Analysis
- max time kernel: 139s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 27-11-2022 05:24
Behavioral task: behavioral1
- Sample: e3e12e949bbc664e04fd95243e44dc8eebad49760917716338f2eedde7a5c389.exe
- Resource: win7-20221111-en
Behavioral task: behavioral2
- Sample: e3e12e949bbc664e04fd95243e44dc8eebad49760917716338f2eedde7a5c389.exe
- Resource: win10v2004-20220812-en
General
- Target: e3e12e949bbc664e04fd95243e44dc8eebad49760917716338f2eedde7a5c389.exe
- Size: 2.6MB
- MD5: 9169593c5a894e215ca9560c099b9ec3
- SHA1: f9c8df38a3c5e87a8820f23fb1f188338fd048c0
- SHA256: e3e12e949bbc664e04fd95243e44dc8eebad49760917716338f2eedde7a5c389
- SHA512: d77817e0bbfe46fc14aa2164d6117bfcb2115079730bd4ea84f021f7e54f9704a3689ff55a45f9286bdaaf1fc330dc38cd15e1a8ac93c7522f316ee21626b85a
- SSDEEP: 49152:mA0oig7F88SbNUrsT3wshHYU/YGF5xSBFgPT867pe+HUpuJTvDD:9iUSRUwlhHh/YGF5xI6n7pe+Ppf
Malware Config
Signatures
-
Processes:
resource | yara_rule
behavioral2/memory/2476-132-0x0000000000400000-0x0000000000ABC000-memory.dmp | vmprotect
behavioral2/memory/2476-133-0x0000000000400000-0x0000000000ABC000-memory.dmp | vmprotect
behavioral2/memory/2476-136-0x0000000000400000-0x0000000000ABC000-memory.dmp | vmprotect
-
Loads dropped DLL 1 IoCs
Processes: e3e12e949bbc664e04fd95243e44dc8eebad49760917716338f2eedde7a5c389.exe
pid | process
2476 | e3e12e949bbc664e04fd95243e44dc8eebad49760917716338f2eedde7a5c389.exe
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes: e3e12e949bbc664e04fd95243e44dc8eebad49760917716338f2eedde7a5c389.exe
pid | process
2476 | e3e12e949bbc664e04fd95243e44dc8eebad49760917716338f2eedde7a5c389.exe
2476 | e3e12e949bbc664e04fd95243e44dc8eebad49760917716338f2eedde7a5c389.exe
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes: e3e12e949bbc664e04fd95243e44dc8eebad49760917716338f2eedde7a5c389.exe
description | pid | process
Token: SeDebugPrivilege | 2476 | e3e12e949bbc664e04fd95243e44dc8eebad49760917716338f2eedde7a5c389.exe
-
Suspicious use of SetWindowsHookEx 3 IoCs
Processes: e3e12e949bbc664e04fd95243e44dc8eebad49760917716338f2eedde7a5c389.exe
pid | process
2476 | e3e12e949bbc664e04fd95243e44dc8eebad49760917716338f2eedde7a5c389.exe
2476 | e3e12e949bbc664e04fd95243e44dc8eebad49760917716338f2eedde7a5c389.exe
2476 | e3e12e949bbc664e04fd95243e44dc8eebad49760917716338f2eedde7a5c389.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\e3e12e949bbc664e04fd95243e44dc8eebad49760917716338f2eedde7a5c389.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\e3e12e949bbc664e04fd95243e44dc8eebad49760917716338f2eedde7a5c389.exe"
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix
Downloads
-
C:\Users\Admin\AppData\Local\Temp\Hook.dll
Filesize: 4KB
MD5: 4659f476b80e067bceeaa8e821c3fab8
SHA1: 30b0e2d113912b183105ebf0e75f678d9c1130f0
SHA256: 332b120cffd66dd15be2efbd7fe53a741056a50ade12b70c4f9513af85adc5c1
SHA512: a8bdbecb4b4c81af597c23a6231b6cea71a9ac7ec9e16c464fabc210638eaff065fc876ec3aa5e8bea6773d075745d638355c0ef6269bfd2eaaf4a15f5d30ec6
-
memory/2476-132-0x0000000000400000-0x0000000000ABC000-memory.dmp
Filesize: 6.7MB
-
memory/2476-133-0x0000000000400000-0x0000000000ABC000-memory.dmp
Filesize: 6.7MB
-
memory/2476-136-0x0000000000400000-0x0000000000ABC000-memory.dmp
Filesize: 6.7MB
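The following script is an added example for re-checking this report's artifacts on a suspect host; it is not part of the sandbox report or of the sandbox's own tooling. It hashes a file with the same four algorithms the report lists (MD5, SHA-1, SHA-256, SHA-512) and compares the digests against the sample and Hook.dll values copied from the report above, and it parses the report's `<pid>-<index>-0x<start>-0x<end>-memory.dmp` dump names to recover the pid and the size of the dumped region (0xABC000 - 0x400000 comes out at 6.7MB, matching the Filesize column). The stand-in input bytes are constructed and will not match any IoC; SSDEEP is left out because it is not in the standard library.

```python
"""Re-check sandbox-report IoCs and dump names (added example, not report code)."""
import hashlib
import re
from dataclasses import dataclass

# Hashes copied from the report: submitted sample and dropped Hook.dll.
REPORT_IOCS = {
    "md5": {
        "9169593c5a894e215ca9560c099b9ec3",  # sample
        "4659f476b80e067bceeaa8e821c3fab8",  # Hook.dll
    },
    "sha1": {
        "f9c8df38a3c5e87a8820f23fb1f188338fd048c0",
        "30b0e2d113912b183105ebf0e75f678d9c1130f0",
    },
    "sha256": {
        "e3e12e949bbc664e04fd95243e44dc8eebad49760917716338f2eedde7a5c389",
        "332b120cffd66dd15be2efbd7fe53a741056a50ade12b70c4f9513af85adc5c1",
    },
}

HASH_ALGOS = ("md5", "sha1", "sha256", "sha512")


def hash_bytes(data: bytes) -> dict[str, str]:
    """Hex digests of `data` with every algorithm the report lists."""
    return {name: hashlib.new(name, data).hexdigest() for name in HASH_ALGOS}


def hash_file(path: str, chunk: int = 1 << 20) -> dict[str, str]:
    """Same as hash_bytes, but streams the file so multi-MB samples fit in memory."""
    hashers = {name: hashlib.new(name) for name in HASH_ALGOS}
    with open(path, "rb") as fh:
        while block := fh.read(chunk):
            for h in hashers.values():
                h.update(block)
    return {name: h.hexdigest() for name, h in hashers.items()}


def match_iocs(digests: dict[str, str]) -> set[str]:
    """Algorithms under which `digests` hits a report IoC.
    Agreement across several algorithms identifies the reported file;
    an MD5-only hit is weak evidence because MD5 collisions are cheap."""
    return {algo for algo, value in digests.items()
            if value in REPORT_IOCS.get(algo, set())}


# Tail of a sandbox dump name; any path prefix (behavioral2/, memory/) is ignored.
DUMP_NAME = re.compile(
    r"(?P<pid>\d+)-(?P<index>\d+)-0x(?P<start>[0-9a-fA-F]+)"
    r"-0x(?P<end>[0-9a-fA-F]+)-memory\.dmp$"
)


@dataclass(frozen=True)
class DumpRegion:
    pid: int
    index: int
    start: int  # region base, 0x400000 here (the usual 32-bit PE image base)
    end: int

    @property
    def size(self) -> int:
        return self.end - self.start

    @property
    def size_mb(self) -> str:
        # Same one-decimal MiB rounding as the report's Filesize column.
        return f"{self.size / (1024 * 1024):.1f}MB"


def parse_dump_name(name: str) -> DumpRegion:
    """Parse 'memory/2476-132-0x...400000-0x...ABC000-memory.dmp' style names."""
    m = DUMP_NAME.search(name)
    if m is None:
        raise ValueError(f"not a sandbox dump name: {name!r}")
    return DumpRegion(pid=int(m["pid"]), index=int(m["index"]),
                      start=int(m["start"], 16), end=int(m["end"], 16))


if __name__ == "__main__":
    # Constructed input: a stand-in for a file collected from a suspect host.
    sample = b"constructed stand-in bytes, not the real sample"
    print("IoC hits:", match_iocs(hash_bytes(sample)) or "none")
    for dump in (
        "behavioral2/memory/2476-132-0x0000000000400000-0x0000000000ABC000-memory.dmp",
        "memory/2476-136-0x0000000000400000-0x0000000000ABC000-memory.dmp",
    ):
        r = parse_dump_name(dump)
        print(f"pid={r.pid} dump#{r.index} {r.start:#x}-{r.end:#x} size={r.size_mb}")
```

Note the size relationship the parser surfaces: the dumped region is 6.7MB while the file on disk is 2.6MB, which is consistent with the vmprotect rule firing on the unpacked in-memory image. The file hashes above therefore only identify the packed executable and Hook.dll on disk; a dump of process 2476 will not hash to any of them.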