Analysis
- max time kernel: 175s
- max time network: 215s
- platform: windows10-2004_x64
- resource: win10v2004-20221111-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 28-11-2022 06:10
Static task: static1
Behavioral task: behavioral1
- Sample: 6cce73ec191a3fa382ea3fce157b2cc21d5decd71db0193e07d184a5adf9b462.exe
- Resource: win7-20221111-en
Behavioral task: behavioral2
- Sample: 6cce73ec191a3fa382ea3fce157b2cc21d5decd71db0193e07d184a5adf9b462.exe
- Resource: win10v2004-20221111-en
General
- Target: 6cce73ec191a3fa382ea3fce157b2cc21d5decd71db0193e07d184a5adf9b462.exe
- Size: 147KB
- MD5: 2653b0e170899c2b5eab42d5c2f618c3
- SHA1: 1f6a06110ddbba0a6f752c2ffd37d20670ae59a5
- SHA256: 6cce73ec191a3fa382ea3fce157b2cc21d5decd71db0193e07d184a5adf9b462
- SHA512: f0901eee7c60572b9da1e21a97c627f61a7a19b38db12b4bcd1b016d79c26e64c400ec776a048e9060e075c9be0aab4c56e9c21e94a42248d7fc10d5d9d70fb1
- SSDEEP: 3072:/9PmZGDb1lnTikqY1jnyAsHjwwT+DqCM+mduhWc+9kHNVYDYuG:vf15uBYy2eaMv8v+9sY
Malware Config
Signatures
Drops startup file (1 IoC)
Processes (description | ioc | process):
- File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\11de6622.exe | explorer.exe
Adds Run key to start application (2 TTPs, 4 IoCs)
Processes (description | ioc | process):
- Set value (str) | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\11de662 = "C:\\11de6622\\11de6622.exe" | explorer.exe
- Set value (str) | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\*1de662 = "C:\\11de6622\\11de6622.exe" | explorer.exe
- Set value (str) | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\11de6622 = "C:\\Users\\Admin\\AppData\\Roaming\\11de6622.exe" | explorer.exe
- Set value (str) | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\*1de6622 = "C:\\Users\\Admin\\AppData\\Roaming\\11de6622.exe" | explorer.exe
Looks up external IP address via web service (2 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes (flow | ioc):
- 59 | ip-addr.es
- 67 | myexternalip.com
Suspicious use of SetThreadContext (1 IoC)
Processes (description | pid | process | target process):
- PID 364 set thread context of 4668 | 364 | 6cce73ec191a3fa382ea3fce157b2cc21d5decd71db0193e07d184a5adf9b462.exe | 6cce73ec191a3fa382ea3fce157b2cc21d5decd71db0193e07d184a5adf9b462.exe
Suspicious behavior: MapViewOfSection (2 IoCs)
Processes (pid | process):
- 4668 | 6cce73ec191a3fa382ea3fce157b2cc21d5decd71db0193e07d184a5adf9b462.exe
- 2500 | explorer.exe
Suspicious use of WriteProcessMemory (16 IoCs)
Processes (description | pid | process | target process):
- PID 364 wrote to memory of 4668 | 364 | 6cce73ec191a3fa382ea3fce157b2cc21d5decd71db0193e07d184a5adf9b462.exe | 6cce73ec191a3fa382ea3fce157b2cc21d5decd71db0193e07d184a5adf9b462.exe (10 identical entries)
- PID 4668 wrote to memory of 2500 | 4668 | 6cce73ec191a3fa382ea3fce157b2cc21d5decd71db0193e07d184a5adf9b462.exe | explorer.exe (3 identical entries)
- PID 2500 wrote to memory of 2060 | 2500 | explorer.exe | svchost.exe (3 identical entries)
Processes (process tree, depth in parentheses)
- (1) C:\Users\Admin\AppData\Local\Temp\6cce73ec191a3fa382ea3fce157b2cc21d5decd71db0193e07d184a5adf9b462.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\6cce73ec191a3fa382ea3fce157b2cc21d5decd71db0193e07d184a5adf9b462.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - (2) C:\Users\Admin\AppData\Local\Temp\6cce73ec191a3fa382ea3fce157b2cc21d5decd71db0193e07d184a5adf9b462.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\6cce73ec191a3fa382ea3fce157b2cc21d5decd71db0193e07d184a5adf9b462.exe"
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    - (3) C:\Windows\SysWOW64\explorer.exe
      Command line: "C:\Windows\syswow64\explorer.exe"
      - Drops startup file
      - Adds Run key to start application
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of WriteProcessMemory
      - (4) C:\Windows\SysWOW64\svchost.exe
        Command line: -k netsvcs
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- memory/364-133-0x0000000074870000-0x0000000074E21000-memory.dmp (filesize 5.7MB)
- memory/364-135-0x0000000074870000-0x0000000074E21000-memory.dmp (filesize 5.7MB)
- memory/2060-139-0x0000000000000000-mapping.dmp
- memory/2060-140-0x00000000006A0000-0x00000000006C5000-memory.dmp (filesize 148KB)
- memory/2500-136-0x0000000000000000-mapping.dmp
- memory/2500-138-0x0000000000150000-0x0000000000175000-memory.dmp (filesize 148KB)
- memory/4668-134-0x0000000000000000-mapping.dmp
- memory/4668-137-0x0000000000400000-0x0000000000425000-memory.dmp (filesize 148KB)