Analysis
- max time kernel: 141s
- max time network: 156s
- platform: windows7_x64
- resource: win7-20220812-en
- resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
- submitted: 27-11-2022 12:57
Static task: static1
Behavioral task: behavioral1
- Sample: b477b591e97b9baf766bc3d7c14d0c1e51f604b07c55ab3585c5800830769f5c.exe
- Resource: win7-20220812-en
Behavioral task: behavioral2
- Sample: b477b591e97b9baf766bc3d7c14d0c1e51f604b07c55ab3585c5800830769f5c.exe
- Resource: win10v2004-20221111-en
General
- Target: b477b591e97b9baf766bc3d7c14d0c1e51f604b07c55ab3585c5800830769f5c.exe
- Size: 253KB
- MD5: 6f02982b41e04cbc36fb63774da221ae
- SHA1: 8a011b383e42e6c71800c6fac13b85c00a0e5640
- SHA256: b477b591e97b9baf766bc3d7c14d0c1e51f604b07c55ab3585c5800830769f5c
- SHA512: 4eee994bd8f28180a2ceeffe939a2f99dbb2c2e70192f7128f83bace85b6c9e78cc048f88be3afeecd2d71f4d7e4eb8ab505df02a65292d43bfcaf00b9f07b52
- SSDEEP: 6144:aLBKpsNzAOR36nd5vr5dRBa0HzM04w4Ad:aNWshD3UXz5dPzM04w4Ad
Malware Config
Signatures
-
Processes:
resource | yara_rule
behavioral1/memory/2012-64-0x0000000000400000-0x0000000001400000-memory.dmp | cryptone
behavioral1/memory/904-65-0x00000000000C0000-0x00000000000E9000-memory.dmp | cryptone
behavioral1/memory/820-72-0x0000000000080000-0x00000000000A9000-memory.dmp | cryptone
behavioral1/memory/820-73-0x0000000000080000-0x00000000000A9000-memory.dmp | cryptone
behavioral1/memory/820-71-0x0000000000080000-0x00000000000A9000-memory.dmp | cryptone
behavioral1/memory/2012-89-0x0000000000400000-0x0000000001400000-memory.dmp | cryptone
behavioral1/memory/904-92-0x00000000000C0000-0x00000000000E9000-memory.dmp | cryptone
Deletes itself 1 IoCs
Processes:
pid | process
820 | notepad.exe
Adds Run key to start application 2 TTPs 3 IoCs
Processes:
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\Adobe System Incorporated = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Adobe\\Reader_sl.exe" | svchost.exe
Key created | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run | notepad.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\Puctci = "C:\\Users\\Admin\\AppData\\Roaming\\Identities\\Puctci.exe" | notepad.exe
Enumerates connected drives 3 TTPs 24 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
description | ioc | process
File opened (read-only) | \??\F: | svchost.exe
File opened (read-only) | \??\O: | svchost.exe
File opened (read-only) | \??\Z: | svchost.exe
File opened (read-only) | \??\X: | svchost.exe
File opened (read-only) | \??\B: | svchost.exe
File opened (read-only) | \??\L: | svchost.exe
File opened (read-only) | \??\N: | svchost.exe
File opened (read-only) | \??\R: | svchost.exe
File opened (read-only) | \??\S: | svchost.exe
File opened (read-only) | \??\T: | svchost.exe
File opened (read-only) | \??\V: | svchost.exe
File opened (read-only) | \??\W: | svchost.exe
File opened (read-only) | \??\G: | svchost.exe
File opened (read-only) | \??\I: | svchost.exe
File opened (read-only) | \??\J: | svchost.exe
File opened (read-only) | \??\M: | svchost.exe
File opened (read-only) | \??\P: | svchost.exe
File opened (read-only) | \??\D: | notepad.exe
File opened (read-only) | \??\Y: | svchost.exe
File opened (read-only) | \??\E: | svchost.exe
File opened (read-only) | \??\H: | svchost.exe
File opened (read-only) | \??\K: | svchost.exe
File opened (read-only) | \??\Q: | svchost.exe
