Analysis
max time kernel: 49s
max time network: 45s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 28/11/2022, 06:08
Static task: static1
Behavioral task: behavioral1
  Sample: 7556854937e56f78fec5ef3eb642edcb1cec454198acf4c012bf369f66bb71ea.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: 7556854937e56f78fec5ef3eb642edcb1cec454198acf4c012bf369f66bb71ea.exe
  Resource: win10v2004-20221111-en
General
Target: 7556854937e56f78fec5ef3eb642edcb1cec454198acf4c012bf369f66bb71ea.exe
Size: 356KB
MD5: 77c5b14bbb92ded1ffdd415e9624d208
SHA1: 0f0a4c2db9e443244db276ae811a266a0561506d
SHA256: 7556854937e56f78fec5ef3eb642edcb1cec454198acf4c012bf369f66bb71ea
SHA512: ef547cde97de9d06b31c14d6070160e53bf94f73162889a7799651d5d56dc3799c935e6129748ac7c5b7d7659e5177d22c37b5335a377edacb6ea2325eeb9715
SSDEEP: 6144:YJXPUF2odfWbeDA0kZtCiyxhrTWLSJxWqwQakUCz6:YtUFybe4YFEAxOQ1Nz
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  pid 912 | Process tmpNPYD.exe
- Suspicious behavior: CmdExeWriteProcessMemorySpam (1 IoC)
  pid 912 | Process tmpNPYD.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid 912 | Process tmpNPYD.exe
  pid 912 | Process tmpNPYD.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  description Token: SeDebugPrivilege | pid 912 | Process tmpNPYD.exe
- Suspicious use of SetWindowsHookEx (1 IoC)
  pid 912 | Process tmpNPYD.exe
- Suspicious use of WriteProcessMemory (7 IoCs)
  description | pid | Process | procid_target
  PID 2012 wrote to memory of 1500 | 2012 | 7556854937e56f78fec5ef3eb642edcb1cec454198acf4c012bf369f66bb71ea.exe | 26
  PID 2012 wrote to memory of 1500 | 2012 | 7556854937e56f78fec5ef3eb642edcb1cec454198acf4c012bf369f66bb71ea.exe | 26
  PID 2012 wrote to memory of 1500 | 2012 | 7556854937e56f78fec5ef3eb642edcb1cec454198acf4c012bf369f66bb71ea.exe | 26
  PID 1500 wrote to memory of 912 | 1500 | cmd.exe | 28
  PID 1500 wrote to memory of 912 | 1500 | cmd.exe | 28
  PID 1500 wrote to memory of 912 | 1500 | cmd.exe | 28
  PID 1500 wrote to memory of 912 | 1500 | cmd.exe | 28
Processes
C:\Users\Admin\AppData\Local\Temp\7556854937e56f78fec5ef3eb642edcb1cec454198acf4c012bf369f66bb71ea.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\7556854937e56f78fec5ef3eb642edcb1cec454198acf4c012bf369f66bb71ea.exe"
  - Suspicious use of WriteProcessMemory
  PID: 2012
  C:\Windows\system32\cmd.exe
    Command line: "cmd" /c cd %temp% & start /B tmpNPYD.exe
    - Suspicious use of WriteProcessMemory
    PID: 1500
    C:\Users\Admin\AppData\Local\Temp\tmpNPYD.exe
      Command line: tmpNPYD.exe
      - Executes dropped EXE
      - Suspicious behavior: CmdExeWriteProcessMemorySpam
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
      PID: 912
Network
MITRE ATT&CK Matrix
Downloads
Filesize: 280KB
MD5: 6da6e11cf900c0825092b8e5c4cddde4
SHA1: b5f8461b74d432fad52de4d5d346da28a7f20e01
SHA256: f46162f715956e398a2e45babecc9b0407d3a7eba21f968009033457876627bf
SHA512: 1130e21be836d1884fe4f4b543c692b4dbae8a911dd83a2e6cb79079e69e20234e682d08b488309d5dadf0e48d82709a10140f64f36a85defe0be288bc9ab672