Analysis
max time kernel: 150s
max time network: 188s
platform: windows10-2004_x64
resource: win10v2004-20221111-en
resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
submitted: 28/11/2022, 06:08
Static task: static1
Behavioral task: behavioral1
  Sample: 7556854937e56f78fec5ef3eb642edcb1cec454198acf4c012bf369f66bb71ea.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: 7556854937e56f78fec5ef3eb642edcb1cec454198acf4c012bf369f66bb71ea.exe
  Resource: win10v2004-20221111-en
General
Target: 7556854937e56f78fec5ef3eb642edcb1cec454198acf4c012bf369f66bb71ea.exe
Size: 356KB
MD5: 77c5b14bbb92ded1ffdd415e9624d208
SHA1: 0f0a4c2db9e443244db276ae811a266a0561506d
SHA256: 7556854937e56f78fec5ef3eb642edcb1cec454198acf4c012bf369f66bb71ea
SHA512: ef547cde97de9d06b31c14d6070160e53bf94f73162889a7799651d5d56dc3799c935e6129748ac7c5b7d7659e5177d22c37b5335a377edacb6ea2325eeb9715
SSDEEP: 6144:YJXPUF2odfWbeDA0kZtCiyxhrTWLSJxWqwQakUCz6:YtUFybe4YFEAxOQ1Nz
Malware Config
Signatures

Executes dropped EXE (1 IoC)
  pid   Process
  2616  tmp56XK.exe

Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid   Process
  2616  tmp56XK.exe
  2616  tmp56XK.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
  description               pid   Process
  Token: SeDebugPrivilege   2616  tmp56XK.exe

Suspicious use of SetWindowsHookEx (1 IoC)
  pid   Process
  2616  tmp56XK.exe

Suspicious use of WriteProcessMemory (5 IoCs)
  description                        pid   Process                                                                   procid_target
  PID 4292 wrote to memory of 540    4292  7556854937e56f78fec5ef3eb642edcb1cec454198acf4c012bf369f66bb71ea.exe  87
  PID 4292 wrote to memory of 540    4292  7556854937e56f78fec5ef3eb642edcb1cec454198acf4c012bf369f66bb71ea.exe  87
  PID 540 wrote to memory of 2616    540   cmd.exe                                                                   89
  PID 540 wrote to memory of 2616    540   cmd.exe                                                                   89
  PID 540 wrote to memory of 2616    540   cmd.exe                                                                   89

Every write listed here goes from a process to the child it had just spawned (4292 -> 540, 540 -> 2616), matching the process tree below; that is the memory write seen on ordinary process start-up, not injection into an unrelated process. The behaviour attributed to tmp56XK.exe itself (SeDebugPrivilege, process enumeration, SetWindowsHookEx) is what merits follow-up.
Processes
C:\Users\Admin\AppData\Local\Temp\7556854937e56f78fec5ef3eb642edcb1cec454198acf4c012bf369f66bb71ea.exe  (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\7556854937e56f78fec5ef3eb642edcb1cec454198acf4c012bf369f66bb71ea.exe"
  PID: 4292
  - Suspicious use of WriteProcessMemory
  C:\Windows\SYSTEM32\cmd.exe  (depth 2)
    Command line: "cmd" /c cd %temp% & start /B tmp56XK.exe
    PID: 540
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\tmp56XK.exe  (depth 3)
      Command line: tmp56XK.exe
      PID: 2616
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
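One way to turn the process chain above into a detection, as an added example that is not part of this sandbox report: the script below scans process-creation records in a Sysmon Event ID 1 style (the ProcEvent dataclass layout is assumed for the example, not a Triage or Sysmon schema) for a binary running from the user's Temp directory that spawns cmd.exe with the `cd %temp% & start /B <name>.exe` launcher idiom, which in turn starts `<name>.exe` from Temp. The positive case reuses the PIDs and paths from this report; the remaining records are constructed noise.

```python
"""Detect the drop-and-launch chain from this report in process-creation logs.

Added example (not part of the sandbox report). It walks Sysmon Event ID 1-style
records and reports every chain of the shape seen above:

    <exe running from %TEMP%>
      -> cmd.exe  "/c cd %temp% & start /B <name>.exe"
         -> <name>.exe running from %TEMP%

The records and the ProcEvent layout are constructed for this example; the PIDs
and paths of the positive case are taken from the report.
"""
import re
from dataclasses import dataclass
from typing import Dict, List

# Path fragment of the per-user temp directory, matched case-insensitively.
TEMP_DIR_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)

# The launcher idiom from the report: change into %temp%, then start an
# executable in the background without waiting for it. Group 1 is the file name.
CMD_START_RE = re.compile(r"/c\s+cd\s+%temp%\s*&\s*start\s+/b\s+(\S+)", re.IGNORECASE)


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str      # full path of the started executable
    cmdline: str    # command line as logged


@dataclass(frozen=True)
class Finding:
    dropper_pid: int
    cmd_pid: int
    payload_pid: int
    payload_image: str


def find_temp_drop_chains(events: List[ProcEvent]) -> List[Finding]:
    """Return one Finding per dropper -> cmd.exe -> payload chain."""
    by_pid: Dict[int, ProcEvent] = {e.pid: e for e in events}
    findings: List[Finding] = []
    for cmd in events:
        if not cmd.image.lower().endswith("\\cmd.exe"):
            continue
        m = CMD_START_RE.search(cmd.cmdline)
        if m is None:
            continue
        launched = m.group(1).strip('"').lower()
        parent = by_pid.get(cmd.ppid)
        # The dropper itself must be running out of %TEMP%, as in the report.
        if parent is None or not TEMP_DIR_RE.search(parent.image):
            continue
        for child in events:
            if child.ppid != cmd.pid or not TEMP_DIR_RE.search(child.image):
                continue
            if child.image.lower().endswith("\\" + launched):
                findings.append(Finding(parent.pid, cmd.pid, child.pid, child.image))
    return findings


# Constructed sample log: the three processes from the report plus benign noise.
SAMPLE_EVENTS = [
    ProcEvent(1234, 900, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(4292, 1234,
              r"C:\Users\Admin\AppData\Local\Temp\7556854937e56f78fec5ef3eb642edcb1cec454198acf4c012bf369f66bb71ea.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\7556854937e56f78fec5ef3eb642edcb1cec454198acf4c012bf369f66bb71ea.exe"'),
    ProcEvent(540, 4292, r"C:\Windows\SYSTEM32\cmd.exe",
              r'"cmd" /c cd %temp% & start /B tmp56XK.exe'),
    ProcEvent(2616, 540, r"C:\Users\Admin\AppData\Local\Temp\tmp56XK.exe", "tmp56XK.exe"),
    # Noise: an ordinary cmd /c that does not use the launcher idiom.
    ProcEvent(3001, 1234, r"C:\Windows\System32\cmd.exe", r'"cmd" /c dir C:\Users'),
    # Noise: same launcher idiom, but the parent is Explorer (not a Temp binary)
    # and the started file lives under Program Files.
    ProcEvent(3002, 1234, r"C:\Windows\System32\cmd.exe",
              r'"cmd" /c cd %temp% & start /B updater.exe'),
    ProcEvent(3003, 3002, r"C:\Program Files\Vendor\updater.exe", "updater.exe"),
]


if __name__ == "__main__":
    for f in find_temp_drop_chains(SAMPLE_EVENTS):
        print(f"dropper {f.dropper_pid} -> cmd {f.cmd_pid} -> payload {f.payload_pid} ({f.payload_image})")
```

Keying on the whole chain rather than on cmd.exe alone keeps routine `cmd /c` usage out of the alert; widen `TEMP_DIR_RE` if the environment redirects TEMP elsewhere.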
Network
MITRE ATT&CK Matrix
Downloads
Filesize: 280KB
MD5: 6da6e11cf900c0825092b8e5c4cddde4
SHA1: b5f8461b74d432fad52de4d5d346da28a7f20e01
SHA256: f46162f715956e398a2e45babecc9b0407d3a7eba21f968009033457876627bf
SHA512: 1130e21be836d1884fe4f4b543c692b4dbae8a911dd83a2e6cb79079e69e20234e682d08b488309d5dadf0e48d82709a10140f64f36a85defe0be288bc9ab672