File opened (read-only) | \??\U: | svchost.exe
Suspicious use of SetThreadContext 1 IoCs
Processes:
description | pid | process | target process
PID 2012 set thread context of 1320 | 2012 | b477b591e97b9baf766bc3d7c14d0c1e51f604b07c55ab3585c5800830769f5c.exe | b477b591e97b9baf766bc3d7c14d0c1e51f604b07c55ab3585c5800830769f5c.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
pid | process
904 | svchost.exe
1320 | b477b591e97b9baf766bc3d7c14d0c1e51f604b07c55ab3585c5800830769f5c.exe
Suspicious use of AdjustPrivilegeToken 4 IoCs
Processes:
description | pid | process
Token: SeDebugPrivilege | 1320 | b477b591e97b9baf766bc3d7c14d0c1e51f604b07c55ab3585c5800830769f5c.exe
Token: SeDebugPrivilege | 904 | svchost.exe
Token: SeDebugPrivilege | 888 | calc.exe
Token: SeDebugPrivilege | 820 | notepad.exe
Suspicious use of WriteProcessMemory 32 IoCs
Processes:
description | pid | process | target process
PID 2012 wrote to memory of 904 | 2012 | b477b591e97b9baf766bc3d7c14d0c1e51f604b07c55ab3585c5800830769f5c.exe | svchost.exe
PID 2012 wrote to memory of 904 | 2012 | b477b591e97b9baf766bc3d7c14d0c1e51f604b07c55ab3585c5800830769f5c.exe | svchost.exe
PID 2012 wrote to memory of 904 | 2012 | b477b591e97b9baf766bc3d7c14d0c1e51f604b07c55ab3585c5800830769f5c.exe | svchost.exe
PID 2012 wrote to memory of 904 | 2012 | b477b591e97b9baf766bc3d7c14d0c1e51f604b07c55ab3585c5800830769f5c.exe | svchost.exe
PID 2012 wrote to memory of 888 | 2012 | b477b591e97b9baf766bc3d7c14d0c1e51f604b07c55ab3585c5800830769f5c.exe | calc.exe
PID 2012 wrote to memory of 888 | 2012 | b477b591e97b9baf766bc3d7c14d0c1e51f604b07c55ab3585c5800830769f5c.exe | calc.exe
PID 2012 wrote to memory of 888 | 2012 | b477b591e97b9baf766bc3d7c14d0c1e51f604b07c55ab3585c5800830769f5c.exe | calc.exe
PID 2012 wrote to memory of 888 | 2012 | b477b591e97b9baf766bc3d7c14d0c1e51f604b07c55ab3585c5800830769f5c.exe | calc.exe
PID 2012 wrote to memory of 888 | 2012 | b477b591e97b9baf766bc3d7c14d0c1e51f604b07c55ab3585c5800830769f5c.exe | calc.exe
PID 2012 wrote to memory of 904 | 2012 | b477b591e97b9baf766bc3d7c14d0c1e51f604b07c55ab3585c5800830769f5c.exe | svchost.exe
PID 2012 wrote to memory of 888 | 2012 | b477b591e97b9baf766bc3d7c14d0c1e51f604b07c55ab3585c5800830769f5c.exe | calc.exe
PID 904 wrote to memory of 820 | 904 | svchost.exe | notepad.exe
PID 904 wrote to memory of 820 | 904 | svchost.exe | notepad.exe
PID 904 wrote to memory of 820 | 904 | svchost.exe | notepad.exe
PID 904 wrote to memory of 820 | 904 | svchost.exe | notepad.exe
PID 904 wrote to memory of 820 | 904 | svchost.exe | notepad.exe
PID 2012 wrote to memory of 1320 | 2012 | b477b591e97b9baf766bc3d7c14d0c1e51f604b07c55ab3585c5800830769f5c.exe | b477b591e97b9baf766bc3d7c14d0c1e51f604b07c55ab3585c5800830769f5c.exe
PID 2012 wrote to memory of 1320 | 2012 | b477b591e97b9baf766bc3d7c14d0c1e51f604b07c55ab3585c5800830769f5c.exe | b477b591e97b9baf766bc3d7c14d0c1e51f604b07c55ab3585c5800830769f5c.exe
PID 2012 wrote to memory of 1320 | 2012 | b477b591e97b9baf766bc3d7c14d0c1e51f604b07c55ab3585c5800830769f5c.exe | b477b591e97b9baf766bc3d7c14d0c1e51f604b07c55ab3585c5800830769f5c.exe
PID 2012 wrote to memory of 1320 | 2012 | b477b591e97b9baf766bc3d7c14d0c1e51f604b07c55ab3585c5800830769f5c.exe | b477b591e97b9baf766bc3d7c14d0c1e51f604b07c55ab3585c5800830769f5c.exe
