Analysis
  max time kernel:  164s
  max time network: 175s
  platform:         windows7_x64
  resource:         win7-20220812-en
  resource tags:    arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
  submitted:        26-11-2022 16:50
Static task: static1
Behavioral task: behavioral1
  Sample:   1aaee3caabfceecbd5c25caa4a1c3d5d7517f0b5b252d2e59367d1aadb400f61.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample:   1aaee3caabfceecbd5c25caa4a1c3d5d7517f0b5b252d2e59367d1aadb400f61.exe
  Resource: win10v2004-20221111-en
General
  Target: 1aaee3caabfceecbd5c25caa4a1c3d5d7517f0b5b252d2e59367d1aadb400f61.exe
  Size:   258KB
  MD5:    d97d7777cc2dbf94761a741f98562ce1
  SHA1:   f142ed9523eb296f616b15434a72998c22048357
  SHA256: 1aaee3caabfceecbd5c25caa4a1c3d5d7517f0b5b252d2e59367d1aadb400f61
  SHA512: 7a927eaaaf679c26981b9d7190000641a49d11395a2f57c23315a3e12fadc086fad2d67714ac19864eebc3ccbe00fb757432a16cc8e196e435c82de88da4d2eb
  SSDEEP: 3072:awtEktkLPAy4SgHkDD3F+s0lBDN3CgxgjGPOWvn2AYd1IyzSF2f:ttqapHt/J3hxgjmjsDzSof
Malware Config
Signatures
Processes:
  resource                                                                      yara_rule
  behavioral1/memory/888-58-0x0000000000400000-0x0000000000429000-memory.dmp    cryptone
  behavioral1/memory/888-60-0x0000000000400000-0x0000000000429000-memory.dmp    cryptone
  behavioral1/memory/888-63-0x0000000000400000-0x0000000000429000-memory.dmp    cryptone
  behavioral1/memory/888-61-0x0000000000400000-0x0000000000429000-memory.dmp    cryptone
  behavioral1/memory/888-64-0x0000000000400000-0x0000000000429000-memory.dmp    cryptone
  behavioral1/memory/888-82-0x0000000000400000-0x0000000000429000-memory.dmp    cryptone
  behavioral1/memory/1004-85-0x00000000000E0000-0x0000000000109000-memory.dmp   cryptone
  behavioral1/memory/1004-84-0x00000000000E0000-0x0000000000109000-memory.dmp   cryptone
  behavioral1/memory/1004-87-0x00000000000E0000-0x0000000000109000-memory.dmp   cryptone
  behavioral1/memory/2032-83-0x0000000000080000-0x00000000000A9000-memory.dmp   cryptone
  behavioral1/memory/888-101-0x0000000000400000-0x0000000000429000-memory.dmp   cryptone
  behavioral1/memory/2032-240-0x0000000000080000-0x00000000000A9000-memory.dmp  cryptone
Adds Run key to start application (2 TTPs, 2 IoCs)
Processes: svchost.exe, mspaint.exe
  description      ioc                                                                                                                                                                                                        process
  Set value (str)  \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\Adobe System Incorporated = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Adobe\\Reader_sl.exe"  svchost.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\Kdkskc = "C:\\Users\\Admin\\AppData\\Roaming\\Identities\\Kdkskc.exe"                         mspaint.exe
Enumerates connected drives (3 TTPs, 24 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Processes: svchost.exe, mspaint.exe
  description              ioc     process
  File opened (read-only)  \??\J:  svchost.exe
  File opened (read-only)  \??\L:  svchost.exe
  File opened (read-only)  \??\Q:  svchost.exe
