Analysis
max time kernel: 223s
max time network: 248s
platform: windows10-2004_x64
resource: win10v2004-20221111-en
resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
submitted: 28-11-2022 05:45
Static task: static1
Behavioral task: behavioral1
  Sample: c4db759ef1dc9d4d8ca8e776fa7d2e4bdc91e7d8d91a2466121c7b72c45e1357.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: c4db759ef1dc9d4d8ca8e776fa7d2e4bdc91e7d8d91a2466121c7b72c45e1357.exe
  Resource: win10v2004-20221111-en
General
Target: c4db759ef1dc9d4d8ca8e776fa7d2e4bdc91e7d8d91a2466121c7b72c45e1357.exe
Size: 201KB
MD5: 3d3ad4451fe3dbbf4b65019c45350ebe
SHA1: b9ce92343985301e9fb9c9bbba3d7882d4d8c206
SHA256: c4db759ef1dc9d4d8ca8e776fa7d2e4bdc91e7d8d91a2466121c7b72c45e1357
SHA512: c45a874c766ceb415106cc2d6a4f0325e62d1f5d34d4b6320a3d2ea4040c5a786fa6b83c674aa2242a7e119b8c114521009f7b8db40180f2b65baf2620780af1
SSDEEP: 6144:K6RUQzD5g9q7hiQc6vxLX3vxq3w+XEUZAVIr9:KVQz1vNiQJ9X3v431EBVe
Malware Config
Signatures
Drops startup file (1 IoC)
Processes:
process       description   ioc
explorer.exe  File created  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\11de6622.exe
Adds Run key to start application (2 TTPs, 4 IoCs)
Processes:
process       description      ioc
explorer.exe  Set value (str)  \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\11de662 = "C:\\11de6622\\11de6622.exe"
explorer.exe  Set value (str)  \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\*1de662 = "C:\\11de6622\\11de6622.exe"
explorer.exe  Set value (str)  \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\11de6622 = "C:\\Users\\Admin\\AppData\\Roaming\\11de6622.exe"
explorer.exe  Set value (str)  \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\*1de6622 = "C:\\Users\\Admin\\AppData\\Roaming\\11de6622.exe"
All four values are written under the user's own hive (HKU\<SID>, i.e. HKCU), which needs no elevation, and they point at two copies of the payload: C:\11de6622\11de6622.exe and C:\Users\Admin\AppData\Roaming\11de6622.exe. The two RunOnce value names carry a leading asterisk; Windows normally skips RunOnce entries when booted into Safe Mode, and the "*" prefix makes it run the entry anyway. Together with the Startup-folder copy above, that gives the sample three independent per-user autostart paths to check for when cleaning a host.
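As an added example (not part of the report and not the sample's own code), the script below parses the report's Startup-folder drop and its four "Set value (str)" lines into a short persistence summary: distinct payload paths, which entries survive Safe Mode because of the "*" prefix, and whether a Startup-folder copy exists. The input lines are constructed from the entries above; the regular expression assumes Triage's "<key path>\<value name> = "<data>"" layout with doubled backslashes in the data.

```python
"""Classify the autostart IoCs from a Triage-style report.

Added example; not part of the original report or the sample. The input lines
below are constructed from the report's "File created" and "Set value (str)"
entries so the script runs offline.
"""
import re
from typing import NamedTuple

# Constructed from the report: one Startup-folder drop and four registry writes.
SAMPLE_FILE_DROP = r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\11de6622.exe"
SAMPLE_REG_IOCS = [
    r'\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\11de662 = "C:\\11de6622\\11de6622.exe"',
    r'\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\*1de662 = "C:\\11de6622\\11de6622.exe"',
    r'\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\11de6622 = "C:\\Users\\Admin\\AppData\\Roaming\\11de6622.exe"',
    r'\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\*1de6622 = "C:\\Users\\Admin\\AppData\\Roaming\\11de6622.exe"',
]

# Assumed layout (matches the report): HKU\<SID> Run/RunOnce writes printed as
# "<key path>\<value name> = "<data>"" with backslashes in the data doubled.
REG_IOC_RE = re.compile(
    r'^\\REGISTRY\\USER\\(?P<sid>S-1-5-21-[\d-]+)'
    r'\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\(?P<key>Run|RunOnce)'
    r'\\(?P<name>\S+) = "(?P<data>[^"]*)"$'
)

# Per-user and all-users Startup folders both end in this path fragment.
STARTUP_FOLDER_MARK = "\\start menu\\programs\\startup\\"


class AutorunEntry(NamedTuple):
    key: str             # "Run" or "RunOnce"
    name: str            # value name exactly as written (may carry a '*' prefix)
    path: str            # command data with the doubled backslashes undone
    safe_mode: bool      # RunOnce entries normally skip Safe Mode; '*' overrides that
    user_writable: bool  # payload lives under a user profile, no admin rights needed


def parse_reg_ioc(line: str) -> AutorunEntry:
    """Parse one 'Set value (str)' IoC line into an AutorunEntry."""
    m = REG_IOC_RE.match(line)
    if m is None:
        raise ValueError(f"not a Run/RunOnce IoC line: {line!r}")
    name = m.group("name")
    path = m.group("data").replace("\\\\", "\\")
    return AutorunEntry(
        key=m.group("key"),
        name=name,
        path=path,
        safe_mode=(m.group("key") == "RunOnce" and name.startswith("*")),
        user_writable=path.lower().startswith("c:\\users\\"),
    )


def is_startup_folder_drop(path: str) -> bool:
    """True when a created file lands in a Startup folder (per-user or all-users)."""
    return STARTUP_FOLDER_MARK in path.lower()


def summarize(reg_lines, file_drops):
    """Collapse the IoCs into what an analyst wants on a host: distinct payload
    paths, the autostart values to delete, how many survive Safe Mode, and any
    Startup-folder copies. Order of first appearance is preserved."""
    entries = [parse_reg_ioc(line) for line in reg_lines]
    return {
        "payloads": list(dict.fromkeys(e.path for e in entries)),
        "run_values": list(dict.fromkeys(f"{e.key}\\{e.name}" for e in entries)),
        "safe_mode_entries": sum(e.safe_mode for e in entries),
        "startup_drops": [p for p in file_drops if is_startup_folder_drop(p)],
    }


if __name__ == "__main__":
    from pprint import pprint
    pprint(summarize(SAMPLE_REG_IOCS, [SAMPLE_FILE_DROP]))
```

The same parser works on any Triage report that lists HKU Run/RunOnce writes; on a live host the equivalent check is reading those two keys plus the Startup folder for the affected SID and comparing against the payload list the summary returns.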
Looks up external IP address via web service (2 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow  ioc
52    myexternalip.com
42    ip-addr.es
Suspicious use of SetThreadContext (1 IoC)
Processes:
description                          source pid  source process                                                          target pid  target process
PID 4324 set thread context of 3912  4324        c4db759ef1dc9d4d8ca8e776fa7d2e4bdc91e7d8d91a2466121c7b72c45e1357.exe  3912        c4db759ef1dc9d4d8ca8e776fa7d2e4bdc91e7d8d91a2466121c7b72c45e1357.exe
The target is a second instance of the sample's own image that PID 4324 had already written into (see the WriteProcessMemory entries); writing a new image into a child of the same executable and then resetting its thread context is the sequence that process hollowing produces. The report does not show a suspended CreateProcess or an unmap of the original image, so treat this as consistent with hollowing rather than proof of it.
Suspicious behavior: MapViewOfSection (2 IoCs)
Processes:
pid   process
3912  c4db759ef1dc9d4d8ca8e776fa7d2e4bdc91e7d8d91a2466121c7b72c45e1357.exe
2976  explorer.exe
Suspicious use of WriteProcessMemory (16 IoCs)
Processes:
source pid  source process                                                          target pid  target process                                                          writes
4324        c4db759ef1dc9d4d8ca8e776fa7d2e4bdc91e7d8d91a2466121c7b72c45e1357.exe  3912        c4db759ef1dc9d4d8ca8e776fa7d2e4bdc91e7d8d91a2466121c7b72c45e1357.exe  10
3912        c4db759ef1dc9d4d8ca8e776fa7d2e4bdc91e7d8d91a2466121c7b72c45e1357.exe  2976        explorer.exe                                                            3
2976        explorer.exe                                                            3956        svchost.exe                                                             3
Each row collapses the identical "PID X wrote to memory of Y" entries the report lists one per write; the three rows chain into one path: sample (4324) -> hollowed copy of the sample (3912) -> explorer.exe (2976) -> svchost.exe (3956).
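As an added example (not part of the report and not the sample's own code), the script below rebuilds the injection chain from the SetThreadContext and WriteProcessMemory signatures above and flags the hollowing pair. The event list is constructed to mirror the report's PIDs, images and counts (10 + 3 + 3 writes, one SetThreadContext); the Event shape and the list of Windows host processes it watches for are assumptions of the example, not Triage's data model.

```python
"""Reconstruct the injection chain from Triage-style process-memory IoCs.

Added example; not part of the original report or the sample. EVENTS is
constructed from the report's SetThreadContext and WriteProcessMemory
entries so the script runs offline.
"""
from collections import Counter
from typing import NamedTuple

SAMPLE = "c4db759ef1dc9d4d8ca8e776fa7d2e4bdc91e7d8d91a2466121c7b72c45e1357.exe"


class Event(NamedTuple):
    api: str          # "WriteProcessMemory" or "SetThreadContext"
    src_pid: int
    src_image: str
    dst_pid: int
    dst_image: str


def _writes(n, src_pid, src_image, dst_pid, dst_image):
    """n identical cross-process writes, the way the report lists them."""
    return [Event("WriteProcessMemory", src_pid, src_image, dst_pid, dst_image)] * n


# Constructed to mirror the report: 10 writes + 1 SetThreadContext into the
# second sample instance, 3 writes into explorer.exe, 3 writes into svchost.exe.
EVENTS = (
    _writes(10, 4324, SAMPLE, 3912, SAMPLE)
    + [Event("SetThreadContext", 4324, SAMPLE, 3912, SAMPLE)]
    + _writes(3, 3912, SAMPLE, 2976, "explorer.exe")
    + _writes(3, 2976, "explorer.exe", 3956, "svchost.exe")
)

# Assumed watch-list of Windows processes malware commonly injects into.
SYSTEM_HOSTS = {"explorer.exe", "svchost.exe"}


def write_counts(events):
    """(src_pid, dst_pid) -> number of cross-process writes, as in the report table."""
    return Counter((e.src_pid, e.dst_pid) for e in events if e.api == "WriteProcessMemory")


def find_hollowing(events):
    """Pairs where a process wrote into another instance of its own image and
    then redirected that instance's thread: the WriteProcessMemory +
    SetThreadContext combination that process hollowing produces."""
    wrote = {(e.src_pid, e.dst_pid) for e in events if e.api == "WriteProcessMemory"}
    return [
        (e.src_pid, e.dst_pid)
        for e in events
        if e.api == "SetThreadContext"
        and e.src_image == e.dst_image
        and (e.src_pid, e.dst_pid) in wrote
    ]


def injection_path(events, start_pid):
    """Follow cross-process writes from start_pid and return the (pid, image)
    chain in first-seen order; stops at a leaf or when a PID repeats."""
    edges, images = {}, {}
    for e in events:
        images[e.src_pid] = e.src_image
        images[e.dst_pid] = e.dst_image
        if e.api == "WriteProcessMemory":
            targets = edges.setdefault(e.src_pid, [])
            if e.dst_pid not in targets:
                targets.append(e.dst_pid)
    path, seen, pid = [], set(), start_pid
    while pid is not None and pid not in seen:
        seen.add(pid)
        path.append((pid, images.get(pid, "?")))
        targets = edges.get(pid, [])
        pid = targets[0] if targets else None
    return path


def injected_system_processes(events):
    """Watched Windows processes that received writes from a different image."""
    return sorted({
        e.dst_image for e in events
        if e.api == "WriteProcessMemory"
        and e.dst_image in SYSTEM_HOSTS
        and e.dst_image != e.src_image
    })


if __name__ == "__main__":
    print("hollowing pairs:", find_hollowing(EVENTS))
    print("chain:", " -> ".join(f"{pid}:{img}" for pid, img in injection_path(EVENTS, 4324)))
    print("system hosts injected:", injected_system_processes(EVENTS))
```

Because the chain ends in svchost.exe, the process that later contacts myexternalip.com and ip-addr.es need not be the sample at all; when hunting on a host, key the network indicators to the injected host process rather than to the original image name.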
Processes
1. C:\Users\Admin\AppData\Local\Temp\c4db759ef1dc9d4d8ca8e776fa7d2e4bdc91e7d8d91a2466121c7b72c45e1357.exe (PID 4324 per the signatures above)
   command line: "C:\Users\Admin\AppData\Local\Temp\c4db759ef1dc9d4d8ca8e776fa7d2e4bdc91e7d8d91a2466121c7b72c45e1357.exe"
   - Suspicious use of SetThreadContext
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\c4db759ef1dc9d4d8ca8e776fa7d2e4bdc91e7d8d91a2466121c7b72c45e1357.exe (child of 1; PID 3912)
      command line: "C:\Users\Admin\AppData\Local\Temp\c4db759ef1dc9d4d8ca8e776fa7d2e4bdc91e7d8d91a2466121c7b72c45e1357.exe"
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\explorer.exe (child of 2; PID 2976)
         command line: "C:\Windows\syswow64\explorer.exe"
         - Drops startup file
         - Adds Run key to start application
         - Suspicious behavior: MapViewOfSection
         - Suspicious use of WriteProcessMemory
         4. C:\Windows\SysWOW64\svchost.exe (child of 3; PID 3956)
            command line: -k netsvcs
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
dump                                                              pid   region                 size
memory/2976-135-0x0000000000000000-mapping.dmp                    2976  (mapping)              -
memory/2976-137-0x0000000000C10000-0x0000000000C35000-memory.dmp  2976  0x00C10000-0x00C35000  148KB
memory/3912-133-0x0000000000000000-mapping.dmp                    3912  (mapping)              -
memory/3912-136-0x0000000000400000-0x0000000000425000-memory.dmp  3912  0x00400000-0x00425000  148KB
memory/3956-138-0x0000000000000000-mapping.dmp                    3956  (mapping)              -
memory/3956-139-0x00000000012F0000-0x0000000001315000-memory.dmp  3956  0x012F0000-0x01315000  148KB
memory/4324-132-0x0000000075100000-0x00000000756B1000-memory.dmp  4324  0x75100000-0x756B1000  5.7MB
memory/4324-134-0x0000000075100000-0x00000000756B1000-memory.dmp  4324  0x75100000-0x756B1000  5.7MB
The three 148KB regions in PIDs 3912, 2976 and 3956 are each exactly 0x25000 bytes, and the one in PID 3912 sits at 0x00400000, the default image base of a 32-bit executable. Identical sizes across the hollowed child, explorer.exe and svchost.exe are consistent with one payload image being written into each process in turn, so those three dumps, rather than the two 5.7MB regions from PID 4324, are the ones to unpack first.