Analysis
-
max time kernel
202s -
max time network
33s -
platform
windows7_x64 -
resource
win7-20221111-en -
resource tags
arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system -
submitted
30-11-2022 15:33
Static task
static1
Behavioral task
behavioral1
Sample
20A565943964AC488DCCCCB0F12092DB.exe
Resource
win7-20221111-en
Behavioral task
behavioral2
Sample
20A565943964AC488DCCCCB0F12092DB.exe
Resource
win10v2004-20220901-en
General
-
Target
20A565943964AC488DCCCCB0F12092DB.exe
-
Size
343KB
-
MD5
20a565943964ac488dccccb0f12092db
-
SHA1
d9faa5107f89b543fe0514e2f04f2bb7ad38e176
-
SHA256
ec4cb2623fbc85bc3aabcad5a1ea93966cc2e61c653b993fa5104021cd0f54f1
-
SHA512
d033b52c8957a54ba4db5463cbfda607ad080861cce8c4d505bf5bdbd09bfe7a59b6d4af94514cd5b78c48fcf4739f9d2e46cd98c81097da6151e98454e6ab97
-
SSDEEP
3072:DQ8Jstxp5/YDHh8fzYQYwRVyv6MIWoy+hdEdZTpDbexB7sg+Rhtk7v:UBxpkhFQt4v67oA6rgsrIL
Malware Config
Signatures
-
Drops startup file 1 IoCs
Processes:
explorer.exedescription ioc process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1014a921.exe explorer.exe -
Adds Run key to start application 2 TTPs 4 IoCs
Processes:
explorer.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\*014a92 = "C:\\1014a921\\1014a921.exe" explorer.exe Set value (str) \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\1014a921 = "C:\\Users\\Admin\\AppData\\Roaming\\1014a921.exe" explorer.exe Set value (str) \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\*014a921 = "C:\\Users\\Admin\\AppData\\Roaming\\1014a921.exe" explorer.exe Set value (str) \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\1014a92 = "C:\\1014a921\\1014a921.exe" explorer.exe -
Suspicious behavior: MapViewOfSection 1 IoCs
Processes:
20A565943964AC488DCCCCB0F12092DB.exepid process 568 20A565943964AC488DCCCCB0F12092DB.exe -
Suspicious use of UnmapMainImage 1 IoCs
Processes:
20A565943964AC488DCCCCB0F12092DB.exepid process 568 20A565943964AC488DCCCCB0F12092DB.exe -
Suspicious use of WriteProcessMemory 4 IoCs
Processes:
20A565943964AC488DCCCCB0F12092DB.exedescription pid process target process PID 568 wrote to memory of 788 568 20A565943964AC488DCCCCB0F12092DB.exe explorer.exe PID 568 wrote to memory of 788 568 20A565943964AC488DCCCCB0F12092DB.exe explorer.exe PID 568 wrote to memory of 788 568 20A565943964AC488DCCCCB0F12092DB.exe explorer.exe PID 568 wrote to memory of 788 568 20A565943964AC488DCCCCB0F12092DB.exe explorer.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\20A565943964AC488DCCCCB0F12092DB.exe"C:\Users\Admin\AppData\Local\Temp\20A565943964AC488DCCCCB0F12092DB.exe"1⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
-
C:\Windows\syswow64\explorer.exe"C:\Windows\syswow64\explorer.exe"2⤵
- Drops startup file
- Adds Run key to start application
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/568-54-0x0000000074E61000-0x0000000074E63000-memory.dmpFilesize
8KB
-
memory/568-56-0x00000000002B0000-0x00000000002D2000-memory.dmpFilesize
136KB
-
memory/568-58-0x0000000000400000-0x0000000000425000-memory.dmpFilesize
148KB
-
memory/788-55-0x0000000000000000-mapping.dmp
-
memory/788-59-0x0000000074A41000-0x0000000074A43000-memory.dmpFilesize
8KB
-
memory/788-60-0x00000000000C0000-0x00000000000E5000-memory.dmpFilesize
148KB