  File opened (read-only)  \??\V:  svchost.exe
  File opened (read-only)  \??\X:  svchost.exe
  File opened (read-only)  \??\E:  svchost.exe
  File opened (read-only)  \??\F:  svchost.exe
  File opened (read-only)  \??\R:  svchost.exe
  File opened (read-only)  \??\U:  svchost.exe
  File opened (read-only)  \??\D:  mspaint.exe
  File opened (read-only)  \??\N:  svchost.exe
  File opened (read-only)  \??\P:  svchost.exe
  File opened (read-only)  \??\I:  svchost.exe
  File opened (read-only)  \??\O:  svchost.exe
  File opened (read-only)  \??\T:  svchost.exe
  File opened (read-only)  \??\W:  svchost.exe
  File opened (read-only)  \??\Y:  svchost.exe
  File opened (read-only)  \??\Z:  svchost.exe
  File opened (read-only)  \??\G:  svchost.exe
  File opened (read-only)  \??\H:  svchost.exe
  File opened (read-only)  \??\M:  svchost.exe
  File opened (read-only)  \??\S:  svchost.exe
  File opened (read-only)  \??\B:  svchost.exe
  File opened (read-only)  \??\K:  svchost.exe
Suspicious use of SetThreadContext (2 IoCs)
Processes: 1aaee3caabfceecbd5c25caa4a1c3d5d7517f0b5b252d2e59367d1aadb400f61.exe, 1aaee3caabfceecbd5c25caa4a1c3d5d7517f0b5b252d2e59367d1aadb400f61.exe
  description                          pid  process                                                                target process
  PID 904 set thread context of 888    904  1aaee3caabfceecbd5c25caa4a1c3d5d7517f0b5b252d2e59367d1aadb400f61.exe  1aaee3caabfceecbd5c25caa4a1c3d5d7517f0b5b252d2e59367d1aadb400f61.exe
  PID 888 set thread context of 1744   888  1aaee3caabfceecbd5c25caa4a1c3d5d7517f0b5b252d2e59367d1aadb400f61.exe  1aaee3caabfceecbd5c25caa4a1c3d5d7517f0b5b252d2e59367d1aadb400f61.exe
Suspicious behavior: EnumeratesProcesses (4 IoCs)
Processes: 1aaee3caabfceecbd5c25caa4a1c3d5d7517f0b5b252d2e59367d1aadb400f61.exe, svchost.exe, 1aaee3caabfceecbd5c25caa4a1c3d5d7517f0b5b252d2e59367d1aadb400f61.exe
  pid   process
  904   1aaee3caabfceecbd5c25caa4a1c3d5d7517f0b5b252d2e59367d1aadb400f61.exe
  904   1aaee3caabfceecbd5c25caa4a1c3d5d7517f0b5b252d2e59367d1aadb400f61.exe
  2032  svchost.exe
  1744  1aaee3caabfceecbd5c25caa4a1c3d5d7517f0b5b252d2e59367d1aadb400f61.exe
Suspicious behavior: RenamesItself (1 IoCs)
Processes: 1aaee3caabfceecbd5c25caa4a1c3d5d7517f0b5b252d2e59367d1aadb400f61.exe
  pid   process
  888   1aaee3caabfceecbd5c25caa4a1c3d5d7517f0b5b252d2e59367d1aadb400f61.exe
Suspicious use of AdjustPrivilegeToken (4 IoCs)
Processes: 1aaee3caabfceecbd5c25caa4a1c3d5d7517f0b5b252d2e59367d1aadb400f61.exe, svchost.exe, calc.exe, mspaint.exe
  description              pid   process
  Token: SeDebugPrivilege  1744  1aaee3caabfceecbd5c25caa4a1c3d5d7517f0b5b252d2e59367d1aadb400f61.exe
  Token: SeDebugPrivilege  2032  svchost.exe
  Token: SeDebugPrivilege  2036  calc.exe
  Token: SeDebugPrivilege  1004  mspaint.exe
Suspicious use of WriteProcessMemory (43 IoCs)
Processes: 1aaee3caabfceecbd5c25caa4a1c3d5d7517f0b5b252d2e59367d1aadb400f61.exe, 1aaee3caabfceecbd5c25caa4a1c3d5d7517f0b5b252d2e59367d1aadb400f61.exe, svchost.exe, 1aaee3caabfceecbd5c25caa4a1c3d5d7517f0b5b252d2e59367d1aadb400f61.exe
Identical rows are collapsed; the count column gives the number of IoC entries for each row (43 in total).
