Analysis
- max time kernel: 67s
- max time network: 148s
- platform: windows7_x64
- resource: win7-20220812-en
- resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
- submitted: 01/12/2022, 03:17
Static task: static1

Behavioral task: behavioral1
- Sample: 73ac4082c72f7fbec2dd31c28085480513e95927fcf0449ed4c6392992393412.exe
- Resource: win7-20220812-en

Behavioral task: behavioral2
- Sample: 73ac4082c72f7fbec2dd31c28085480513e95927fcf0449ed4c6392992393412.exe
- Resource: win10v2004-20221111-en
General
- Target: 73ac4082c72f7fbec2dd31c28085480513e95927fcf0449ed4c6392992393412.exe
- Size: 660KB
- MD5: c2ba961b46cf1102cff13d11bd86c476
- SHA1: 8f7dd5ed5fd681a9133811477804b159a7194f03
- SHA256: 73ac4082c72f7fbec2dd31c28085480513e95927fcf0449ed4c6392992393412
- SHA512: b1015bf422b1af6e2990ac00118000c74e0afb0b356f4102b1f07d2da50cc7d4b8d1aa483e777d87541a7c0733518b49db64262430b0b03721f4fd1858e32b67
- SSDEEP: 12288:jNKy4ghhHYVAe2Z4INVA3pbXB38Vo8pCqbja4TZeO8yc:74ghRYVAe2Z4IDA7sS8JzTZeOj
Malware Config
Signatures

Sets file to hidden (1 TTPs, 1 IoCs)
Modifies file attributes to stop it showing in Explorer etc.
- pid 1924, process attrib.exe

Adds Run key to start application (2 TTPs, 1 IoCs)
- Set value (str): \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\GooglePx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\GooglePx.exe" (process: 73ac4082c72f7fbec2dd31c28085480513e95927fcf0449ed4c6392992393412.exe)

Suspicious use of SetThreadContext (1 IoCs)
- PID 1988 set thread context of 2012 (process: 73ac4082c72f7fbec2dd31c28085480513e95927fcf0449ed4c6392992393412.exe, procid_target 26)

Modifies Internet Explorer settings (1 IoCs)
- Key created: \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main (process: 73ac4082c72f7fbec2dd31c28085480513e95927fcf0449ed4c6392992393412.exe)

Suspicious use of FindShellTrayWindow (1 IoCs)
- pid 2012, process 73ac4082c72f7fbec2dd31c28085480513e95927fcf0449ed4c6392992393412.exe

Suspicious use of SendNotifyMessage (1 IoCs)
- pid 2012, process 73ac4082c72f7fbec2dd31c28085480513e95927fcf0449ed4c6392992393412.exe

Suspicious use of SetWindowsHookEx (3 IoCs)
- pid 2012, process 73ac4082c72f7fbec2dd31c28085480513e95927fcf0449ed4c6392992393412.exe (3 entries, all from the same process)

Suspicious use of WriteProcessMemory (16 IoCs)
- PID 1988 wrote to memory of 2012 (process: 73ac4082c72f7fbec2dd31c28085480513e95927fcf0449ed4c6392992393412.exe, procid_target 26), 12 entries
- PID 2012 wrote to memory of 1924 (process: 73ac4082c72f7fbec2dd31c28085480513e95927fcf0449ed4c6392992393412.exe, procid_target 27), 4 entries

Views/modifies file attributes (1 TTPs, 1 IoCs)
- pid 1924, process attrib.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\73ac4082c72f7fbec2dd31c28085480513e95927fcf0449ed4c6392992393412.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\73ac4082c72f7fbec2dd31c28085480513e95927fcf0449ed4c6392992393412.exe"
  PID: 1988
  Signatures:
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Users\Admin\AppData\Local\Temp\73ac4082c72f7fbec2dd31c28085480513e95927fcf0449ed4c6392992393412.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\73ac4082c72f7fbec2dd31c28085480513e95927fcf0449ed4c6392992393412.exe"
    PID: 2012
    Signatures:
    - Adds Run key to start application
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    Child processes:
    - C:\Windows\SysWOW64\attrib.exe
      Command line: attrib +r +s +h +a C:\Users\Admin\AppData\Local\Temp\GooglePx.exe
      PID: 1924
      Signatures:
      - Sets file to hidden
      - Views/modifies file attributes
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 660KB
- MD5: c2ba961b46cf1102cff13d11bd86c476
- SHA1: 8f7dd5ed5fd681a9133811477804b159a7194f03
- SHA256: 73ac4082c72f7fbec2dd31c28085480513e95927fcf0449ed4c6392992393412
- SHA512: b1015bf422b1af6e2990ac00118000c74e0afb0b356f4102b1f07d2da50cc7d4b8d1aa483e777d87541a7c0733518b49db64262430b0b03721f4fd1858e32b67