Analysis
- max time kernel: 150s
- max time network: 156s
- platform: windows10-2004_x64
- resource: win10v2004-20220901-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 30-11-2022 15:33
Static task: static1
Behavioral task: behavioral1
- Sample: 20A565943964AC488DCCCCB0F12092DB.exe
- Resource: win7-20221111-en
Behavioral task: behavioral2
- Sample: 20A565943964AC488DCCCCB0F12092DB.exe
- Resource: win10v2004-20220901-en
General
- Target: 20A565943964AC488DCCCCB0F12092DB.exe
- Size: 343KB
- MD5: 20a565943964ac488dccccb0f12092db
- SHA1: d9faa5107f89b543fe0514e2f04f2bb7ad38e176
- SHA256: ec4cb2623fbc85bc3aabcad5a1ea93966cc2e61c653b993fa5104021cd0f54f1
- SHA512: d033b52c8957a54ba4db5463cbfda607ad080861cce8c4d505bf5bdbd09bfe7a59b6d4af94514cd5b78c48fcf4739f9d2e46cd98c81097da6151e98454e6ab97
- SSDEEP: 3072:DQ8Jstxp5/YDHh8fzYQYwRVyv6MIWoy+hdEdZTpDbexB7sg+Rhtk7v:UBxpkhFQt4v67oA6rgsrIL
Malware Config
Signatures
- Detected phishing page
- Drops startup file (1 IoC)
  Processes: explorer.exe
  description | ioc | process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\e1667ee4.exe | explorer.exe
- Adds Run key to start application (2 TTPs, 4 IoCs)
  Processes: explorer.exe
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\e1667ee = "C:\\e1667ee4\\e1667ee4.exe" | explorer.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\*1667ee = "C:\\e1667ee4\\e1667ee4.exe" | explorer.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\e1667ee4 = "C:\\Users\\Admin\\AppData\\Roaming\\e1667ee4.exe" | explorer.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\*1667ee4 = "C:\\Users\\Admin\\AppData\\Roaming\\e1667ee4.exe" | explorer.exe
- Looks up external IP address via web service (2 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow | ioc
  9 | ip-addr.es
  11 | ip-addr.es
- Suspicious behavior: MapViewOfSection (2 IoCs)
  Processes: 20A565943964AC488DCCCCB0F12092DB.exe, explorer.exe
  pid | process
  4828 | 20A565943964AC488DCCCCB0F12092DB.exe
  1500 | explorer.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes: 20A565943964AC488DCCCCB0F12092DB.exe, explorer.exe
  description | pid | process | target process
  PID 4828 wrote to memory of 1500 | 4828 | 20A565943964AC488DCCCCB0F12092DB.exe | explorer.exe
  PID 4828 wrote to memory of 1500 | 4828 | 20A565943964AC488DCCCCB0F12092DB.exe | explorer.exe
  PID 4828 wrote to memory of 1500 | 4828 | 20A565943964AC488DCCCCB0F12092DB.exe | explorer.exe
  PID 1500 wrote to memory of 4312 | 1500 | explorer.exe | svchost.exe
  PID 1500 wrote to memory of 4312 | 1500 | explorer.exe | svchost.exe
  PID 1500 wrote to memory of 4312 | 1500 | explorer.exe | svchost.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\20A565943964AC488DCCCCB0F12092DB.exe (command line: "C:\Users\Admin\AppData\Local\Temp\20A565943964AC488DCCCCB0F12092DB.exe")
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\explorer.exe (command line: "C:\Windows\syswow64\explorer.exe")
    - Drops startup file
    - Adds Run key to start application
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\svchost.exe (command line: -k netsvcs)
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/1500-134-0x0000000000000000-mapping.dmp
- memory/1500-136-0x0000000000EC0000-0x0000000000EE5000-memory.dmp (Filesize: 148KB)
- memory/4312-137-0x0000000000000000-mapping.dmp
- memory/4312-138-0x0000000000750000-0x0000000000775000-memory.dmp (Filesize: 148KB)
- memory/4312-139-0x0000000000750000-0x0000000000775000-memory.dmp (Filesize: 148KB)
- memory/4828-132-0x0000000002190000-0x00000000021B2000-memory.dmp (Filesize: 136KB)
- memory/4828-133-0x0000000000400000-0x0000000000459000-memory.dmp (Filesize: 356KB)
- memory/4828-135-0x0000000000400000-0x0000000000425000-memory.dmp (Filesize: 148KB)