PID 2012 wrote to memory of 1320 | 2012 | b477b591e97b9baf766bc3d7c14d0c1e51f604b07c55ab3585c5800830769f5c.exe | b477b591e97b9baf766bc3d7c14d0c1e51f604b07c55ab3585c5800830769f5c.exe
PID 2012 wrote to memory of 1320 | 2012 | b477b591e97b9baf766bc3d7c14d0c1e51f604b07c55ab3585c5800830769f5c.exe | b477b591e97b9baf766bc3d7c14d0c1e51f604b07c55ab3585c5800830769f5c.exe
PID 2012 wrote to memory of 1320 | 2012 | b477b591e97b9baf766bc3d7c14d0c1e51f604b07c55ab3585c5800830769f5c.exe | b477b591e97b9baf766bc3d7c14d0c1e51f604b07c55ab3585c5800830769f5c.exe
PID 2012 wrote to memory of 1320 | 2012 | b477b591e97b9baf766bc3d7c14d0c1e51f604b07c55ab3585c5800830769f5c.exe | b477b591e97b9baf766bc3d7c14d0c1e51f604b07c55ab3585c5800830769f5c.exe
PID 2012 wrote to memory of 1320 | 2012 | b477b591e97b9baf766bc3d7c14d0c1e51f604b07c55ab3585c5800830769f5c.exe | b477b591e97b9baf766bc3d7c14d0c1e51f604b07c55ab3585c5800830769f5c.exe
PID 2012 wrote to memory of 1320 | 2012 | b477b591e97b9baf766bc3d7c14d0c1e51f604b07c55ab3585c5800830769f5c.exe | b477b591e97b9baf766bc3d7c14d0c1e51f604b07c55ab3585c5800830769f5c.exe
PID 1320 wrote to memory of 904 | 1320 | b477b591e97b9baf766bc3d7c14d0c1e51f604b07c55ab3585c5800830769f5c.exe | svchost.exe
PID 1320 wrote to memory of 904 | 1320 | b477b591e97b9baf766bc3d7c14d0c1e51f604b07c55ab3585c5800830769f5c.exe | svchost.exe
PID 1320 wrote to memory of 888 | 1320 | b477b591e97b9baf766bc3d7c14d0c1e51f604b07c55ab3585c5800830769f5c.exe | calc.exe
PID 1320 wrote to memory of 888 | 1320 | b477b591e97b9baf766bc3d7c14d0c1e51f604b07c55ab3585c5800830769f5c.exe | calc.exe
PID 1320 wrote to memory of 820 | 1320 | b477b591e97b9baf766bc3d7c14d0c1e51f604b07c55ab3585c5800830769f5c.exe | notepad.exe
PID 1320 wrote to memory of 820 | 1320 | b477b591e97b9baf766bc3d7c14d0c1e51f604b07c55ab3585c5800830769f5c.exe | notepad.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\b477b591e97b9baf766bc3d7c14d0c1e51f604b07c55ab3585c5800830769f5c.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\b477b591e97b9baf766bc3d7c14d0c1e51f604b07c55ab3585c5800830769f5c.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\svchost.exe (depth 2)
    Command line: "C:\Windows\SysWOW64\svchost.exe"
    - Adds Run key to start application
    - Enumerates connected drives
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\notepad.exe (depth 3)
      Command line: "C:\Windows\SysWOW64\notepad.exe"
      - Deletes itself
      - Adds Run key to start application
      - Enumerates connected drives
      - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\calc.exe (depth 2)
    Command line: "C:\Windows\SysWOW64\calc.exe"
    - Suspicious use of AdjustPrivilegeToken
  - C:\Users\Admin\AppData\Local\Temp\b477b591e97b9baf766bc3d7c14d0c1e51f604b07c55ab3585c5800830769f5c.exe (depth 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\b477b591e97b9baf766bc3d7c14d0c1e51f604b07c55ab3585c5800830769f5c.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/820-91-0x0000000000080000-0x00000000000A9000-memory.dmp (Filesize 164KB)
- memory/820-112-0x00000000002E0000-0x000000000032E000-memory.dmp (Filesize 312KB)
- memory/820-327-0x00000000002E0000-0x000000000032E000-memory.dmp (Filesize 312KB)
- memory/820-177-0x00000000002E0000-0x000000000032E000-memory.dmp (Filesize 312KB)
- memory/820-119-0x00000000002E0000-0x000000000032E000-memory.dmp (Filesize 312KB)
- memory/820-126-0x00000000002E0000-0x000000000032E000-memory.dmp (Filesize 312KB)
