b5f1c27ecbba78618e5b0134bca4bf05141b767772c4856c8d21db49fd555095

Analysis

max time kernel
155s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
03/12/2022, 14:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b5f1c27ecbba78618e5b0134bca4bf05141b767772c4856c8d21db49fd555095.exe
Size

303KB
MD5

ca38d458ca0f9124800d82272521350c
SHA1

188e5a7a19b4fe78f3669171a94817c854ad9306
SHA256

b5f1c27ecbba78618e5b0134bca4bf05141b767772c4856c8d21db49fd555095
SHA512

944a5c53e0baf7320ba350647fdbe99f773a319f6a2c05e5af73116391007a45913a0fd340b0d58effb52bc1ed6e804871b0f0cc2e60b092209fc4eebaacf70c
SSDEEP

6144:Jt9AuK7K47+46NvC24o3VO7fy9JT6RCFZL4w9rG8Fza+:fmHK47+M22mZp9rpz

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1656	isnego.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Windows\Currentversion\Run	isnego.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\{4CDAB5F0-556D-BCA0-9C47-614551B27B47} = "C:\\Users\\Admin\\AppData\\Roaming\\Asop\\isnego.exe"	isnego.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4772 set thread context of 2616	4772	b5f1c27ecbba78618e5b0134bca4bf05141b767772c4856c8d21db49fd555095.exe	81

Suspicious behavior: EnumeratesProcesses 60 IoCs

pid	Process
1656	isnego.exe
1656	isnego.exe
1656	isnego.exe
1656	isnego.exe
1656	isnego.exe
1656	isnego.exe
1656	isnego.exe
1656	isnego.exe
1656	isnego.exe
1656	isnego.exe
1656	isnego.exe
1656	isnego.exe
1656	isnego.exe
1656	isnego.exe
1656	isnego.exe
1656	isnego.exe
1656	isnego.exe
1656	isnego.exe
1656	isnego.exe
1656	isnego.exe
1656	isnego.exe
1656	isnego.exe
1656	isnego.exe
1656	isnego.exe
1656	isnego.exe
1656	isnego.exe
1656	isnego.exe
1656	isnego.exe
1656	isnego.exe
1656	isnego.exe
1656	isnego.exe
1656	isnego.exe
1656	isnego.exe
1656	isnego.exe
1656	isnego.exe
1656	isnego.exe
1656	isnego.exe
1656	isnego.exe
1656	isnego.exe
1656	isnego.exe
1656	isnego.exe
1656	isnego.exe
1656	isnego.exe
1656	isnego.exe
1656	isnego.exe
1656	isnego.exe
1656	isnego.exe
1656	isnego.exe
1656	isnego.exe
1656	isnego.exe
1656	isnego.exe
1656	isnego.exe
1656	isnego.exe
1656	isnego.exe
1656	isnego.exe
1656	isnego.exe
1656	isnego.exe
1656	isnego.exe
1656	isnego.exe
1656	isnego.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4772 wrote to memory of 1656	4772	b5f1c27ecbba78618e5b0134bca4bf05141b767772c4856c8d21db49fd555095.exe	80
PID 4772 wrote to memory of 1656	4772	b5f1c27ecbba78618e5b0134bca4bf05141b767772c4856c8d21db49fd555095.exe	80
PID 4772 wrote to memory of 1656	4772	b5f1c27ecbba78618e5b0134bca4bf05141b767772c4856c8d21db49fd555095.exe	80
PID 1656 wrote to memory of 2356	1656	isnego.exe	60
PID 1656 wrote to memory of 2356	1656	isnego.exe	60
PID 1656 wrote to memory of 2356	1656	isnego.exe	60
PID 1656 wrote to memory of 2356	1656	isnego.exe	60
PID 1656 wrote to memory of 2356	1656	isnego.exe	60
PID 1656 wrote to memory of 2388	1656	isnego.exe	59
PID 1656 wrote to memory of 2388	1656	isnego.exe	59
PID 1656 wrote to memory of 2388	1656	isnego.exe	59
PID 1656 wrote to memory of 2388	1656	isnego.exe	59
PID 1656 wrote to memory of 2388	1656	isnego.exe	59
PID 1656 wrote to memory of 2468	1656	isnego.exe	57
PID 1656 wrote to memory of 2468	1656	isnego.exe	57
PID 1656 wrote to memory of 2468	1656	isnego.exe	57
PID 1656 wrote to memory of 2468	1656	isnego.exe	57
PID 1656 wrote to memory of 2468	1656	isnego.exe	57
PID 1656 wrote to memory of 2640	1656	isnego.exe	26
PID 1656 wrote to memory of 2640	1656	isnego.exe	26
PID 1656 wrote to memory of 2640	1656	isnego.exe	26
PID 1656 wrote to memory of 2640	1656	isnego.exe	26
PID 1656 wrote to memory of 2640	1656	isnego.exe	26
PID 1656 wrote to memory of 3096	1656	isnego.exe	50
PID 1656 wrote to memory of 3096	1656	isnego.exe	50
PID 1656 wrote to memory of 3096	1656	isnego.exe	50
PID 1656 wrote to memory of 3096	1656	isnego.exe	50
PID 1656 wrote to memory of 3096	1656	isnego.exe	50
PID 1656 wrote to memory of 3288	1656	isnego.exe	49
PID 1656 wrote to memory of 3288	1656	isnego.exe	49
PID 1656 wrote to memory of 3288	1656	isnego.exe	49
PID 1656 wrote to memory of 3288	1656	isnego.exe	49
PID 1656 wrote to memory of 3288	1656	isnego.exe	49
PID 1656 wrote to memory of 3420	1656	isnego.exe	47
PID 1656 wrote to memory of 3420	1656	isnego.exe	47
PID 1656 wrote to memory of 3420	1656	isnego.exe	47
PID 1656 wrote to memory of 3420	1656	isnego.exe	47
PID 1656 wrote to memory of 3420	1656	isnego.exe	47
PID 1656 wrote to memory of 3508	1656	isnego.exe	27
PID 1656 wrote to memory of 3508	1656	isnego.exe	27
PID 1656 wrote to memory of 3508	1656	isnego.exe	27
PID 1656 wrote to memory of 3508	1656	isnego.exe	27
PID 1656 wrote to memory of 3508	1656	isnego.exe	27
PID 1656 wrote to memory of 3616	1656	isnego.exe	46
PID 1656 wrote to memory of 3616	1656	isnego.exe	46
PID 1656 wrote to memory of 3616	1656	isnego.exe	46
PID 1656 wrote to memory of 3616	1656	isnego.exe	46
PID 1656 wrote to memory of 3616	1656	isnego.exe	46
PID 1656 wrote to memory of 3808	1656	isnego.exe	45
PID 1656 wrote to memory of 3808	1656	isnego.exe	45
PID 1656 wrote to memory of 3808	1656	isnego.exe	45
PID 1656 wrote to memory of 3808	1656	isnego.exe	45
PID 1656 wrote to memory of 3808	1656	isnego.exe	45
PID 1656 wrote to memory of 4692	1656	isnego.exe	43
PID 1656 wrote to memory of 4692	1656	isnego.exe	43
PID 1656 wrote to memory of 4692	1656	isnego.exe	43
PID 1656 wrote to memory of 4692	1656	isnego.exe	43
PID 1656 wrote to memory of 4692	1656	isnego.exe	43
PID 1656 wrote to memory of 4772	1656	isnego.exe	79
PID 1656 wrote to memory of 4772	1656	isnego.exe	79
PID 1656 wrote to memory of 4772	1656	isnego.exe	79
PID 1656 wrote to memory of 4772	1656	isnego.exe	79
PID 1656 wrote to memory of 4772	1656	isnego.exe	79
PID 4772 wrote to memory of 2616	4772	b5f1c27ecbba78618e5b0134bca4bf05141b767772c4856c8d21db49fd555095.exe	81

