Analysis
- max time kernel: 152s
- max time network: 108s
- platform: windows7_x64
- resource: win7-20221111-en
- resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
- submitted: 25-11-2022 19:35
Static task: static1
Behavioral task: behavioral1
  Sample: 60111203bea5231ae089cde35cb1da64af8df3a57b9893f0c6b3f1517d6b1da0.exe
  Resource: win7-20221111-en
Behavioral task: behavioral2
  Sample: 60111203bea5231ae089cde35cb1da64af8df3a57b9893f0c6b3f1517d6b1da0.exe
  Resource: win10v2004-20221111-en
General
- Target: 60111203bea5231ae089cde35cb1da64af8df3a57b9893f0c6b3f1517d6b1da0.exe
- Size: 724KB
- MD5: c147ba02443132bcacfc2ba4ffc9af3a
- SHA1: 8dbde866273a66ebe9670d6fb6f6a7eaa0405d62
- SHA256: 60111203bea5231ae089cde35cb1da64af8df3a57b9893f0c6b3f1517d6b1da0
- SHA512: a41e1ccb47e22269dbd91d6a0637280a62031f915192015cc8a44836b11444000315d88f4197f861a7d6a6c064295202dda05cdb38b83fe01160ee8271d1f116
- SSDEEP: 12288:aNIQAPGsAqY9IMVYd38sJdpQHlGlY8KfT4F4+CpENqTScb++ycb/l9TXQCrv:HPGSY91VwNJcFMqTePNqT7ZycbdVXlrv
Malware Config
Signatures
- UAC bypass
  Processes:
    description | ioc | process
    Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | Charles.exe
- Executes dropped EXE (1 IoCs)
  Processes:
    pid | process
    1116 | Charles.exe
- Loads dropped DLL (4 IoCs)
  Processes:
    pid | process
    1276 | 60111203bea5231ae089cde35cb1da64af8df3a57b9893f0c6b3f1517d6b1da0.exe
    1116 | Charles.exe
    1116 | Charles.exe
    1116 | Charles.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes:
    description | ioc | process
    Key created | \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run | Charles.exe
    Set value (str) | \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\Google Charles = "\"C:\\Users\\Admin\\AppData\\Roaming\\Charles.exe\"" | Charles.exe
- Checks whether UAC is enabled
  Processes:
    description | ioc | process
    Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | Charles.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes:
    pid | process
    1116 | Charles.exe (64 identical entries)
- Suspicious use of SetWindowsHookEx (4 IoCs)
  Processes:
    pid | process
    1276 | 60111203bea5231ae089cde35cb1da64af8df3a57b9893f0c6b3f1517d6b1da0.exe
    1276 | 60111203bea5231ae089cde35cb1da64af8df3a57b9893f0c6b3f1517d6b1da0.exe
    1116 | Charles.exe
    1116 | Charles.exe
- Suspicious use of WriteProcessMemory (21 IoCs)
  Processes:
    description | pid | process | target process
    PID 1276 wrote to memory of 1116 | 1276 | 60111203bea5231ae089cde35cb1da64af8df3a57b9893f0c6b3f1517d6b1da0.exe | Charles.exe (7 identical entries)
    PID 1116 wrote to memory of 1000 | 1116 | Charles.exe | schtasks.exe (7 identical entries)
    PID 1116 wrote to memory of 1924 | 1116 | Charles.exe | schtasks.exe (7 identical entries)
- System policy modification (1 TTPs, 2 IoCs)
  Processes:
    description | ioc | process
    Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | Charles.exe
    Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | Charles.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\60111203bea5231ae089cde35cb1da64af8df3a57b9893f0c6b3f1517d6b1da0.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\60111203bea5231ae089cde35cb1da64af8df3a57b9893f0c6b3f1517d6b1da0.exe"
  PID: 1276
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\Charles.exe
    Command line: C:\Users\Admin\AppData\Roaming\Charles.exe
    PID: 1116
    - UAC bypass
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - System policy modification
    - C:\Windows\SysWOW64\schtasks.exe
      Command line: schtasks /Delete /TN GoogleUpdateTaskMachineCore /F
      PID: 1000
    - C:\Windows\SysWOW64\schtasks.exe
      Command line: schtasks /Delete /TN GoogleUpdateTaskMachineUA /F
      PID: 1924
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Roaming\Charles.exe
  Filesize: 724KB
  MD5: c147ba02443132bcacfc2ba4ffc9af3a
  SHA1: 8dbde866273a66ebe9670d6fb6f6a7eaa0405d62
  SHA256: 60111203bea5231ae089cde35cb1da64af8df3a57b9893f0c6b3f1517d6b1da0
  SHA512: a41e1ccb47e22269dbd91d6a0637280a62031f915192015cc8a44836b11444000315d88f4197f861a7d6a6c064295202dda05cdb38b83fe01160ee8271d1f116
- \Users\Admin\AppData\Roaming\Charles.exe
  Filesize: 724KB
  MD5: c147ba02443132bcacfc2ba4ffc9af3a
  SHA1: 8dbde866273a66ebe9670d6fb6f6a7eaa0405d62
  SHA256: 60111203bea5231ae089cde35cb1da64af8df3a57b9893f0c6b3f1517d6b1da0
  SHA512: a41e1ccb47e22269dbd91d6a0637280a62031f915192015cc8a44836b11444000315d88f4197f861a7d6a6c064295202dda05cdb38b83fe01160ee8271d1f116
- memory/1000-63-0x0000000000000000-mapping.dmp
- memory/1116-56-0x0000000000000000-mapping.dmp
- memory/1276-54-0x0000000076381000-0x0000000076383000-memory.dmp
  Filesize: 8KB
- memory/1924-64-0x0000000000000000-mapping.dmp