Analysis
-
max time kernel
152s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
-
submitted
25-11-2022 07:59
General
-
Target
44478c730a9eb20469084cc7abdcb20c1a70ca948d55cee9f5056f96f746f835.exe
-
Size
288KB
-
MD5
54c32d7aabf7f8dcd6ed16cc8147fd12
-
SHA1
5c4c219891f88c94b36fce3e696fc3d9b1680e80
-
SHA256
44478c730a9eb20469084cc7abdcb20c1a70ca948d55cee9f5056f96f746f835
-
SHA512
c9f0ba812f0d2153c5f124d3bb2ab913fc775813db2c2acd86515f09d991c865d956e31512defeb93e0e6d514d8c92ed21668d88d355f68f6ca02172848fa44b
-
SSDEEP
6144:Gbu9uj8Pw2rZqabNzSPR4ZeY5VuiDjMsOxp6+vfUVMwT:Yu9oL2gONuJ4xDCxp6+vfm
Malware Config
Signatures
-
Executes dropped EXE 2 IoCs
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Suspicious use of SetThreadContext 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Users\Admin\AppData\Local\Temp\44478c730a9eb20469084cc7abdcb20c1a70ca948d55cee9f5056f96f746f835.exe"C:\Users\Admin\AppData\Local\Temp\44478c730a9eb20469084cc7abdcb20c1a70ca948d55cee9f5056f96f746f835.exe"2⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\44478c730a9eb20469084cc7abdcb20c1a70ca948d55cee9f5056f96f746f835.exe"C:\Users\Admin\AppData\Local\Temp\44478c730a9eb20469084cc7abdcb20c1a70ca948d55cee9f5056f96f746f835.exe"3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\Uxidok\tara.exe"C:\Users\Admin\AppData\Local\Temp\Uxidok\tara.exe"4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\Uxidok\tara.exe"C:\Users\Admin\AppData\Local\Temp\Uxidok\tara.exe"5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\NPYF173.bat"4⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV15⤵
-
C:\Windows\system32\taskhostw.exetaskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc1⤵
-
C:\Windows\system32\sihost.exesihost.exe1⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\NPYF173.batFilesize
278B
MD5bb3fa7a5aec73f29277b574a4c21880c
SHA1678e1370d741c5cb97ee9549e2f7fdd2c04d606d
SHA25636ce3940e59b7b54a10775868bb02aaf20e0a060e5a3456deb8922193882966f
SHA512b57623ab637395a0e3addfa3a8b8c9c140dd818891bd8891b2a164189bffc7bb9ec36b429e7394e79b475a7f9db4e110428be7a6d98f541827bb1c162f73ebf4
-
C:\Users\Admin\AppData\Local\Temp\Uxidok\tara.exeFilesize
288KB
MD5f612bb367ca853721d1ca0a6434be7bc
SHA130e3c1bab728e0154dae2fc9e1a46e58582986e8
SHA256848178bf77cd7d7b791806317d8ad30256cb50bcf8a2348de435c8a3b6dd4148
SHA512915c5ad09c120f2d5aeaa443457ae729a7f97a4a6f63f74fe35d1e7ec2ff15307d5c5d80f07159e460afb3a1d5447442173ebb2b788590d5a653c67d600da1f6
-
C:\Users\Admin\AppData\Local\Temp\Uxidok\tara.exeFilesize
288KB
MD5f612bb367ca853721d1ca0a6434be7bc
SHA130e3c1bab728e0154dae2fc9e1a46e58582986e8
SHA256848178bf77cd7d7b791806317d8ad30256cb50bcf8a2348de435c8a3b6dd4148
SHA512915c5ad09c120f2d5aeaa443457ae729a7f97a4a6f63f74fe35d1e7ec2ff15307d5c5d80f07159e460afb3a1d5447442173ebb2b788590d5a653c67d600da1f6
-
C:\Users\Admin\AppData\Local\Temp\Uxidok\tara.exeFilesize
288KB
MD5f612bb367ca853721d1ca0a6434be7bc
SHA130e3c1bab728e0154dae2fc9e1a46e58582986e8
SHA256848178bf77cd7d7b791806317d8ad30256cb50bcf8a2348de435c8a3b6dd4148
SHA512915c5ad09c120f2d5aeaa443457ae729a7f97a4a6f63f74fe35d1e7ec2ff15307d5c5d80f07159e460afb3a1d5447442173ebb2b788590d5a653c67d600da1f6
-
memory/1684-156-0x0000000000E00000-0x0000000000E42000-memory.dmpFilesize
264KB
-
memory/1684-155-0x000000006FFF0000-0x0000000070000000-memory.dmpFilesize
64KB
-
memory/1684-154-0x000000006FFF0000-0x0000000070000000-memory.dmpFilesize
64KB
-
memory/1684-153-0x000000006FFF0000-0x0000000070000000-memory.dmpFilesize
64KB
-
memory/1684-149-0x0000000000000000-mapping.dmp
-
memory/2204-139-0x0000000000000000-mapping.dmp
-
memory/2204-148-0x0000000001076000-0x0000000001079000-memory.dmpFilesize
12KB
-
memory/2204-142-0x0000000001076000-0x000000000107B000-memory.dmpFilesize
20KB
-
memory/2204-147-0x0000000074400000-0x00000000749B1000-memory.dmpFilesize
5.7MB
-
memory/2548-157-0x0000000074B40000-0x00000000750F1000-memory.dmpFilesize
5.7MB
-
memory/2548-135-0x0000000074B40000-0x00000000750F1000-memory.dmpFilesize
5.7MB
-
memory/3504-151-0x0000000000400000-0x0000000000442000-memory.dmpFilesize
264KB
-
memory/3504-146-0x0000000000400000-0x0000000000442000-memory.dmpFilesize
264KB
-
memory/3504-143-0x0000000000000000-mapping.dmp
-
memory/3504-145-0x0000000000400000-0x0000000000442000-memory.dmpFilesize
264KB
-
memory/3504-158-0x0000000000400000-0x0000000000442000-memory.dmpFilesize
264KB
-
memory/4852-150-0x0000000000400000-0x0000000000442000-memory.dmpFilesize
264KB
-
memory/4852-138-0x0000000000400000-0x0000000000442000-memory.dmpFilesize
264KB
-
memory/4852-137-0x0000000000400000-0x0000000000442000-memory.dmpFilesize
264KB
-
memory/4852-136-0x0000000000400000-0x0000000000442000-memory.dmpFilesize
264KB
-
memory/4852-133-0x0000000000000000-mapping.dmp
-
memory/4852-134-0x0000000000400000-0x0000000000442000-memory.dmpFilesize
264KB