Analysis
- max time kernel: 76s
- max time network: 31s
- platform: windows7_x64
- resource: win7-20221111-en
- resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
- submitted: 01-12-2022 03:50
Static task: static1
Behavioral task: behavioral1
- Sample: 6dc12394c4706bc4ff9a2bb7cfe2d42bb5d536cd1190b2cfbe520f1dfb093c48.exe
- Resource: win7-20221111-en
Behavioral task: behavioral2
- Sample: 6dc12394c4706bc4ff9a2bb7cfe2d42bb5d536cd1190b2cfbe520f1dfb093c48.exe
- Resource: win10v2004-20220812-en
General
- Target: 6dc12394c4706bc4ff9a2bb7cfe2d42bb5d536cd1190b2cfbe520f1dfb093c48.exe
- Size: 760KB
- MD5: 08331d69e2e3571168f2d8ee776d9fee
- SHA1: 958c7e75b127d0d3046bf9151262de561c92bdfc
- SHA256: 6dc12394c4706bc4ff9a2bb7cfe2d42bb5d536cd1190b2cfbe520f1dfb093c48
- SHA512: dff5ebdf7b5678b281d7bd7e25f1ac95bb758bcb8cd575a8ac8534d7b64db3e47b237698972f839d2554bbdb7d1ea4cfc00db9b7c1a18fcba8a59c1697422fad
- SSDEEP: 12288:HE4wxVCGSkyJoocXWr7Halo3nTlbZ7x+9Zm/p5r1EA2YdQEVfWSUJIFLxYBOss6O:HMQ4u+angzIQkUoD81RFip
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  - PID 276: 6dc12394c4706bc4ff9a2bb7cfe2d42bb5d536cd1190b2cfbe520f1dfb093c48.exe
- Loads dropped DLL (6 IoCs)
  - PID 1728: 6dc12394c4706bc4ff9a2bb7cfe2d42bb5d536cd1190b2cfbe520f1dfb093c48.exe
  - PID 1728: 6dc12394c4706bc4ff9a2bb7cfe2d42bb5d536cd1190b2cfbe520f1dfb093c48.exe
  - PID 276: 6dc12394c4706bc4ff9a2bb7cfe2d42bb5d536cd1190b2cfbe520f1dfb093c48.exe
  - PID 276: 6dc12394c4706bc4ff9a2bb7cfe2d42bb5d536cd1190b2cfbe520f1dfb093c48.exe
  - PID 276: 6dc12394c4706bc4ff9a2bb7cfe2d42bb5d536cd1190b2cfbe520f1dfb093c48.exe
  - PID 824: dw20.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  - Set value (str) by 6dc12394c4706bc4ff9a2bb7cfe2d42bb5d536cd1190b2cfbe520f1dfb093c48.exe:
    \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\6dc12394c4706bc4ff9a2bb7cfe2d42bb5d536cd1190b2cfbe520f1dfb093c48.exe = "C:\\Users\\Admin\\AppData\\Roaming\\lwOcxluTOqsZtyHwcllkpMTaFSRhkn\\lwOcxluTOqsZtyHwcllkpMTaFSRhkn\\0.0.0.0\\6dc12394c4706bc4ff9a2bb7cfe2d42bb5d536cd1190b2cfbe520f1dfb093c48.exe"
- Suspicious use of WriteProcessMemory (8 IoCs)
  - PID 1728 (6dc12394c4706bc4ff9a2bb7cfe2d42bb5d536cd1190b2cfbe520f1dfb093c48.exe) wrote to memory of PID 276, target 28 (reported 4 times)
  - PID 276 (6dc12394c4706bc4ff9a2bb7cfe2d42bb5d536cd1190b2cfbe520f1dfb093c48.exe) wrote to memory of PID 824, target 29 (reported 4 times)
Processes
1. C:\Users\Admin\AppData\Local\Temp\6dc12394c4706bc4ff9a2bb7cfe2d42bb5d536cd1190b2cfbe520f1dfb093c48.exe (PID 1728)
   Command line: "C:\Users\Admin\AppData\Local\Temp\6dc12394c4706bc4ff9a2bb7cfe2d42bb5d536cd1190b2cfbe520f1dfb093c48.exe"
   - Loads dropped DLL
   - Adds Run key to start application
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Roaming\lwOcxluTOqsZtyHwcllkpMTaFSRhkn\lwOcxluTOqsZtyHwcllkpMTaFSRhkn\0.0.0.0\6dc12394c4706bc4ff9a2bb7cfe2d42bb5d536cd1190b2cfbe520f1dfb093c48.exe (PID 276, child of 1728)
      Command line: C:\Users\Admin\AppData\Roaming\lwOcxluTOqsZtyHwcllkpMTaFSRhkn\lwOcxluTOqsZtyHwcllkpMTaFSRhkn\0.0.0.0\6dc12394c4706bc4ff9a2bb7cfe2d42bb5d536cd1190b2cfbe520f1dfb093c48.exe
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe (PID 824, child of 276)
         Command line: dw20.exe -x -s 560
         - Loads dropped DLL
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Roaming\lwOcxluTOqsZtyHwcllkpMTaFSRhkn\lwOcxluTOqsZtyHwcllkpMTaFSRhkn\0.0.0.0\6dc12394c4706bc4ff9a2bb7cfe2d42bb5d536cd1190b2cfbe520f1dfb093c48.exe
  - Filesize: 760KB
  - MD5: 08331d69e2e3571168f2d8ee776d9fee
  - SHA1: 958c7e75b127d0d3046bf9151262de561c92bdfc
  - SHA256: 6dc12394c4706bc4ff9a2bb7cfe2d42bb5d536cd1190b2cfbe520f1dfb093c48
  - SHA512: dff5ebdf7b5678b281d7bd7e25f1ac95bb758bcb8cd575a8ac8534d7b64db3e47b237698972f839d2554bbdb7d1ea4cfc00db9b7c1a18fcba8a59c1697422fad
- C:\Users\Admin\AppData\Roaming\lwOcxluTOqsZtyHwcllkpMTaFSRhkn\lwOcxluTOqsZtyHwcllkpMTaFSRhkn\0.0.0.0\User32.dll
  - Filesize: 18KB
  - MD5: 5fa07d6c6384d703766d7935de68850e
  - SHA1: 62f28a572b4d1d359db7017235912ad2599b8c1d
  - SHA256: 120e15dcc4a957649553cd92a5477db9dcbfd9a2cd821e1c904044b5a92d726f
  - SHA512: 7775375f44e0cb00f9bffc023d797dbdb01ebe8429ccfacd7df57beb04427ef309c192d571051242aad1bc400f721f449f86deeb1e5f5d64b6f516bf24e92cc4