Analysis
max time kernel: 146s
max time network: 50s
platform: windows7_x64
resource: win7-20220901-en
resource tags: arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system
submitted: 25-11-2022 19:38
Static task
static1
Behavioral task
behavioral1
Sample
a4b0d45b0836eab08b23b0afcac7245bb60996f041f9ca36f5fa9e6518f93e25.exe
Resource
win7-20220901-en
Behavioral task
behavioral2
Sample
a4b0d45b0836eab08b23b0afcac7245bb60996f041f9ca36f5fa9e6518f93e25.exe
Resource
win10v2004-20221111-en
General
Target: a4b0d45b0836eab08b23b0afcac7245bb60996f041f9ca36f5fa9e6518f93e25.exe
Size: 252KB
MD5: 5721e26a193359ca859dbf51aebdb3c7
SHA1: 8bc8c529bc3f781f1d6fff28f0062c7c17968794
SHA256: a4b0d45b0836eab08b23b0afcac7245bb60996f041f9ca36f5fa9e6518f93e25
SHA512: 7c4fd748ac618d15c072f037cea47260cd596a9acb1068300157e17db8f55c92ed4ae84fa4412d71d1d7a626861aa42a4cca34893a74ca3b4d96a9845fc1faf9
SSDEEP: 3072:61DrUriSnqUCzxJscmBd1sftLhoT38QFVkwNz3e8jQ6bF0FQKYzRBjvqo3JouUaw:61PUHqUCL4MhkVpRugrzRBjSo5vTWr
Malware Config
Signatures
Adds Run key to start application (2 TTPs, 2 IoCs)
Processes: reg.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\winlogon = "C:\\Windows\\services.exe" | reg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run | reg.exe

Drops file in Windows directory (2 IoCs)
Processes: cmd.exe
description | ioc | process
File created | C:\Windows\services.exe | cmd.exe
File opened for modification | C:\Windows\services.exe | cmd.exe

Modifies registry key (1 TTPs, 1 IoCs)

Suspicious use of SetWindowsHookEx (2 IoCs)
Processes: a4b0d45b0836eab08b23b0afcac7245bb60996f041f9ca36f5fa9e6518f93e25.exe
pid | process
1464 | a4b0d45b0836eab08b23b0afcac7245bb60996f041f9ca36f5fa9e6518f93e25.exe
1464 | a4b0d45b0836eab08b23b0afcac7245bb60996f041f9ca36f5fa9e6518f93e25.exe

Suspicious use of WriteProcessMemory (8 IoCs)
Processes: a4b0d45b0836eab08b23b0afcac7245bb60996f041f9ca36f5fa9e6518f93e25.exe, cmd.exe
description | pid | process | target process
PID 1464 wrote to memory of 900 | 1464 | a4b0d45b0836eab08b23b0afcac7245bb60996f041f9ca36f5fa9e6518f93e25.exe | cmd.exe
PID 1464 wrote to memory of 900 | 1464 | a4b0d45b0836eab08b23b0afcac7245bb60996f041f9ca36f5fa9e6518f93e25.exe | cmd.exe
PID 1464 wrote to memory of 900 | 1464 | a4b0d45b0836eab08b23b0afcac7245bb60996f041f9ca36f5fa9e6518f93e25.exe | cmd.exe
PID 1464 wrote to memory of 900 | 1464 | a4b0d45b0836eab08b23b0afcac7245bb60996f041f9ca36f5fa9e6518f93e25.exe | cmd.exe
PID 900 wrote to memory of 580 | 900 | cmd.exe | reg.exe
PID 900 wrote to memory of 580 | 900 | cmd.exe | reg.exe
PID 900 wrote to memory of 580 | 900 | cmd.exe | reg.exe
PID 900 wrote to memory of 580 | 900 | cmd.exe | reg.exe
Processes
1. C:\Users\Admin\AppData\Local\Temp\a4b0d45b0836eab08b23b0afcac7245bb60996f041f9ca36f5fa9e6518f93e25.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\a4b0d45b0836eab08b23b0afcac7245bb60996f041f9ca36f5fa9e6518f93e25.exe"
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   PID: 1464
   2. C:\Windows\SysWOW64\cmd.exe
      Command line: cmd /c C:\Users\Admin\AppData\Roaming\pocho.bat
      - Drops file in Windows directory
      - Suspicious use of WriteProcessMemory
      PID: 900
      3. C:\Windows\SysWOW64\reg.exe
         Command line: REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v winlogon /t REG_SZ /d "C:\Windows\services.exe" /f
         - Adds Run key to start application
         - Modifies registry key
         PID: 580
Network
MITRE ATT&CK Enterprise v6
Downloads
C:\Users\Admin\AppData\Roaming\pocho.bat
  Filesize: 264B
  MD5: 08f6a689831634d2df4d523156e4a2f0
  SHA1: 9e3a3d972485010545f17f10b4ebb94459796778
  SHA256: 4c6bd5c36bb6b067f31da11c290e39d217dd9696a72092d618702592ef5a4701
  SHA512: 673f55fb67c3f8c035706cf17abac748b0b665762bee8ad08169a64656a98088b37de998b6d1bd98004f6bd7625c5ac4804f94367be6e0caaeb736bd1b826a5b
memory/580-60-0x0000000000000000-mapping.dmp
memory/900-58-0x0000000000000000-mapping.dmp
memory/1464-57-0x0000000075B51000-0x0000000075B53000-memory.dmp
  Filesize: 8KB