Analysis
- max time kernel: 93s
- max time network: 108s
- platform: windows7_x64
- resource: win7-20221111-en
- resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
- submitted: 25-11-2022 21:10
Behavioral task: behavioral1
- Sample: 0a1367e9e81349bee726eef5801af5ffcd7f10525694fc9fdae6388385a8ae58.exe
- Resource: win7-20221111-en
Behavioral task: behavioral2
- Sample: 0a1367e9e81349bee726eef5801af5ffcd7f10525694fc9fdae6388385a8ae58.exe
- Resource: win10v2004-20220812-en
General
- Target: 0a1367e9e81349bee726eef5801af5ffcd7f10525694fc9fdae6388385a8ae58.exe
- Size: 3.8MB
- MD5: 5ce7b7a93421ccc26bd3324805e2e9db
- SHA1: e8e302d73c1df162da2928eb1261e0fdceda53c3
- SHA256: 0a1367e9e81349bee726eef5801af5ffcd7f10525694fc9fdae6388385a8ae58
- SHA512: 804bc74fe9878364a6fbb56492de5478ef4f08eee3e17605826048c1cb688eac855e0474f4dba858769eca68a871e9d3cdadf6208518687583a36a4f4273f42f
- SSDEEP: 98304:j+pw0mZ2aunm0EIRgaR90tDhOYCnN9/nK5KGs1k:j+8Z2Bm0BPutDZui
Malware Config
Signatures
-
Processes (resource / yara_rule):
- behavioral1/memory/944-55-0x00000000010F0000-0x0000000001927000-memory.dmp: vmprotect
- behavioral1/memory/944-56-0x00000000010F0000-0x0000000001927000-memory.dmp: vmprotect
- behavioral1/memory/944-58-0x00000000010F0000-0x0000000001927000-memory.dmp: vmprotect
- behavioral1/memory/944-59-0x00000000010F0000-0x0000000001927000-memory.dmp: vmprotect
- behavioral1/memory/944-73-0x00000000010F0000-0x0000000001927000-memory.dmp: vmprotect
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
Processes:
- PID 944: 0a1367e9e81349bee726eef5801af5ffcd7f10525694fc9fdae6388385a8ae58.exe
Gathers network information 2 TTPs 2 IoCs
Uses commandline utility to view network configuration.
Processes:
- PID 736: ipconfig.exe
- PID 856: ipconfig.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs
Processes:
- PID 944: 0a1367e9e81349bee726eef5801af5ffcd7f10525694fc9fdae6388385a8ae58.exe
Suspicious use of SetWindowsHookEx 5 IoCs
Processes:
- PID 944: 0a1367e9e81349bee726eef5801af5ffcd7f10525694fc9fdae6388385a8ae58.exe (5 occurrences)
Suspicious use of WriteProcessMemory 40 IoCs
Processes:
(source PID / source process -> target PID / target process, number of events)
- PID 944 0a1367e9e81349bee726eef5801af5ffcd7f10525694fc9fdae6388385a8ae58.exe wrote to memory of PID 468 cmd.exe (4 events)
- PID 944 0a1367e9e81349bee726eef5801af5ffcd7f10525694fc9fdae6388385a8ae58.exe wrote to memory of PID 1780 cmd.exe (4 events)
- PID 468 cmd.exe wrote to memory of PID 1360 cmd.exe (4 events)
- PID 1780 cmd.exe wrote to memory of PID 1696 cmd.exe (4 events)
- PID 468 cmd.exe wrote to memory of PID 556 cacls.exe (4 events)
- PID 1780 cmd.exe wrote to memory of PID 1500 cacls.exe (4 events)
- PID 1780 cmd.exe wrote to memory of PID 1020 attrib.exe (4 events)
- PID 468 cmd.exe wrote to memory of PID 392 attrib.exe (4 events)
- PID 1780 cmd.exe wrote to memory of PID 736 ipconfig.exe (4 events)
- PID 468 cmd.exe wrote to memory of PID 856 ipconfig.exe (4 events)
Views/modifies file attributes 1 TTPs 2 IoCs
Processes:
- PID 392: attrib.exe
- PID 1020: attrib.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\0a1367e9e81349bee726eef5801af5ffcd7f10525694fc9fdae6388385a8ae58.exe (PID 944)
  Command line: "C:\Users\Admin\AppData\Local\Temp\0a1367e9e81349bee726eef5801af5ffcd7f10525694fc9fdae6388385a8ae58.exe"
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe (PID 468)
    Command line: cmd.exe /c ECHO y|cacls %windir%\System32\drivers\etc\hosts /g everyone:f & attrib /s /d -s -h %windir%\System32\drivers\etc\hosts & move hosts %windir%\System32\drivers\etc\ & ipconfig /flushdns
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe (PID 1360)
      Command line: C:\Windows\system32\cmd.exe /S /D /c" ECHO y"
    - C:\Windows\SysWOW64\cacls.exe (PID 556)
      Command line: cacls C:\Windows\System32\drivers\etc\hosts /g everyone:f
    - C:\Windows\SysWOW64\attrib.exe (PID 392)
      Command line: attrib /s /d -s -h C:\Windows\System32\drivers\etc\hosts
      - Views/modifies file attributes
    - C:\Windows\SysWOW64\ipconfig.exe (PID 856)
      Command line: ipconfig /flushdns
      - Gathers network information
  - C:\Windows\SysWOW64\cmd.exe (PID 1780)
    Command line: cmd.exe /c ECHO y|cacls %windir%\System32\drivers\etc\hosts /g everyone:f & attrib /s /d -s -h %windir%\System32\drivers\etc\hosts & move hosts %windir%\System32\drivers\etc\ & ipconfig /flushdns
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe (PID 1696)
      Command line: C:\Windows\system32\cmd.exe /S /D /c" ECHO y"
    - C:\Windows\SysWOW64\cacls.exe (PID 1500)
      Command line: cacls C:\Windows\System32\drivers\etc\hosts /g everyone:f
    - C:\Windows\SysWOW64\attrib.exe (PID 1020)
      Command line: attrib /s /d -s -h C:\Windows\System32\drivers\etc\hosts
      - Views/modifies file attributes
    - C:\Windows\SysWOW64\ipconfig.exe (PID 736)
      Command line: ipconfig /flushdns
      - Gathers network information
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 824B
  MD5: 3688374325b992def12793500307566d
  SHA1: 4bed0823746a2a8577ab08ac8711b79770e48274
  SHA256: 2d6bdfb341be3a6234b24742377f93aa7c7cfb0d9fd64efa9282c87852e57085
  SHA512: 59119e66f5945029f8652c5981589d95cace534adc6780ccea736b7e776615caa0b567c14d161271d6066f57d9bab0d4055850162f5a046c0456264b7b9e7508