Analysis
max time kernel
29s
max time network
78s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags
arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted
28-11-2022 17:29
Static task
static1
Behavioral task
behavioral1
Sample
b88d035f7654fc621cc6c4f3b58fded65272e7576b8e78bbc78b7dd4d524b700.exe
Resource
win7-20221111-en
Behavioral task
behavioral2
Sample
b88d035f7654fc621cc6c4f3b58fded65272e7576b8e78bbc78b7dd4d524b700.exe
Resource
win10v2004-20220812-en
General
-
Target
b88d035f7654fc621cc6c4f3b58fded65272e7576b8e78bbc78b7dd4d524b700.exe
-
Size
65KB
-
MD5
eff66439bbbae2cd2194ba453ac3d977
-
SHA1
9d171e379afcdeedb2430a62ca43fd2b30a37995
-
SHA256
b88d035f7654fc621cc6c4f3b58fded65272e7576b8e78bbc78b7dd4d524b700
-
SHA512
8ac468e0eb61c8916f3ff43128062ce416fc50aa7ae10a7f12f2ef996a0701ccbe63bdd1c2bc2d81dee9f240da61413d7b7019194f32e27ed2a916523fec593d
-
SSDEEP
1536:Ck8VC0V3/h7puxJxcZGRUPPnpNbx05Cxk:Ck8VC0jpOs1pNbG5d
Malware Config
Signatures
-
Adds Run key to start application (2 TTPs, 2 IoCs)
Processes: winver.exe
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows\CurrentVersion\Run | winver.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\264CF504 = "C:\\Users\\Admin\\AppData\\Roaming\\264CF504\\bin.exe" | winver.exe
-
Suspicious use of SetThreadContext (1 IoCs)
Processes: b88d035f7654fc621cc6c4f3b58fded65272e7576b8e78bbc78b7dd4d524b700.exe
description | pid | process | target process
PID 2252 set thread context of 4244 | 2252 | b88d035f7654fc621cc6c4f3b58fded65272e7576b8e78bbc78b7dd4d524b700.exe | b88d035f7654fc621cc6c4f3b58fded65272e7576b8e78bbc78b7dd4d524b700.exe
-
Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes: winver.exe
pid | process
4712 | winver.exe
4712 | winver.exe
-
Suspicious use of FindShellTrayWindow (1 IoCs)
Processes: winver.exe
pid | process
4712 | winver.exe
-
Suspicious use of WriteProcessMemory (15 IoCs)
Processes: b88d035f7654fc621cc6c4f3b58fded65272e7576b8e78bbc78b7dd4d524b700.exe, b88d035f7654fc621cc6c4f3b58fded65272e7576b8e78bbc78b7dd4d524b700.exe, winver.exe
description | pid | process | target process
PID 2252 wrote to memory of 4244 | 2252 | b88d035f7654fc621cc6c4f3b58fded65272e7576b8e78bbc78b7dd4d524b700.exe | b88d035f7654fc621cc6c4f3b58fded65272e7576b8e78bbc78b7dd4d524b700.exe
PID 2252 wrote to memory of 4244 | 2252 | b88d035f7654fc621cc6c4f3b58fded65272e7576b8e78bbc78b7dd4d524b700.exe | b88d035f7654fc621cc6c4f3b58fded65272e7576b8e78bbc78b7dd4d524b700.exe
PID 2252 wrote to memory of 4244 | 2252 | b88d035f7654fc621cc6c4f3b58fded65272e7576b8e78bbc78b7dd4d524b700.exe | b88d035f7654fc621cc6c4f3b58fded65272e7576b8e78bbc78b7dd4d524b700.exe
PID 2252 wrote to memory of 4244 | 2252 | b88d035f7654fc621cc6c4f3b58fded65272e7576b8e78bbc78b7dd4d524b700.exe | b88d035f7654fc621cc6c4f3b58fded65272e7576b8e78bbc78b7dd4d524b700.exe
PID 2252 wrote to memory of 4244 | 2252 | b88d035f7654fc621cc6c4f3b58fded65272e7576b8e78bbc78b7dd4d524b700.exe | b88d035f7654fc621cc6c4f3b58fded65272e7576b8e78bbc78b7dd4d524b700.exe
