58-0x0000000000400000-0x00000000008EC000-memory.dmp    4.9MB
memory/1380-61-0x0000000000400000-0x00000000008EC000-memory.dmp    4.9MB

The five 4.9MB dumps are repeated snapshots (sequence numbers 55 to 58 and 61) of one region of PID 1380, 0x00400000 to 0x008EC000 (0x4EC000 = 5,160,960 bytes). 0x00400000 is the default 32-bit image base, so this is the sample's own image as mapped in memory, about 2.5 times its 1.9MB size on disk; diffing successive snapshots shows which parts of the image change at run time, which is the usual route to an unpacked copy if the file is packed. The 8KB dump at 0x764C1000 is a small slice high in the address space, where system DLLs are typically mapped. The mapping.dmp for PID 1312 carries no address range or size.
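The dump names above encode the PID, a sequence number and the address range of each region. The following is an added example, not part of the sandbox report or the sandbox's own tooling: it parses those names, derives each region's size, collapses repeated snapshots of the same region, and formats sizes the way the report does (MiB shown as "MB" to one decimal, KiB as "KB"). The names are copied from the report; the Dump record and the summary layout are our own.

```python
# Added example (not part of the sandbox report): parse sandbox dump file
# names of the forms
#   memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp
#   memory/<pid>-<seq>-0x<addr>-mapping.dmp
# and summarise the regions they cover. The Dump record layout is ours.
import re
from dataclasses import dataclass
from typing import Optional

DUMP_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9a-f]+)"
    r"(?:-0x(?P<end>[0-9a-f]+)-memory|-mapping)\.dmp$",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class Dump:
    pid: int
    seq: int
    start: int
    end: Optional[int]   # None for a mapping dump
    kind: str            # "memory" or "mapping"

    @property
    def size(self) -> Optional[int]:
        return None if self.end is None else self.end - self.start


def parse_dump_name(name: str) -> Dump:
    m = DUMP_RE.match(name)
    if not m:
        raise ValueError(f"not a sandbox dump name: {name}")
    end = m.group("end")
    return Dump(
        pid=int(m.group("pid")),
        seq=int(m.group("seq")),
        start=int(m.group("start"), 16),
        end=int(end, 16) if end else None,
        kind="memory" if end else "mapping",
    )


def size_label(n: int) -> str:
    """Format like the report: MiB to one decimal as 'MB', KiB as 'KB'."""
    if n >= 1 << 20:
        return f"{n / (1 << 20):.1f}MB"
    if n >= 1024:
        return f"{n // 1024}KB"
    return f"{n}B"


def summarize(names):
    """Group dumps by (pid, start, end) and record which snapshots cover each."""
    regions = {}
    for name in names:
        d = parse_dump_name(name)
        key = (d.pid, d.start, d.end)
        entry = regions.setdefault(key, {"kind": d.kind, "size": d.size, "seqs": []})
        entry["seqs"].append(d.seq)
    return regions


REPORT_DUMPS = [  # copied from the report's Downloads list
    "memory/1312-59-0x0000000000000000-mapping.dmp",
    "memory/1380-54-0x00000000764C1000-0x00000000764C3000-memory.dmp",
    "memory/1380-55-0x0000000000400000-0x00000000008EC000-memory.dmp",
    "memory/1380-56-0x0000000000400000-0x00000000008EC000-memory.dmp",
    "memory/1380-57-0x0000000000400000-0x00000000008EC000-memory.dmp",
    "memory/1380-58-0x0000000000400000-0x00000000008EC000-memory.dmp",
    "memory/1380-61-0x0000000000400000-0x00000000008EC000-memory.dmp",
]

if __name__ == "__main__":
    for (pid, start, end), info in summarize(REPORT_DUMPS).items():
        rng = f"0x{start:08X}" + (f"-0x{end:08X}" if end is not None else "")
        size = size_label(info["size"]) if info["size"] is not None else "-"
        print(f"pid {pid}  {info['kind']:7} {rng:22} {size:>6}  snapshots={len(info['seqs'])}")
```

Run against the report's list this collapses the seven files to three regions: the mapping entry for PID 1312, the 8KB slice at 0x764C1000, and the image region at 0x00400000 with five snapshots, which is the set you would diff to see what the sample rewrites in its own image while running.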