Analysis
-
max time kernel
152s -
max time network
158s -
platform
windows10-2004_x64 -
resource
win10v2004-20221111-en -
resource tags
arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system -
submitted
24-11-2022 19:01
Static task
static1
Behavioral task
behavioral1
Sample
ced5bf4f2b075f7d9c0411cf5194cf31747d7618a85cc4a794a624c766915e3e.exe
Resource
win7-20221111-en
Behavioral task
behavioral2
Sample
ced5bf4f2b075f7d9c0411cf5194cf31747d7618a85cc4a794a624c766915e3e.exe
Resource
win10v2004-20221111-en
General
-
Target
ced5bf4f2b075f7d9c0411cf5194cf31747d7618a85cc4a794a624c766915e3e.exe
-
Size
372KB
-
MD5
deb099b243b0700e8f230727eddd93a1
-
SHA1
e9213d1fe1593a1b13d3f360676fd7487a97aec4
-
SHA256
ced5bf4f2b075f7d9c0411cf5194cf31747d7618a85cc4a794a624c766915e3e
-
SHA512
9267ee0cf13dd21720863b52c854e43a4cb19343a5543301c7a94bd08db285c3ef43029e6c474fff39e11391534da6dbd9d42a2d657aa4a302b5cab5ca03731b
-
SSDEEP
6144:K/npA1BQ9DJZfca9HqCl6giRnGSSFDJK0zI04:GnpaODJZfcaxqAiRj0cZ
Malware Config
Signatures
-
Processes:
resource yara_rule C:\Users\Admin\AppData\Local\Temp\~GM7AA3.exe aspack_v212_v242 C:\Users\Admin\AppData\Local\Temp\~GM7AA3.exe aspack_v212_v242 -
Executes dropped EXE 1 IoCs
Processes:
~GM7AA3.exepid process 3708 ~GM7AA3.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
ced5bf4f2b075f7d9c0411cf5194cf31747d7618a85cc4a794a624c766915e3e.exedescription pid process Token: SeDebugPrivilege 4860 ced5bf4f2b075f7d9c0411cf5194cf31747d7618a85cc4a794a624c766915e3e.exe -
Suspicious use of SetWindowsHookEx 3 IoCs
Processes:
~GM7AA3.exepid process 3708 ~GM7AA3.exe 3708 ~GM7AA3.exe 3708 ~GM7AA3.exe -
Suspicious use of WriteProcessMemory 3 IoCs
Processes:
ced5bf4f2b075f7d9c0411cf5194cf31747d7618a85cc4a794a624c766915e3e.exedescription pid process target process PID 4860 wrote to memory of 3708 4860 ced5bf4f2b075f7d9c0411cf5194cf31747d7618a85cc4a794a624c766915e3e.exe ~GM7AA3.exe PID 4860 wrote to memory of 3708 4860 ced5bf4f2b075f7d9c0411cf5194cf31747d7618a85cc4a794a624c766915e3e.exe ~GM7AA3.exe PID 4860 wrote to memory of 3708 4860 ced5bf4f2b075f7d9c0411cf5194cf31747d7618a85cc4a794a624c766915e3e.exe ~GM7AA3.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\ced5bf4f2b075f7d9c0411cf5194cf31747d7618a85cc4a794a624c766915e3e.exe"C:\Users\Admin\AppData\Local\Temp\ced5bf4f2b075f7d9c0411cf5194cf31747d7618a85cc4a794a624c766915e3e.exe"1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\~GM7AA3.exe"C:\Users\Admin\AppData\Local\Temp\~GM7AA3.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\~GM7AA3.exeFilesize
66KB
MD5f7238e42746b458f5ab7250f164d3b85
SHA19e902ca4dfd3019fe22285d180dd1d0077f9aea3
SHA2568ca44518ff00f55ac00b7d7e32d9b5a5c27a6b85c660ee4e651e4d4c20a9de3a
SHA51221c17aff470477f3168285ac2160f75092998c5b99b89f07ddcf56e8a0312dcb565c7e90f7a7a0195bd443860b24ddc2789601af3d203f1428c38113462bf5db
-
C:\Users\Admin\AppData\Local\Temp\~GM7AA3.exeFilesize
66KB
MD5f7238e42746b458f5ab7250f164d3b85
SHA19e902ca4dfd3019fe22285d180dd1d0077f9aea3
SHA2568ca44518ff00f55ac00b7d7e32d9b5a5c27a6b85c660ee4e651e4d4c20a9de3a
SHA51221c17aff470477f3168285ac2160f75092998c5b99b89f07ddcf56e8a0312dcb565c7e90f7a7a0195bd443860b24ddc2789601af3d203f1428c38113462bf5db
-
memory/3708-132-0x0000000000000000-mapping.dmp
-
memory/3708-138-0x0000000001240000-0x000000000126B000-memory.dmpFilesize
172KB