PID 2252 wrote to memory of 4244 | 2252 | b88d035f7654fc621cc6c4f3b58fded65272e7576b8e78bbc78b7dd4d524b700.exe | b88d035f7654fc621cc6c4f3b58fded65272e7576b8e78bbc78b7dd4d524b700.exe
PID 2252 wrote to memory of 4244 | 2252 | b88d035f7654fc621cc6c4f3b58fded65272e7576b8e78bbc78b7dd4d524b700.exe | b88d035f7654fc621cc6c4f3b58fded65272e7576b8e78bbc78b7dd4d524b700.exe
PID 4244 wrote to memory of 4712 | 4244 | b88d035f7654fc621cc6c4f3b58fded65272e7576b8e78bbc78b7dd4d524b700.exe | winver.exe
PID 4244 wrote to memory of 4712 | 4244 | b88d035f7654fc621cc6c4f3b58fded65272e7576b8e78bbc78b7dd4d524b700.exe | winver.exe
PID 4244 wrote to memory of 4712 | 4244 | b88d035f7654fc621cc6c4f3b58fded65272e7576b8e78bbc78b7dd4d524b700.exe | winver.exe
PID 4244 wrote to memory of 4712 | 4244 | b88d035f7654fc621cc6c4f3b58fded65272e7576b8e78bbc78b7dd4d524b700.exe | winver.exe
PID 4712 wrote to memory of 376 | 4712 | winver.exe | Explorer.EXE
PID 4712 wrote to memory of 2452 | 4712 | winver.exe | sihost.exe
PID 4712 wrote to memory of 2468 | 4712 | winver.exe | svchost.exe
PID 4712 wrote to memory of 2672 | 4712 | winver.exe | taskhostw.exe
Processes
- C:\Windows\system32\sihost.exe
  command line: sihost.exe
- C:\Windows\system32\taskhostw.exe
  command line: taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
- C:\Windows\Explorer.EXE
  command line: C:\Windows\Explorer.EXE
  - C:\Users\Admin\AppData\Local\Temp\b88d035f7654fc621cc6c4f3b58fded65272e7576b8e78bbc78b7dd4d524b700.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\b88d035f7654fc621cc6c4f3b58fded65272e7576b8e78bbc78b7dd4d524b700.exe"
    signatures: Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\b88d035f7654fc621cc6c4f3b58fded65272e7576b8e78bbc78b7dd4d524b700.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\b88d035f7654fc621cc6c4f3b58fded65272e7576b8e78bbc78b7dd4d524b700.exe"
      signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\winver.exe
        command line: winver
        signatures: Adds Run key to start application; Suspicious behavior: EnumeratesProcesses; Suspicious use of FindShellTrayWindow; Suspicious use of WriteProcessMemory
- C:\Windows\system32\svchost.exe
  command line: C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/376-139-0x0000000000370000-0x0000000000377000-memory.dmp
  Filesize: 28KB
- memory/2252-132-0x0000000074AC0000-0x0000000075071000-memory.dmp
  Filesize: 5.7MB
- memory/2252-135-0x0000000074AC0000-0x0000000075071000-memory.dmp
  Filesize: 5.7MB
- memory/4244-133-0x0000000000000000-mapping.dmp
- memory/4244-137-0x0000000000400000-0x0000000000405000-memory.dmp
  Filesize: 20KB
- memory/4244-138-0x00000000010C0000-0x0000000001AC0000-memory.dmp
  Filesize: 10.0MB
- memory/4712-134-0x0000000000000000-mapping.dmp
- memory/4712-136-0x00000000011A0000-0x00000000011A7000-memory.dmp
  Filesize: 28KB