- memory/820-71-0x0000000000080000-0x00000000000A9000-memory.dmp (Filesize 164KB)
- memory/820-74-0x0000000000080000-0x00000000000A9000-memory.dmp (Filesize 164KB)
- memory/820-73-0x0000000000080000-0x00000000000A9000-memory.dmp (Filesize 164KB)
- memory/820-69-0x0000000000000000-mapping.dmp
- memory/820-72-0x0000000000080000-0x00000000000A9000-memory.dmp (Filesize 164KB)
- memory/888-131-0x00000000002F0000-0x000000000033E000-memory.dmp (Filesize 312KB)
- memory/888-113-0x00000000002F0000-0x000000000033E000-memory.dmp (Filesize 312KB)
- memory/888-324-0x0000000000328000-0x000000000032A000-memory.dmp (Filesize 8KB)
- memory/888-326-0x00000000002F0000-0x000000000033E000-memory.dmp (Filesize 312KB)
- memory/888-57-0x0000000000080000-0x0000000000082000-memory.dmp (Filesize 8KB)
- memory/888-61-0x0000000000000000-mapping.dmp
- memory/888-66-0x0000000000080000-0x0000000000082000-memory.dmp (Filesize 8KB)
- memory/888-125-0x00000000002F0000-0x000000000033E000-memory.dmp (Filesize 312KB)
- memory/888-107-0x00000000002F0000-0x000000000033E000-memory.dmp (Filesize 312KB)
- memory/888-120-0x00000000002F0000-0x000000000033E000-memory.dmp (Filesize 312KB)
- memory/888-102-0x00000000002F0000-0x000000000033E000-memory.dmp (Filesize 312KB)
- memory/904-127-0x0000000000200000-0x000000000024E000-memory.dmp (Filesize 312KB)
- memory/904-114-0x0000000000200000-0x000000000024E000-memory.dmp (Filesize 312KB)
- memory/904-56-0x00000000000C0000-0x00000000000E9000-memory.dmp (Filesize 164KB)
- memory/904-92-0x00000000000C0000-0x00000000000E9000-memory.dmp (Filesize 164KB)
- memory/904-121-0x0000000000200000-0x000000000024E000-memory.dmp (Filesize 312KB)
- memory/904-98-0x0000000000200000-0x000000000024E000-memory.dmp (Filesize 312KB)
- memory/904-325-0x0000000000200000-0x000000000024E000-memory.dmp (Filesize 312KB)
- memory/904-65-0x00000000000C0000-0x00000000000E9000-memory.dmp (Filesize 164KB)
- memory/904-60-0x0000000000000000-mapping.dmp
- memory/904-101-0x0000000000200000-0x000000000024E000-memory.dmp (Filesize 312KB)
- memory/904-106-0x0000000000200000-0x000000000024E000-memory.dmp (Filesize 312KB)
- memory/1320-118-0x0000000000400000-0x000000000044E000-memory.dmp (Filesize 312KB)
- memory/1320-78-0x0000000000400000-0x000000000044E000-memory.dmp (Filesize 312KB)
- memory/1320-84-0x0000000000400000-0x000000000044E000-memory.dmp (Filesize 312KB)
- memory/1320-75-0x0000000000400000-0x000000000044E000-memory.dmp (Filesize 312KB)
- memory/1320-88-0x0000000000400000-0x000000000044E000-memory.dmp (Filesize 312KB)
- memory/1320-80-0x0000000000400000-0x000000000044E000-memory.dmp (Filesize 312KB)
- memory/1320-93-0x0000000000400000-0x000000000044E000-memory.dmp (Filesize 312KB)
- memory/1320-85-0x0000000000410910-mapping.dmp
- memory/1320-82-0x0000000000400000-0x000000000044E000-memory.dmp (Filesize 312KB)
- memory/1320-90-0x0000000000400000-0x000000000044E000-memory.dmp (Filesize 312KB)
- memory/1320-76-0x0000000000400000-0x000000000044E000-memory.dmp (Filesize 312KB)
- memory/2012-64-0x0000000000400000-0x0000000001400000-memory.dmp (Filesize 16.0MB)
- memory/2012-55-0x00000000001D0000-0x00000000001E3000-memory.dmp (Filesize 76KB)
- memory/2012-89-0x0000000000400000-0x0000000001400000-memory.dmp (Filesize 16.0MB)
- memory/2012-54-0x0000000075281000-0x0000000075283000-memory.dmp (Filesize 8KB)