Analysis
max time kernel: 236s
max time network: 246s
platform: windows10-2004_x64
resource: win10v2004-20221111-en
resource tags: arch:x64 arch:x86 image:win10v2004-20221111-en locale:en-us os:windows10-2004-x64 system
submitted: 25-11-2022 16:54
Static task: static1
Behavioral task: behavioral1
  Sample: acdfc3f4c1ba0143ad66c490fec09f797358b40a6b90ff7a8aa1aa4b76fca987.exe
  Resource: win7-20220901-en
Behavioral task: behavioral2
  Sample: acdfc3f4c1ba0143ad66c490fec09f797358b40a6b90ff7a8aa1aa4b76fca987.exe
  Resource: win10v2004-20221111-en
General
Target: acdfc3f4c1ba0143ad66c490fec09f797358b40a6b90ff7a8aa1aa4b76fca987.exe
Size: 3.2MB
MD5: 6bb28c1ea5194274574f29ec16674869
SHA1: 9b9c02da15253ac93ecf11eabcacb316ac7e84d5
SHA256: acdfc3f4c1ba0143ad66c490fec09f797358b40a6b90ff7a8aa1aa4b76fca987
SHA512: babe19b849fb15284be47b26582285a0bac4d1e6ae328827b4f918a9958a6f15c64fb0dc4088674d43d5b911d3977c0bf2b592ebef0efb1a6599881655f8c3ec
SSDEEP: 49152:RVg5tQ7aIIr56/G2WxsGkcq6guq7T5mVNNofLVXNQ2i3GEHxrf1o:fg56DuVkcJguqAVNefLVXNOR2
Malware Config
Signatures
Adds Run key to start application (2 TTPs, 4 IoCs)
Processes: acdfc3f4c1ba0143ad66c490fec09f797358b40a6b90ff7a8aa1aa4b76fca987.exe
  description | ioc | process
  Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ | acdfc3f4c1ba0143ad66c490fec09f797358b40a6b90ff7a8aa1aa4b76fca987.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft Defender = "\"C:\\Users\\Admin\\AppData\\Local\\adminControle.exe\"" | acdfc3f4c1ba0143ad66c490fec09f797358b40a6b90ff7a8aa1aa4b76fca987.exe
  Key created | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Windows\CurrentVersion\Run\ | acdfc3f4c1ba0143ad66c490fec09f797358b40a6b90ff7a8aa1aa4b76fca987.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft Defender = "\"C:\\Users\\Admin\\AppData\\Local\\adminControle.exe\"" | acdfc3f4c1ba0143ad66c490fec09f797358b40a6b90ff7a8aa1aa4b76fca987.exe

Suspicious use of SetThreadContext (1 IoC)
Processes: acdfc3f4c1ba0143ad66c490fec09f797358b40a6b90ff7a8aa1aa4b76fca987.exe
  description | pid | process | target process
  PID 4376 set thread context of 3516 | 4376 | acdfc3f4c1ba0143ad66c490fec09f797358b40a6b90ff7a8aa1aa4b76fca987.exe | acdfc3f4c1ba0143ad66c490fec09f797358b40a6b90ff7a8aa1aa4b76fca987.exe

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
Processes: acdfc3f4c1ba0143ad66c490fec09f797358b40a6b90ff7a8aa1aa4b76fca987.exe
  pid | process
  3516 | acdfc3f4c1ba0143ad66c490fec09f797358b40a6b90ff7a8aa1aa4b76fca987.exe

Suspicious use of FindShellTrayWindow (3 IoCs)
Processes: acdfc3f4c1ba0143ad66c490fec09f797358b40a6b90ff7a8aa1aa4b76fca987.exe
  pid | process
  4376 | acdfc3f4c1ba0143ad66c490fec09f797358b40a6b90ff7a8aa1aa4b76fca987.exe
  4376 | acdfc3f4c1ba0143ad66c490fec09f797358b40a6b90ff7a8aa1aa4b76fca987.exe
  4376 | acdfc3f4c1ba0143ad66c490fec09f797358b40a6b90ff7a8aa1aa4b76fca987.exe

