Analysis
- max time kernel: 150s
- max time network: 155s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 27-11-2022 20:36
Static task: static1
Behavioral task: behavioral1
- Sample: ed72018e13161b4380f6339e1963d676f1a5e49d2fb86cf9e726727ef4bdd0c2.exe
- Resource: win7-20220812-en
Behavioral task: behavioral2
- Sample: ed72018e13161b4380f6339e1963d676f1a5e49d2fb86cf9e726727ef4bdd0c2.exe
- Resource: win10v2004-20220812-en
General
- Target: ed72018e13161b4380f6339e1963d676f1a5e49d2fb86cf9e726727ef4bdd0c2.exe
- Size: 314KB
- MD5: 5154b54879098779ace257477c524cec
- SHA1: 1b03fd2e17ee5c8a0ecd1b8aabad80c87338174a
- SHA256: ed72018e13161b4380f6339e1963d676f1a5e49d2fb86cf9e726727ef4bdd0c2
- SHA512: 28a90ac64f0c1964d077cd2556e760c207843fe0b0f318894efe8f5f755e9d326d6156821ff54c783ce82936b5f5c2507215d86d864a3047c8789adc8c0fa8ba
- SSDEEP: 6144:SROaTaPB0LqOFV/+s08n2+SJXbXYqG7w51:S/GPmV/+snuJXbXzG
Malware Config
Signatures
- Drops desktop.ini file(s) (2 IoCs)
  description | ioc | Process
  File created | C:\Windows\assembly\Desktop.ini | ed72018e13161b4380f6339e1963d676f1a5e49d2fb86cf9e726727ef4bdd0c2.exe
  File opened for modification | C:\Windows\assembly\Desktop.ini | ed72018e13161b4380f6339e1963d676f1a5e49d2fb86cf9e726727ef4bdd0c2.exe
- Drops file in Windows directory (3 IoCs)
  description | ioc | Process
  File opened for modification | C:\Windows\assembly | ed72018e13161b4380f6339e1963d676f1a5e49d2fb86cf9e726727ef4bdd0c2.exe
  File created | C:\Windows\assembly\Desktop.ini | ed72018e13161b4380f6339e1963d676f1a5e49d2fb86cf9e726727ef4bdd0c2.exe
  File opened for modification | C:\Windows\assembly\Desktop.ini | ed72018e13161b4380f6339e1963d676f1a5e49d2fb86cf9e726727ef4bdd0c2.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  description | pid | Process
  Token: SeDebugPrivilege | 2620 | ed72018e13161b4380f6339e1963d676f1a5e49d2fb86cf9e726727ef4bdd0c2.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  description | pid | Process | procid_target
  PID 2620 wrote to memory of 4368 | 2620 | ed72018e13161b4380f6339e1963d676f1a5e49d2fb86cf9e726727ef4bdd0c2.exe | 81
  PID 2620 wrote to memory of 4368 | 2620 | ed72018e13161b4380f6339e1963d676f1a5e49d2fb86cf9e726727ef4bdd0c2.exe | 81
  PID 4368 wrote to memory of 2760 | 4368 | csc.exe | 83
  PID 4368 wrote to memory of 2760 | 4368 | csc.exe | 83
  PID 2620 wrote to memory of 1572 | 2620 | ed72018e13161b4380f6339e1963d676f1a5e49d2fb86cf9e726727ef4bdd0c2.exe | 85
  PID 2620 wrote to memory of 1572 | 2620 | ed72018e13161b4380f6339e1963d676f1a5e49d2fb86cf9e726727ef4bdd0c2.exe | 85
  PID 1572 wrote to memory of 4092 | 1572 | csc.exe | 87
  PID 1572 wrote to memory of 4092 | 1572 | csc.exe | 87
Processes
- C:\Users\Admin\AppData\Local\Temp\ed72018e13161b4380f6339e1963d676f1a5e49d2fb86cf9e726727ef4bdd0c2.exe (PID 2620)
  Command line: "C:\Users\Admin\AppData\Local\Temp\ed72018e13161b4380f6339e1963d676f1a5e49d2fb86cf9e726727ef4bdd0c2.exe"
  Signatures: Drops desktop.ini file(s); Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe (PID 4368)
    Command line: "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\h0eltmxb.cmdline"
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe (PID 2760)
      Command line: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD4DA.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCD4D9.tmp"
  - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe (PID 1572)
    Command line: "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\qxnoi9ns.cmdline"
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe (PID 4092)
      Command line: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES29EF.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC29EE.tmp"
Network
MITRE ATT&CK Matrix
Downloads