Analysis
- max time kernel: 147s
- max time network: 155s
- platform: windows7_x64
- resource: win7-20220812-en
- resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
- submitted: 25-11-2022 12:39
Static task: static1
Behavioral task: behavioral1
- Sample: 2811ebd416aa6057f0acd63980eb81452fc04d57901d2bb71f1f54b67d606814.exe
- Resource: win7-20220812-en
Behavioral task: behavioral2
- Sample: 2811ebd416aa6057f0acd63980eb81452fc04d57901d2bb71f1f54b67d606814.exe
- Resource: win10v2004-20220812-en
General
- Target: 2811ebd416aa6057f0acd63980eb81452fc04d57901d2bb71f1f54b67d606814.exe
- Size: 122KB
- MD5: f5fca738eeb91bd105322677162325a9
- SHA1: 8872b7fe0bd05e390ee70fb2f4c74c875ad07e4a
- SHA256: 2811ebd416aa6057f0acd63980eb81452fc04d57901d2bb71f1f54b67d606814
- SHA512: e8d2ecb37b95b813a3ba368e3706199751c74851e8fec5a3f3cd89ea4b5bb7de4619614af05438bbdd7f0237804d3dfd62df8e9290ade4c6b3f1b331052031dd
- SSDEEP: 3072:WLD+1ReXDsoUfWBeDhzgzz5MYh/6srzGRLH:WLD1DsoUfceDhzgzJ/6sK
Malware Config
Signatures
- Modifies firewall policy service (2 TTPs, 2 IoCs)
  Processes: 2811ebd416aa6057f0acd63980eb81452fc04d57901d2bb71f1f54b67d606814.exe
  description | ioc | process
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | 2811ebd416aa6057f0acd63980eb81452fc04d57901d2bb71f1f54b67d606814.exe
  Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\M-52849205209409204980245\winmgr.exe = "C:\\Users\\Admin\\M-52849205209409204980245\\winmgr.exe:*:Enabled:Microsoft Windows Manager" | 2811ebd416aa6057f0acd63980eb81452fc04d57901d2bb71f1f54b67d606814.exe
- Executes dropped EXE (2 IoCs)
  Processes: winmgr.exe, winmgr.exe
  pid | process
  1736 | winmgr.exe
  1492 | winmgr.exe
- Loads dropped DLL (1 IoC)
  Processes: 2811ebd416aa6057f0acd63980eb81452fc04d57901d2bb71f1f54b67d606814.exe
  pid | process
  1824 | 2811ebd416aa6057f0acd63980eb81452fc04d57901d2bb71f1f54b67d606814.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes: 2811ebd416aa6057f0acd63980eb81452fc04d57901d2bb71f1f54b67d606814.exe
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\ | 2811ebd416aa6057f0acd63980eb81452fc04d57901d2bb71f1f54b67d606814.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Windows Manager = "C:\\Users\\Admin\\M-52849205209409204980245\\winmgr.exe" | 2811ebd416aa6057f0acd63980eb81452fc04d57901d2bb71f1f54b67d606814.exe
- Suspicious use of SetThreadContext (2 IoCs)
  Processes: 2811ebd416aa6057f0acd63980eb81452fc04d57901d2bb71f1f54b67d606814.exe, winmgr.exe
  description | pid | process | target process
  PID 2012 set thread context of 1824 | 2012 | 2811ebd416aa6057f0acd63980eb81452fc04d57901d2bb71f1f54b67d606814.exe | 2811ebd416aa6057f0acd63980eb81452fc04d57901d2bb71f1f54b67d606814.exe
  PID 1736 set thread context of 1492 | 1736 | winmgr.exe | winmgr.exe
- Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
  Processes: 2811ebd416aa6057f0acd63980eb81452fc04d57901d2bb71f1f54b67d606814.exe, winmgr.exe
  pid | process
  2012 | 2811ebd416aa6057f0acd63980eb81452fc04d57901d2bb71f1f54b67d606814.exe
  1736 | winmgr.exe
- Suspicious behavior: MapViewOfSection (4 IoCs)
  Processes: 2811ebd416aa6057f0acd63980eb81452fc04d57901d2bb71f1f54b67d606814.exe, winmgr.exe
  pid | process
  2012 | 2811ebd416aa6057f0acd63980eb81452fc04d57901d2bb71f1f54b67d606814.exe
  2012 | 2811ebd416aa6057f0acd63980eb81452fc04d57901d2bb71f1f54b67d606814.exe
  1736 | winmgr.exe
  1736 | winmgr.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes: 2811ebd416aa6057f0acd63980eb81452fc04d57901d2bb71f1f54b67d606814.exe, 2811ebd416aa6057f0acd63980eb81452fc04d57901d2bb71f1f54b67d606814.exe, winmgr.exe
  description | pid | process | target process
  PID 2012 wrote to memory of 1824 | 2012 | 2811ebd416aa6057f0acd63980eb81452fc04d57901d2bb71f1f54b67d606814.exe | 2811ebd416aa6057f0acd63980eb81452fc04d57901d2bb71f1f54b67d606814.exe
