Analysis
max time kernel: 192s
max time network: 209s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 26-11-2022 07:32
Static task: static1
Behavioral task: behavioral1
  Sample: 1a0b133f8d511e0a78ace8b21056f164199c9e502c6f9013f779a8c2584a2626.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: 1a0b133f8d511e0a78ace8b21056f164199c9e502c6f9013f779a8c2584a2626.exe
  Resource: win10v2004-20220812-en
General
Target: 1a0b133f8d511e0a78ace8b21056f164199c9e502c6f9013f779a8c2584a2626.exe
Size: 216KB
MD5: 18da21337a68b2edf0abedc4a6cb6b0c
SHA1: a42a59f6a2a778ece6cdf55d58ba58243e06a57c
SHA256: 1a0b133f8d511e0a78ace8b21056f164199c9e502c6f9013f779a8c2584a2626
SHA512: 60ad568cf5dcf02fc612972d1ff1836af924815c7be7ef106b4d565d81326fb3565ba7fa4e98016385a1f093c4b1a84fae0d4a44b84fcee92c29425dfe435487
SSDEEP: 3072:rawhW9eOEtiOOrKOoVfyAvs56z/fBTZ+J/h/GfJYO/SB+NvXY7JMW:rq/BpZooAkYfRZ+J/UR/HvXY
Malware Config
Signatures

Drops startup file (1 IoC)
  Processes: explorer.exe
  description  | ioc                                                                                        | process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\3224346.exe | explorer.exe

Adds Run key to start application (2 TTPs, 4 IoCs)
  Processes: explorer.exe
  description     | ioc                                                                                                                                                       | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\*22434 = "C:\\3224346\\3224346.exe"              | explorer.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\3224346 = "C:\\Users\\Admin\\AppData\\Roaming\\3224346.exe" | explorer.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\*224346 = "C:\\Users\\Admin\\AppData\\Roaming\\3224346.exe" | explorer.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\322434 = "C:\\3224346\\3224346.exe"                  | explorer.exe

Suspicious behavior: MapViewOfSection (2 IoCs)
  Processes: 1a0b133f8d511e0a78ace8b21056f164199c9e502c6f9013f779a8c2584a2626.exe, explorer.exe
  pid  | process
  4908 | 1a0b133f8d511e0a78ace8b21056f164199c9e502c6f9013f779a8c2584a2626.exe
  2200 | explorer.exe

Suspicious use of WriteProcessMemory (6 IoCs)
  Processes: 1a0b133f8d511e0a78ace8b21056f164199c9e502c6f9013f779a8c2584a2626.exe, explorer.exe
  description                   | pid  | process                                                               | target process
  PID 4908 wrote to memory of 2200 | 4908 | 1a0b133f8d511e0a78ace8b21056f164199c9e502c6f9013f779a8c2584a2626.exe | explorer.exe
  PID 4908 wrote to memory of 2200 | 4908 | 1a0b133f8d511e0a78ace8b21056f164199c9e502c6f9013f779a8c2584a2626.exe | explorer.exe
  PID 4908 wrote to memory of 2200 | 4908 | 1a0b133f8d511e0a78ace8b21056f164199c9e502c6f9013f779a8c2584a2626.exe | explorer.exe
  PID 2200 wrote to memory of 4508 | 2200 | explorer.exe                                                          | svchost.exe
  PID 2200 wrote to memory of 4508 | 2200 | explorer.exe                                                          | svchost.exe
  PID 2200 wrote to memory of 4508 | 2200 | explorer.exe                                                          | svchost.exe
Processes

1. C:\Users\Admin\AppData\Local\Temp\1a0b133f8d511e0a78ace8b21056f164199c9e502c6f9013f779a8c2584a2626.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\1a0b133f8d511e0a78ace8b21056f164199c9e502c6f9013f779a8c2584a2626.exe"
   PID: 4908
   - Suspicious behavior: MapViewOfSection
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\explorer.exe
      Command line: "C:\Windows\syswow64\explorer.exe"
      PID: 2200
      - Drops startup file
      - Adds Run key to start application
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\svchost.exe
         Command line: -k netsvcs
         PID: 4508