Analysis
max time kernel: 157s
max time network: 195s
platform: windows10-2004_x64
resource: win10v2004-20221111-en
resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
submitted: 01-12-2022 04:59
Static task: static1
Behavioral task: behavioral1
Sample: 3deadf1cf2074dcf6fd56bad067c1baa176e6ca167c4ae2b5c60b0c966044a9f.exe
Resource: win7-20221111-en
Behavioral task: behavioral2
Sample: 3deadf1cf2074dcf6fd56bad067c1baa176e6ca167c4ae2b5c60b0c966044a9f.exe
Resource: win10v2004-20221111-en
General
Target: 3deadf1cf2074dcf6fd56bad067c1baa176e6ca167c4ae2b5c60b0c966044a9f.exe
Size: 411KB
MD5: 3313b1f293772f7310980f3b0ef93b90
SHA1: 6e63c9cedb3cdfc35478979191a215ac9847afc9
SHA256: 3deadf1cf2074dcf6fd56bad067c1baa176e6ca167c4ae2b5c60b0c966044a9f
SHA512: 2895fc2a8f9086a6546b960279c8644c21134ae990ba2e6674b35e31c726a5a37d28cfe83928560fe5be5d6330bc83477a8db6e11957178964c842cce8dd8b0f
SSDEEP: 6144:9GK72EZbDOtFRJK4KRKivutOgKcIU4KAF7yHh3bM8:9pZbDGpiAHfOE5
Malware Config
Signatures
Executes dropped EXE (2 IoCs)
pid   Process
2088  xqfmmgKxZP3.exe
1528  xqfmmgKxZP3.exe
Loads dropped DLL (4 IoCs)
pid   Process
536   3deadf1cf2074dcf6fd56bad067c1baa176e6ca167c4ae2b5c60b0c966044a9f.exe
536   3deadf1cf2074dcf6fd56bad067c1baa176e6ca167c4ae2b5c60b0c966044a9f.exe
1528  xqfmmgKxZP3.exe
1528  xqfmmgKxZP3.exe
Adds Run key to start application (2 TTPs, 2 IoCs)
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Windows\CurrentVersion\Run | 3deadf1cf2074dcf6fd56bad067c1baa176e6ca167c4ae2b5c60b0c966044a9f.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\PVYwNXVFgaf5exl = "C:\\ProgramData\\aRiEGO9LZ1\\xqfmmgKxZP3.exe" | 3deadf1cf2074dcf6fd56bad067c1baa176e6ca167c4ae2b5c60b0c966044a9f.exe
Suspicious use of SetThreadContext (3 IoCs)
description | pid | Process | procid_target
PID 2180 set thread context of 536 | 2180 | 3deadf1cf2074dcf6fd56bad067c1baa176e6ca167c4ae2b5c60b0c966044a9f.exe | 82
PID 2088 set thread context of 1528 | 2088 | xqfmmgKxZP3.exe | 84
PID 1528 set thread context of 3284 | 1528 | xqfmmgKxZP3.exe | 91
Suspicious use of WriteProcessMemory (18 IoCs)
description | pid | Process | procid_target
PID 2180 wrote to memory of 536 | 2180 | 3deadf1cf2074dcf6fd56bad067c1baa176e6ca167c4ae2b5c60b0c966044a9f.exe | 82
PID 2180 wrote to memory of 536 | 2180 | 3deadf1cf2074dcf6fd56bad067c1baa176e6ca167c4ae2b5c60b0c966044a9f.exe | 82
PID 2180 wrote to memory of 536 | 2180 | 3deadf1cf2074dcf6fd56bad067c1baa176e6ca167c4ae2b5c60b0c966044a9f.exe | 82
PID 2180 wrote to memory of 536 | 2180 | 3deadf1cf2074dcf6fd56bad067c1baa176e6ca167c4ae2b5c60b0c966044a9f.exe | 82
PID 2180 wrote to memory of 536 | 2180 | 3deadf1cf2074dcf6fd56bad067c1baa176e6ca167c4ae2b5c60b0c966044a9f.exe | 82
PID 536 wrote to memory of 2088 | 536 | 3deadf1cf2074dcf6fd56bad067c1baa176e6ca167c4ae2b5c60b0c966044a9f.exe | 83