  PID 2012 wrote to memory of 1824 | 2012 | 2811ebd416aa6057f0acd63980eb81452fc04d57901d2bb71f1f54b67d606814.exe | 2811ebd416aa6057f0acd63980eb81452fc04d57901d2bb71f1f54b67d606814.exe
  PID 2012 wrote to memory of 1824 | 2012 | 2811ebd416aa6057f0acd63980eb81452fc04d57901d2bb71f1f54b67d606814.exe | 2811ebd416aa6057f0acd63980eb81452fc04d57901d2bb71f1f54b67d606814.exe
  PID 2012 wrote to memory of 1824 | 2012 | 2811ebd416aa6057f0acd63980eb81452fc04d57901d2bb71f1f54b67d606814.exe | 2811ebd416aa6057f0acd63980eb81452fc04d57901d2bb71f1f54b67d606814.exe
  PID 1824 wrote to memory of 1736 | 1824 | 2811ebd416aa6057f0acd63980eb81452fc04d57901d2bb71f1f54b67d606814.exe | winmgr.exe
  PID 1824 wrote to memory of 1736 | 1824 | 2811ebd416aa6057f0acd63980eb81452fc04d57901d2bb71f1f54b67d606814.exe | winmgr.exe
  PID 1824 wrote to memory of 1736 | 1824 | 2811ebd416aa6057f0acd63980eb81452fc04d57901d2bb71f1f54b67d606814.exe | winmgr.exe
  PID 1824 wrote to memory of 1736 | 1824 | 2811ebd416aa6057f0acd63980eb81452fc04d57901d2bb71f1f54b67d606814.exe | winmgr.exe
  PID 1736 wrote to memory of 1492 | 1736 | winmgr.exe | winmgr.exe
  PID 1736 wrote to memory of 1492 | 1736 | winmgr.exe | winmgr.exe
  PID 1736 wrote to memory of 1492 | 1736 | winmgr.exe | winmgr.exe
  PID 1736 wrote to memory of 1492 | 1736 | winmgr.exe | winmgr.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\2811ebd416aa6057f0acd63980eb81452fc04d57901d2bb71f1f54b67d606814.exe (PID 2012, level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\2811ebd416aa6057f0acd63980eb81452fc04d57901d2bb71f1f54b67d606814.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\2811ebd416aa6057f0acd63980eb81452fc04d57901d2bb71f1f54b67d606814.exe (PID 1824, level 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\2811ebd416aa6057f0acd63980eb81452fc04d57901d2bb71f1f54b67d606814.exe"
    - Modifies firewall policy service
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\M-52849205209409204980245\winmgr.exe (PID 1736, level 3)
      Command line: C:\Users\Admin\M-52849205209409204980245\winmgr.exe
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of WriteProcessMemory
      - C:\Users\Admin\M-52849205209409204980245\winmgr.exe (PID 1492, level 4)
        Command line: C:\Users\Admin\M-52849205209409204980245\winmgr.exe
        - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\M-52849205209409204980245\winmgr.exe
  Filesize: 122KB
  MD5: f5fca738eeb91bd105322677162325a9
  SHA1: 8872b7fe0bd05e390ee70fb2f4c74c875ad07e4a
  SHA256: 2811ebd416aa6057f0acd63980eb81452fc04d57901d2bb71f1f54b67d606814
  SHA512: e8d2ecb37b95b813a3ba368e3706199751c74851e8fec5a3f3cd89ea4b5bb7de4619614af05438bbdd7f0237804d3dfd62df8e9290ade4c6b3f1b331052031dd
- C:\Users\Admin\M-52849205209409204980245\winmgr.exe
  Filesize: 122KB
  MD5: f5fca738eeb91bd105322677162325a9
  SHA1: 8872b7fe0bd05e390ee70fb2f4c74c875ad07e4a
  SHA256: 2811ebd416aa6057f0acd63980eb81452fc04d57901d2bb71f1f54b67d606814
  SHA512: e8d2ecb37b95b813a3ba368e3706199751c74851e8fec5a3f3cd89ea4b5bb7de4619614af05438bbdd7f0237804d3dfd62df8e9290ade4c6b3f1b331052031dd
- \Users\Admin\M-52849205209409204980245\winmgr.exe
  Filesize: 122KB
  MD5: f5fca738eeb91bd105322677162325a9
  SHA1: 8872b7fe0bd05e390ee70fb2f4c74c875ad07e4a
  SHA256: 2811ebd416aa6057f0acd63980eb81452fc04d57901d2bb71f1f54b67d606814
  SHA512: e8d2ecb37b95b813a3ba368e3706199751c74851e8fec5a3f3cd89ea4b5bb7de4619614af05438bbdd7f0237804d3dfd62df8e9290ade4c6b3f1b331052031dd
- memory/1492-62-0x0000000000403900-mapping.dmp
- memory/1736-59-0x0000000000000000-mapping.dmp
- memory/1824-55-0x0000000000403900-mapping.dmp
- memory/1824-57-0x0000000000400000-0x0000000000407000-memory.dmp
  Filesize: 28KB
- memory/2012-54-0x0000000075281000-0x0000000075283000-memory.dmp
  Filesize: 8KB