  description                        pid   process                                                                target process                                                         count
  PID 904 wrote to memory of 888     904   1aaee3caabfceecbd5c25caa4a1c3d5d7517f0b5b252d2e59367d1aadb400f61.exe  1aaee3caabfceecbd5c25caa4a1c3d5d7517f0b5b252d2e59367d1aadb400f61.exe  11
  PID 888 wrote to memory of 2032    888   1aaee3caabfceecbd5c25caa4a1c3d5d7517f0b5b252d2e59367d1aadb400f61.exe  svchost.exe                                                            5
  PID 888 wrote to memory of 2036    888   1aaee3caabfceecbd5c25caa4a1c3d5d7517f0b5b252d2e59367d1aadb400f61.exe  calc.exe                                                               6
  PID 2032 wrote to memory of 1004   2032  svchost.exe                                                            mspaint.exe                                                            5
  PID 888 wrote to memory of 1744    888   1aaee3caabfceecbd5c25caa4a1c3d5d7517f0b5b252d2e59367d1aadb400f61.exe  1aaee3caabfceecbd5c25caa4a1c3d5d7517f0b5b252d2e59367d1aadb400f61.exe  10
  PID 1744 wrote to memory of 2032   1744  1aaee3caabfceecbd5c25caa4a1c3d5d7517f0b5b252d2e59367d1aadb400f61.exe  svchost.exe                                                            2
  PID 1744 wrote to memory of 2036   1744  1aaee3caabfceecbd5c25caa4a1c3d5d7517f0b5b252d2e59367d1aadb400f61.exe  calc.exe                                                               2
  PID 1744 wrote to memory of 1004   1744  1aaee3caabfceecbd5c25caa4a1c3d5d7517f0b5b252d2e59367d1aadb400f61.exe  mspaint.exe                                                            2
Processes
(tree depth in brackets; each entry gives the image path, then the command line, then the signatures it triggered)

[1] C:\Users\Admin\AppData\Local\Temp\1aaee3caabfceecbd5c25caa4a1c3d5d7517f0b5b252d2e59367d1aadb400f61.exe
    "C:\Users\Admin\AppData\Local\Temp\1aaee3caabfceecbd5c25caa4a1c3d5d7517f0b5b252d2e59367d1aadb400f61.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory

    [2] C:\Users\Admin\AppData\Local\Temp\1aaee3caabfceecbd5c25caa4a1c3d5d7517f0b5b252d2e59367d1aadb400f61.exe
        "C:\Users\Admin\AppData\Local\Temp\1aaee3caabfceecbd5c25caa4a1c3d5d7517f0b5b252d2e59367d1aadb400f61.exe"
        - Suspicious use of SetThreadContext
        - Suspicious behavior: RenamesItself
        - Suspicious use of WriteProcessMemory

        [3] C:\Windows\SysWOW64\svchost.exe
            "C:\Windows\SysWOW64\svchost.exe"
            - Adds Run key to start application
            - Enumerates connected drives
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of WriteProcessMemory

            [4] C:\Windows\SysWOW64\mspaint.exe
                "C:\Windows\SysWOW64\mspaint.exe"
                - Adds Run key to start application
                - Enumerates connected drives
                - Suspicious use of AdjustPrivilegeToken

        [3] C:\Windows\SysWOW64\calc.exe
            "C:\Windows\SysWOW64\calc.exe"
            - Suspicious use of AdjustPrivilegeToken

        [3] C:\Users\Admin\AppData\Local\Temp\1aaee3caabfceecbd5c25caa4a1c3d5d7517f0b5b252d2e59367d1aadb400f61.exe
            "C:\Users\Admin\AppData\Local\Temp\1aaee3caabfceecbd5c25caa4a1c3d5d7517f0b5b252d2e59367d1aadb400f61.exe"
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of WriteProcessMemory
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
