Analysis
max time kernel: 153s
max time network: 157s
platform: windows10-2004_x64
resource: win10v2004-20220901-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
submitted: 29/11/2022, 17:22
Static task: static1
Behavioral task: behavioral1 (sample 56d2850272256c0312f8d6484c69d97dbfa15870a368153fa93734bab829c21b.exe, resource win7-20220812-en)
Behavioral task: behavioral2 (sample 56d2850272256c0312f8d6484c69d97dbfa15870a368153fa93734bab829c21b.exe, resource win10v2004-20220901-en)
General
Target: 56d2850272256c0312f8d6484c69d97dbfa15870a368153fa93734bab829c21b.exe
Size: 359KB
MD5: 78ea828e9434fbe1ca631f2d812bb603
SHA1: 6d24bb6271b60926a2842060f4cca46900833d5f
SHA256: 56d2850272256c0312f8d6484c69d97dbfa15870a368153fa93734bab829c21b
SHA512: a19127383ba86e6a649bbd076b88e31167841797b00b2b95a82332f520db998e319dfb4f7edfc18908cf3f1ce26b3332a1e9530d1fe137aabdbadba4911408fe
SSDEEP: 6144:03lgk4W2GD/X1ku/xUffWkMk4T5iup7blk2k7uEcldPlLWAfTfb90tTU:VcD/X1//Wnb65lJgk9yAh
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  pid   Process
  5024  laezn.exe

- Adds Run key to start application (2 TTPs, 2 IoCs)
  description      ioc                                                                                                                                                                                        Process
  Key created      \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows\Currentversion\Run                                                                                    laezn.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\{32C81FC9-556D-BCA0-B82C-F77E75D9ED7C} = "C:\\Users\\Admin\\AppData\\Roaming\\Wekuwy\\laezn.exe"   laezn.exe
  The dropped copy registers itself under the user's own HKCU ...\CurrentVersion\Run key with a GUID-style value name that points back into AppData\Roaming, so it is relaunched at every logon of this user and needs no administrative rights to set up.

- Suspicious use of SetThreadContext (1 IoC)
  pid   target pid  procid_target  Process
  4964  1584        83             56d2850272256c0312f8d6484c69d97dbfa15870a368153fa93734bab829c21b.exe
  PID 1584 is the cmd.exe child the sample itself spawned (see Processes); the sample also writes to that child's memory (last row of the WriteProcessMemory table), which is the usual write-then-redirect-thread sequence for running code inside a freshly created process.

- Suspicious behavior: EnumeratesProcesses (62 IoCs)
  pid   Process
  5024  laezn.exe  (62 identical entries)

- Suspicious use of WriteProcessMemory (64 IoCs, grouped by writer and target; "count" is the number of identical rows in the report, the target image is cross-referenced from the Processes list)
  pid   target pid  target image                                         procid_target  count  Process
  4964  5024        laezn.exe                                            82             3      56d2850272256c0312f8d6484c69d97dbfa15870a368153fa93734bab829c21b.exe
  5024  2312        sihost.exe                                           55             5      laezn.exe
  5024  2340        svchost.exe (-k UnistackSvcGroup -s CDPUserSvc)      54             5      laezn.exe
  5024  2396        taskhostw.exe                                        53             5      laezn.exe
  5024  3068        Explorer.EXE                                         48             5      laezn.exe
  5024  2632        svchost.exe (-k ClipboardSvcGroup -p -s cbdhsvc)     47             5      laezn.exe
  5024  3236        DllHost.exe                                          46             5      laezn.exe
  5024  3328        StartMenuExperienceHost.exe                          22             5      laezn.exe
  5024  3408        RuntimeBroker.exe                                    45             5      laezn.exe
  5024  3496        SearchApp.exe                                        23             5      laezn.exe
  5024  3648        RuntimeBroker.exe                                    24             5      laezn.exe
  5024  4716        RuntimeBroker.exe                                    26             5      laezn.exe
  5024  4964        56d2850272256c0312f8d6484c69d97dbfa15870a368153fa93734bab829c21b.exe (its own parent)  81  5  laezn.exe
  4964  1584        cmd.exe                                              83             1      56d2850272256c0312f8d6484c69d97dbfa15870a368153fa93734bab829c21b.exe
  Every target of laezn.exe other than its parent is a pre-existing shell or service process of the logged-on user (Explorer, svchost, RuntimeBroker, the Start menu and Search hosts). The report records only that memory was written; which of these writes went on to execute code in the target is not visible here.
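The two behaviours the Signatures section flags, a GUID-named Run value pointing into AppData\Roaming and one process writing into many pre-existing processes (plus WriteProcessMemory followed by SetThreadContext on its own child), can be pulled out of rows in this exact format mechanically. The Python below is an added example written for this page, not part of the Triage report or its tooling. The row set is a constructed abbreviation of the rows above (PIDs, image names and the Run value are copied from the report), and the threshold of five distinct targets is an arbitrary choice for illustration, not a Triage setting.

```python
import re
from collections import defaultdict

# Constructed input: rows in the shape of this report's WriteProcessMemory,
# SetThreadContext and "Adds Run key" IoC lists. PIDs, image names and the
# Run value are taken from the report above; the set of rows is abbreviated.
SAMPLE_ROWS = r"""
PID 4964 wrote to memory of 5024 4964 56d2850272256c0312f8d6484c69d97dbfa15870a368153fa93734bab829c21b.exe 82
PID 5024 wrote to memory of 2312 5024 laezn.exe 55
PID 5024 wrote to memory of 2340 5024 laezn.exe 54
PID 5024 wrote to memory of 2396 5024 laezn.exe 53
PID 5024 wrote to memory of 3068 5024 laezn.exe 48
PID 5024 wrote to memory of 2632 5024 laezn.exe 47
PID 5024 wrote to memory of 3236 5024 laezn.exe 46
PID 5024 wrote to memory of 3328 5024 laezn.exe 22
PID 5024 wrote to memory of 4964 5024 laezn.exe 81
PID 4964 wrote to memory of 1584 4964 56d2850272256c0312f8d6484c69d97dbfa15870a368153fa93734bab829c21b.exe 83
PID 4964 set thread context of 1584 4964 56d2850272256c0312f8d6484c69d97dbfa15870a368153fa93734bab829c21b.exe 83
Set value (str) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\{32C81FC9-556D-BCA0-B82C-F77E75D9ED7C} = "C:\\Users\\Admin\\AppData\\Roaming\\Wekuwy\\laezn.exe" laezn.exe
"""

# Row layout: "PID <src> <action> <dst> <src again> <image> <procid_target>"
MEM_RE = re.compile(
    r"^PID (?P<src>\d+) (?P<action>wrote to memory of|set thread context of) "
    r"(?P<dst>\d+) \d+ (?P<image>\S+) (?P<procid_target>\d+)$")
# Row layout: 'Set value (str) <key>\<name> = "<data>" <image>'
RUN_RE = re.compile(
    r'^Set value \(str\) (?P<key>\\REGISTRY\\\S+\\Run)\\(?P<name>\S+) = '
    r'"(?P<data>[^"]*)" (?P<image>\S+)$')
GUID_RE = re.compile(r"^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$")
USER_WRITABLE = re.compile(r"\\AppData\\(Roaming|Local)\\", re.IGNORECASE)


def parse_rows(text):
    """Turn report rows into a flat list of memory and Run-key events."""
    events = []
    for line in text.strip().splitlines():
        m = MEM_RE.match(line)
        if m:
            d = m.groupdict()
            events.append({"kind": "mem", "src": int(d["src"]), "dst": int(d["dst"]),
                           "action": d["action"], "image": d["image"]})
            continue
        m = RUN_RE.match(line)
        if m:
            d = m.groupdict()
            # The report escapes backslashes in the value data; collapse them.
            events.append({"kind": "run", "key": d["key"], "name": d["name"],
                           "data": d["data"].replace("\\\\", "\\"), "image": d["image"]})
    return events


def persistence_findings(events):
    """Run values with a GUID-style name whose target lives under a
    user-writable profile directory: the pattern in this report's IoC."""
    return [{"name": e["name"], "path": e["data"], "by": e["image"]}
            for e in events
            if e["kind"] == "run"
            and GUID_RE.match(e["name"]) and USER_WRITABLE.search(e["data"])]


def injection_findings(events, min_targets=5):
    """Two patterns from the WriteProcessMemory/SetThreadContext rows:
    - one writer touching at least min_targets distinct foreign processes,
    - a write plus SetThreadContext on the same target (written, then run).
    min_targets is an illustrative threshold, not a value from the report."""
    writes, ctx, image = defaultdict(set), defaultdict(set), {}
    for e in events:
        if e["kind"] != "mem":
            continue
        image[e["src"]] = e["image"]
        (writes if e["action"].startswith("wrote") else ctx)[e["src"]].add(e["dst"])
    findings = []
    for src, targets in writes.items():
        if len(targets) >= min_targets:
            findings.append({"type": "spray", "pid": src, "image": image[src],
                             "targets": sorted(targets)})
        for dst in sorted(targets & ctx.get(src, set())):
            findings.append({"type": "write+setthreadcontext", "pid": src,
                             "image": image[src], "targets": [dst]})
    return findings


if __name__ == "__main__":
    ev = parse_rows(SAMPLE_ROWS)
    for finding in persistence_findings(ev) + injection_findings(ev):
        print(finding)
```

On the constructed rows this reports one persistence finding (the GUID-named value pointing at Wekuwy\laezn.exe), one "spray" finding for PID 5024 with eight distinct targets, and one write+SetThreadContext finding for PID 4964 against its cmd.exe child, PID 1584. A real run would feed it the full 64 WriteProcessMemory rows, and the threshold should be tuned against the environment's benign writers (debuggers, EDR agents and some installers also write into other processes).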
Processes (indentation shows parent/child depth as given by the report's tree; the command line follows the image path)

PID 3328  C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
          "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
PID 3496  C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
          "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
PID 3648  C:\Windows\System32\RuntimeBroker.exe
          C:\Windows\System32\RuntimeBroker.exe -Embedding
PID 4716  C:\Windows\System32\RuntimeBroker.exe
          C:\Windows\System32\RuntimeBroker.exe -Embedding
PID 3408  C:\Windows\System32\RuntimeBroker.exe
          C:\Windows\System32\RuntimeBroker.exe -Embedding
PID 3236  C:\Windows\system32\DllHost.exe
          C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
PID 2632  C:\Windows\system32\svchost.exe
          C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
PID 3068  C:\Windows\Explorer.EXE
          C:\Windows\Explorer.EXE
    PID 4964  C:\Users\Admin\AppData\Local\Temp\56d2850272256c0312f8d6484c69d97dbfa15870a368153fa93734bab829c21b.exe
              "C:\Users\Admin\AppData\Local\Temp\56d2850272256c0312f8d6484c69d97dbfa15870a368153fa93734bab829c21b.exe"
              signatures: Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory
        PID 5024  C:\Users\Admin\AppData\Roaming\Wekuwy\laezn.exe
                  "C:\Users\Admin\AppData\Roaming\Wekuwy\laezn.exe"
                  signatures: Executes dropped EXE; Adds Run key to start application; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
        PID 1584  C:\Windows\SysWOW64\cmd.exe
                  "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp8a07996a.bat"
                  (the image resolves to SysWOW64 although the command line names system32: WOW64 file-system redirection, so the 32-bit sample launched a 32-bit cmd.exe to run a batch file it placed in Temp)
PID 2396  C:\Windows\system32\taskhostw.exe
          taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
PID 2340  C:\Windows\system32\svchost.exe
          C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
PID 2312  C:\Windows\system32\sihost.exe
          sihost.exe
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 307B
  MD5: 8a2910a71f6e330f133f8ff48d9cc871
  SHA1: 68293d2b5c2651cb936b0d0fc56e4b07f2900b91
  SHA256: 937da1ab7674d7b1838926d338385d264cc1c94cec5d6a38651c9fa3a2659181
  SHA512: d9b2ca6032fcf21833890c59d2eb784fd9f6abf091c88987a1f8f64442a83d23d56235374ac9b20f9af9477d0c6f1ccf03fbb9990d951afb09fd55734e6e7300
- Filesize: 359KB (the same size as the submitted sample, but every hash differs, so this file is not a byte-for-byte copy of the sample; the Downloads list does not name the file)
  MD5: 6df02ef9cdc9cd74b28fdfe907ad63ce
  SHA1: 69b80ca74c75852e51f95eb1f5f856c69a17d35e
  SHA256: f3539ac8ba6f6b3587410466ab1c0600e264f8fd59492133cd6495cab478d6c8
  SHA512: 0140a676e834dd09127cbaacceddee29c4f2ec037c5942d2dcc0fac15c0bd745d2c8c6a578a8f070e364aa7108752c34767c3fc88ac6357155cef0d9f354aeca