Analysis
  max time kernel:  293s
  max time network: 352s
  platform:         windows10-2004_x64
  resource:         win10v2004-20221111-en
  resource tags:    arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
  submitted:        23-11-2022 21:02
Behavioral task: behavioral1
  Sample:   3a0ea2d0ab5193399ad8885ef10b389b3696dfa9bab76e8ceaff0903ee75e978.exe
  Resource: win7-20220901-en
Behavioral task: behavioral2
  Sample:   3a0ea2d0ab5193399ad8885ef10b389b3696dfa9bab76e8ceaff0903ee75e978.exe
  Resource: win10v2004-20221111-en
General
  Target: 3a0ea2d0ab5193399ad8885ef10b389b3696dfa9bab76e8ceaff0903ee75e978.exe
  Size:   257KB
  MD5:    1619b3d34e908676731f2de7546ec033
  SHA1:   a19e47283bcabb8cf0271b1d1e01ca5ba132fb36
  SHA256: 3a0ea2d0ab5193399ad8885ef10b389b3696dfa9bab76e8ceaff0903ee75e978
  SHA512: 303998694eb77a597bff0b296956abbd6a4dc1225a60bd4765fb6b2abd592887ceef63694afd66949b229178e8e8cfbf1614165801dc97208d2f185b24eef7b8
  SSDEEP: 6144:Ceqf28K4yODF+llRfcpmPCA+UdY0VJyt+Z/oKiNbg5G9EanssOP:CeKzK43WKE6A+q7/yw2yGWanssOP
Malware Config
Signatures
  NirSoft MailPassView (2 IoCs)
    Password recovery tool for various email clients
    Processes:
      resource                                                                          yara_rule
      behavioral2/memory/4512-133-0x0000000000400000-0x00000000004A6000-memory.dmp      MailPassView
      behavioral2/memory/4512-135-0x0000000000400000-0x00000000004A6000-memory.dmp      MailPassView
  Nirsoft (2 IoCs)
    Processes:
      resource                                                                          yara_rule
      behavioral2/memory/4512-133-0x0000000000400000-0x00000000004A6000-memory.dmp      Nirsoft
      behavioral2/memory/4512-135-0x0000000000400000-0x00000000004A6000-memory.dmp      Nirsoft
  Processes:
      resource                                                                          yara_rule
      behavioral2/memory/4512-133-0x0000000000400000-0x00000000004A6000-memory.dmp      upx
      behavioral2/memory/4512-135-0x0000000000400000-0x00000000004A6000-memory.dmp      upx
  Drops file in System32 directory (1 IoC)
    Processes:
      description    ioc                              process
      File created   C:\Windows\SysWOW64\owner.exe    3a0ea2d0ab5193399ad8885ef10b389b3696dfa9bab76e8ceaff0903ee75e978.exe
  Runs net.exe
  Suspicious use of WriteProcessMemory (6 IoCs)
    Processes:
      description                         pid    process                                                                 target process
      PID 4512 wrote to memory of 2712    4512   3a0ea2d0ab5193399ad8885ef10b389b3696dfa9bab76e8ceaff0903ee75e978.exe   net.exe
      PID 4512 wrote to memory of 2712    4512   3a0ea2d0ab5193399ad8885ef10b389b3696dfa9bab76e8ceaff0903ee75e978.exe   net.exe
      PID 4512 wrote to memory of 2712    4512   3a0ea2d0ab5193399ad8885ef10b389b3696dfa9bab76e8ceaff0903ee75e978.exe   net.exe
      PID 2712 wrote to memory of 3776    2712   net.exe                                                                 net1.exe
      PID 2712 wrote to memory of 3776    2712   net.exe                                                                 net1.exe
      PID 2712 wrote to memory of 3776    2712   net.exe                                                                 net1.exe
Processes
  1. C:\Users\Admin\AppData\Local\Temp\3a0ea2d0ab5193399ad8885ef10b389b3696dfa9bab76e8ceaff0903ee75e978.exe
     command line: "C:\Users\Admin\AppData\Local\Temp\3a0ea2d0ab5193399ad8885ef10b389b3696dfa9bab76e8ceaff0903ee75e978.exe"
     - Drops file in System32 directory
     - Suspicious use of WriteProcessMemory
     2. C:\Windows\SysWOW64\net.exe
        command line: net stop SharedAccess
        - Suspicious use of WriteProcessMemory
        3. C:\Windows\SysWOW64\net1.exe
           command line: C:\Windows\system32\net1 stop SharedAccess