PID 536 wrote to memory of 2088 | 536 | 3deadf1cf2074dcf6fd56bad067c1baa176e6ca167c4ae2b5c60b0c966044a9f.exe | 83
PID 536 wrote to memory of 2088 | 536 | 3deadf1cf2074dcf6fd56bad067c1baa176e6ca167c4ae2b5c60b0c966044a9f.exe | 83
PID 2088 wrote to memory of 1528 | 2088 | xqfmmgKxZP3.exe | 84
PID 2088 wrote to memory of 1528 | 2088 | xqfmmgKxZP3.exe | 84
PID 2088 wrote to memory of 1528 | 2088 | xqfmmgKxZP3.exe | 84
PID 2088 wrote to memory of 1528 | 2088 | xqfmmgKxZP3.exe | 84
PID 2088 wrote to memory of 1528 | 2088 | xqfmmgKxZP3.exe | 84
PID 1528 wrote to memory of 3284 | 1528 | xqfmmgKxZP3.exe | 91
PID 1528 wrote to memory of 3284 | 1528 | xqfmmgKxZP3.exe | 91
PID 1528 wrote to memory of 3284 | 1528 | xqfmmgKxZP3.exe | 91
PID 1528 wrote to memory of 3284 | 1528 | xqfmmgKxZP3.exe | 91
PID 1528 wrote to memory of 3284 | 1528 | xqfmmgKxZP3.exe | 91
Processes
C:\Users\Admin\AppData\Local\Temp\3deadf1cf2074dcf6fd56bad067c1baa176e6ca167c4ae2b5c60b0c966044a9f.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\3deadf1cf2074dcf6fd56bad067c1baa176e6ca167c4ae2b5c60b0c966044a9f.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID: 2180
  C:\Users\Admin\AppData\Local\Temp\3deadf1cf2074dcf6fd56bad067c1baa176e6ca167c4ae2b5c60b0c966044a9f.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\3deadf1cf2074dcf6fd56bad067c1baa176e6ca167c4ae2b5c60b0c966044a9f.exe"
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID: 536
    C:\ProgramData\aRiEGO9LZ1\xqfmmgKxZP3.exe
      Command line: "C:\ProgramData\aRiEGO9LZ1\xqfmmgKxZP3.exe"
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory
      PID: 2088
      C:\ProgramData\aRiEGO9LZ1\xqfmmgKxZP3.exe
        Command line: "C:\ProgramData\aRiEGO9LZ1\xqfmmgKxZP3.exe"
        - Executes dropped EXE
        - Loads dropped DLL
        - Suspicious use of SetThreadContext
        - Suspicious use of WriteProcessMemory
        PID: 1528
        C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe
          Command line: "C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe" /i:1528
          PID: 3284
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize: 411KB
MD5: 3313b1f293772f7310980f3b0ef93b90
SHA1: 6e63c9cedb3cdfc35478979191a215ac9847afc9
SHA256: 3deadf1cf2074dcf6fd56bad067c1baa176e6ca167c4ae2b5c60b0c966044a9f
SHA512: 2895fc2a8f9086a6546b960279c8644c21134ae990ba2e6674b35e31c726a5a37d28cfe83928560fe5be5d6330bc83477a8db6e11957178964c842cce8dd8b0f

Filesize: 411KB
MD5: 122950be412044e5d4f9b0ee833b244f
SHA1: 4118f43ef65de560de2be56e7000518536cfb32f
SHA256: b2de47a062f1ec5acfb2253187b7977ec485c7793c638f75fc35036d34d5b6a9
SHA512: 51d487803a1914d97aad74d1eee3addc8aba0e2354ddeb188b171ea223cf4d85d80cc11528c5a0763208d1e04369472e99b974ac8db5a0fd43b1314b778c6e25