  file                                                              filesize
  memory/888-82-0x0000000000400000-0x0000000000429000-memory.dmp    164KB
  memory/888-55-0x0000000000400000-0x0000000000429000-memory.dmp    164KB
  memory/888-56-0x0000000000400000-0x0000000000429000-memory.dmp    164KB
  memory/888-58-0x0000000000400000-0x0000000000429000-memory.dmp    164KB
  memory/888-60-0x0000000000400000-0x0000000000429000-memory.dmp    164KB
  memory/888-63-0x0000000000400000-0x0000000000429000-memory.dmp    164KB
  memory/888-61-0x0000000000400000-0x0000000000429000-memory.dmp    164KB
  memory/888-64-0x0000000000400000-0x0000000000429000-memory.dmp    164KB
  memory/888-65-0x0000000000404BF0-mapping.dmp
  memory/888-101-0x0000000000400000-0x0000000000429000-memory.dmp   164KB
  memory/904-66-0x00000000003D0000-0x00000000003EA000-memory.dmp    104KB
  memory/904-54-0x0000000075021000-0x0000000075023000-memory.dmp    8KB
  memory/1004-85-0x00000000000E0000-0x0000000000109000-memory.dmp   164KB
  memory/1004-340-0x0000000000240000-0x000000000028E000-memory.dmp  312KB
  memory/1004-81-0x0000000000401000-0x0000000000403000-memory.dmp   8KB
  memory/1004-137-0x0000000000240000-0x000000000028E000-memory.dmp  312KB
  memory/1004-105-0x00000000000E0000-0x0000000000109000-memory.dmp  164KB
  memory/1004-84-0x00000000000E0000-0x0000000000109000-memory.dmp   164KB
  memory/1004-87-0x00000000000E0000-0x0000000000109000-memory.dmp   164KB
  memory/1004-122-0x0000000000240000-0x000000000028E000-memory.dmp  312KB
  memory/1004-88-0x00000000000E0000-0x0000000000109000-memory.dmp   164KB
  memory/1004-79-0x0000000000000000-mapping.dmp
  memory/1744-89-0x0000000000400000-0x000000000044E000-memory.dmp   312KB
  memory/1744-126-0x0000000000400000-0x000000000044E000-memory.dmp  312KB
  memory/1744-92-0x0000000000400000-0x000000000044E000-memory.dmp   312KB
  memory/1744-94-0x0000000000400000-0x000000000044E000-memory.dmp   312KB
  memory/1744-96-0x0000000000400000-0x000000000044E000-memory.dmp   312KB
  memory/1744-98-0x0000000000400000-0x000000000044E000-memory.dmp   312KB
  memory/1744-99-0x0000000000410910-mapping.dmp
  memory/1744-90-0x0000000000400000-0x000000000044E000-memory.dmp   312KB
  memory/1744-103-0x0000000000400000-0x000000000044E000-memory.dmp  312KB
  memory/1744-104-0x0000000000400000-0x000000000044E000-memory.dmp  312KB
  memory/2032-119-0x0000000000210000-0x000000000025E000-memory.dmp  312KB
  memory/2032-127-0x0000000000210000-0x000000000025E000-memory.dmp  312KB
  memory/2032-113-0x0000000000210000-0x000000000025E000-memory.dmp  312KB
  memory/2032-71-0x0000000000000000-mapping.dmp
  memory/2032-83-0x0000000000080000-0x00000000000A9000-memory.dmp   164KB
  memory/2032-338-0x0000000000210000-0x000000000025E000-memory.dmp  312KB
  memory/2032-240-0x0000000000080000-0x00000000000A9000-memory.dmp  164KB
  memory/2032-110-0x0000000000210000-0x000000000025E000-memory.dmp  312KB
  memory/2036-128-0x00000000006A0000-0x00000000006EE000-memory.dmp  312KB
  memory/2036-133-0x00000000006A0000-0x00000000006EE000-memory.dmp  312KB
  memory/2036-75-0x0000000000000000-mapping.dmp
  memory/2036-72-0x0000000000080000-0x0000000000082000-memory.dmp   8KB
  memory/2036-121-0x00000000006A0000-0x00000000006EE000-memory.dmp  312KB
  memory/2036-86-0x0000000000080000-0x0000000000082000-memory.dmp   8KB
  memory/2036-339-0x00000000006A0000-0x00000000006EE000-memory.dmp  312KB
  memory/2036-115-0x00000000006A0000-0x00000000006EE000-memory.dmp  312KB