Suspicious use of SendNotifyMessage (3 IoCs)
Processes: acdfc3f4c1ba0143ad66c490fec09f797358b40a6b90ff7a8aa1aa4b76fca987.exe
  pid | process
  4376 | acdfc3f4c1ba0143ad66c490fec09f797358b40a6b90ff7a8aa1aa4b76fca987.exe
  4376 | acdfc3f4c1ba0143ad66c490fec09f797358b40a6b90ff7a8aa1aa4b76fca987.exe
  4376 | acdfc3f4c1ba0143ad66c490fec09f797358b40a6b90ff7a8aa1aa4b76fca987.exe

Suspicious use of WriteProcessMemory (5 IoCs)
Processes: acdfc3f4c1ba0143ad66c490fec09f797358b40a6b90ff7a8aa1aa4b76fca987.exe
  description | pid | process | target process
  PID 4376 wrote to memory of 3516 | 4376 | acdfc3f4c1ba0143ad66c490fec09f797358b40a6b90ff7a8aa1aa4b76fca987.exe | acdfc3f4c1ba0143ad66c490fec09f797358b40a6b90ff7a8aa1aa4b76fca987.exe
  PID 4376 wrote to memory of 3516 | 4376 | acdfc3f4c1ba0143ad66c490fec09f797358b40a6b90ff7a8aa1aa4b76fca987.exe | acdfc3f4c1ba0143ad66c490fec09f797358b40a6b90ff7a8aa1aa4b76fca987.exe
  PID 4376 wrote to memory of 3516 | 4376 | acdfc3f4c1ba0143ad66c490fec09f797358b40a6b90ff7a8aa1aa4b76fca987.exe | acdfc3f4c1ba0143ad66c490fec09f797358b40a6b90ff7a8aa1aa4b76fca987.exe
  PID 4376 wrote to memory of 3516 | 4376 | acdfc3f4c1ba0143ad66c490fec09f797358b40a6b90ff7a8aa1aa4b76fca987.exe | acdfc3f4c1ba0143ad66c490fec09f797358b40a6b90ff7a8aa1aa4b76fca987.exe
  PID 4376 wrote to memory of 3516 | 4376 | acdfc3f4c1ba0143ad66c490fec09f797358b40a6b90ff7a8aa1aa4b76fca987.exe | acdfc3f4c1ba0143ad66c490fec09f797358b40a6b90ff7a8aa1aa4b76fca987.exe
Processes
  C:\Users\Admin\AppData\Local\Temp\acdfc3f4c1ba0143ad66c490fec09f797358b40a6b90ff7a8aa1aa4b76fca987.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\acdfc3f4c1ba0143ad66c490fec09f797358b40a6b90ff7a8aa1aa4b76fca987.exe"
    PID: 4376
    - Suspicious use of SetThreadContext
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\acdfc3f4c1ba0143ad66c490fec09f797358b40a6b90ff7a8aa1aa4b76fca987.exe (child process)
      Command line: "C:\Users\Admin\AppData\Local\Temp\acdfc3f4c1ba0143ad66c490fec09f797358b40a6b90ff7a8aa1aa4b76fca987.exe"
      PID: 3516
      - Adds Run key to start application
      - Suspicious behavior: GetForegroundWindowSpam
Network
MITRE ATT&CK Enterprise v6
Downloads
  memory/3516-132-0x0000000000000000-mapping.dmp
  memory/3516-133-0x0000000001000000-0x0000000001268000-memory.dmp (Filesize: 2.4MB)
  memory/3516-134-0x0000000001000000-0x0000000001268000-memory.dmp (Filesize: 2.4MB)
  memory/3516-135-0x0000000001000000-0x0000000001268000-memory.dmp (Filesize: 2.4MB)
  memory/3516-136-0x0000000001000000-0x0000000001268000-memory.dmp (Filesize: 2.4MB)
  memory/3516-137-0x0000000001000000-0x0000000001268000-memory.dmp (Filesize: 2.4MB)