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:2640
- C:\Users\Admin\AppData\Local\Temp\b5f1c27ecbba78618e5b0134bca4bf05141b767772c4856c8d21db49fd555095.exe
  "C:\Users\Admin\AppData\Local\Temp\b5f1c27ecbba78618e5b0134bca4bf05141b767772c4856c8d21db49fd555095.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:4772
- - C:\Users\Admin\AppData\Roaming\Asop\isnego.exe
    "C:\Users\Admin\AppData\Roaming\Asop\isnego.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1656
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp40358962.bat"
    3⤵
    PID:2616

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3508

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4692

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3808

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3616

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3420

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3288

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3096

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:2468

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2388

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2356

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp40358962.bat

Filesize
307B

MD5
7c9f4a4348c83a0cffc1e3ee8b6aeb58

SHA1
08e0ac1f381def58c62432fcb301a5d98c81219d

SHA256
69fbfc0f4b3c1fc3ec9e2d08082980b1d13090f1fa4ca04986ca05da48ce8288

SHA512
03d4f1f6ff628ddabd96f5931598923320ec08c4dc1857c68b004394fe1ec2764be113a2d427db9f98a7520e4a5beb41fb1f86fadf69ceb5ba9f41ea9ed2fd85

Download Submit
C:\Users\Admin\AppData\Roaming\Asop\isnego.exe

Filesize
303KB

MD5
9ddf4207b4c4323fe9c963e27735ec00

SHA1
fb2d56897c9aca11abb53d229d35c2bdcce0b58e

SHA256
09627106e2c9e1e63dbce0917d387326e5a0a10b2ed3bf9b2b370e3d426863ce

SHA512
ca189cd525c489dfee18d9733e867b03fc835c5303995386d854ffb784de12bb5b313776c22c095b5ed5fc7aca9adc090d825b52f5764ab7b93c5bce66fe3684

Download Submit
C:\Users\Admin\AppData\Roaming\Asop\isnego.exe

Filesize
303KB

MD5
9ddf4207b4c4323fe9c963e27735ec00

SHA1
fb2d56897c9aca11abb53d229d35c2bdcce0b58e

SHA256
09627106e2c9e1e63dbce0917d387326e5a0a10b2ed3bf9b2b370e3d426863ce

SHA512
ca189cd525c489dfee18d9733e867b03fc835c5303995386d854ffb784de12bb5b313776c22c095b5ed5fc7aca9adc090d825b52f5764ab7b93c5bce66fe3684

Download Submit
memory/1656-144-0x00000000020E0000-0x0000000002126000-memory.dmp

Filesize
280KB

Download
memory/1656-159-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/1656-145-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2616-158-0x00000000005D0000-0x0000000000616000-memory.dmp

Filesize
280KB

Download
memory/2616-153-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/2616-154-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/2616-152-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/2616-151-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/2616-150-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/2616-148-0x00000000005D0000-0x0000000000616000-memory.dmp

Filesize
280KB

Download
memory/2616-149-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/4772-139-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/4772-146-0x00000000022F0000-0x0000000002336000-memory.dmp

Filesize
280KB

Download
memory/4772-143-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/4772-142-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/4772-141-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/4772-140-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/4772-132-0x0000000002220000-0x0000000002266000-memory.dmp

Filesize
280KB

Download
memory/4772-155-0x0000000002220000-0x0000000002266000-memory.dmp

Filesize
280KB

Download
memory/4772-156-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/4772-134-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/4772-135-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/4772-133-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download