Analysis

max time kernel: 137s
max time network: 142s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 03-12-2022 16:46

Static task: static1

Behavioral task: behavioral1
  Sample: 9907b340c005e002e49d580a7758ab4474f968c607bb5871e5f3232cfef028f1.exe
  Resource: win7-20220812-en

Behavioral task: behavioral2
  Sample: 9907b340c005e002e49d580a7758ab4474f968c607bb5871e5f3232cfef028f1.exe
  Resource: win10v2004-20220901-en
General

Target: 9907b340c005e002e49d580a7758ab4474f968c607bb5871e5f3232cfef028f1.exe
Size: 1.2MB
MD5: f6a0a73b78217f2835a23153fbad16a5
SHA1: c2a7d33a635eb4f6daf32b75ac593b23905fec90
SHA256: 9907b340c005e002e49d580a7758ab4474f968c607bb5871e5f3232cfef028f1
SHA512: 6de3695a625ef195730ed76a0149158a16a8e85e0dc12a8fc75b91d06f9f40b4642a16652f4b45caf262fa63da47a7b4ef0b6e4abb690caecfe5176c92582f9b
SSDEEP: 12288:wBv7uOLX0KrNe6gtU4fujB8AJIzXwDdBhNYDf3t5:7eZrNt4fujjJYX4Yb3
Malware Config
Signatures

Executes dropped EXE (2 IoCs)
  PID   Process
  1412  xdkhEQk1M143lTuV.exe
  820   xdkhEQk1M143lTuV.exe

Deletes itself (1 IoC)
  PID   Process
  820   xdkhEQk1M143lTuV.exe

Loads dropped DLL (4 IoCs)
  PID   Process
  1992  9907b340c005e002e49d580a7758ab4474f968c607bb5871e5f3232cfef028f1.exe (3 entries)
  820   xdkhEQk1M143lTuV.exe (1 entry)

Adds Run key to start application (2 TTPs, 2 IoCs)
  Key created by 9907b340c005e002e49d580a7758ab4474f968c607bb5871e5f3232cfef028f1.exe:
    \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run
  Value set (str) by 9907b340c005e002e49d580a7758ab4474f968c607bb5871e5f3232cfef028f1.exe:
    \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\JGwEXYNB4Pfgo = "C:\\ProgramData\\w9KBNG0K\\xdkhEQk1M143lTuV.exe"
  (The value name JGwEXYNB4Pfgo and the directory w9KBNG0K are random-looking strings; the persisted path is the dropped copy, not the original sample.)

Suspicious use of SetThreadContext (3 IoCs)
  Source PID  Source process                                                          Target PID  Target procid
  900         9907b340c005e002e49d580a7758ab4474f968c607bb5871e5f3232cfef028f1.exe  1992        27
  1412        xdkhEQk1M143lTuV.exe                                                    820         29
  820         xdkhEQk1M143lTuV.exe                                                    324         30

Suspicious use of WriteProcessMemory (22 IoCs, one row per call)
  Source PID  Source process                                                          Target PID  Target procid  Calls
  900         9907b340c005e002e49d580a7758ab4474f968c607bb5871e5f3232cfef028f1.exe  1992        27             6
  1992        9907b340c005e002e49d580a7758ab4474f968c607bb5871e5f3232cfef028f1.exe  1412        28             4
  1412        xdkhEQk1M143lTuV.exe                                                    820         29             6
  820         xdkhEQk1M143lTuV.exe                                                    324         30             6
Processes

depth 1: C:\Users\Admin\AppData\Local\Temp\9907b340c005e002e49d580a7758ab4474f968c607bb5871e5f3232cfef028f1.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\9907b340c005e002e49d580a7758ab4474f968c607bb5871e5f3232cfef028f1.exe"
  PID: 900
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory

  depth 2: C:\Users\Admin\AppData\Local\Temp\9907b340c005e002e49d580a7758ab4474f968c607bb5871e5f3232cfef028f1.exe (child of PID 900, same image as its parent)
    command line: "C:\Users\Admin\AppData\Local\Temp\9907b340c005e002e49d580a7758ab4474f968c607bb5871e5f3232cfef028f1.exe"
    PID: 1992
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory

    depth 3: C:\ProgramData\w9KBNG0K\xdkhEQk1M143lTuV.exe (child of PID 1992)
      command line: "C:\ProgramData\w9KBNG0K\xdkhEQk1M143lTuV.exe"
      PID: 1412
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory

      depth 4: C:\ProgramData\w9KBNG0K\xdkhEQk1M143lTuV.exe (child of PID 1412, same image as its parent)
        command line: "C:\ProgramData\w9KBNG0K\xdkhEQk1M143lTuV.exe"
        PID: 820
        - Executes dropped EXE
        - Deletes itself
        - Loads dropped DLL
        - Suspicious use of SetThreadContext
        - Suspicious use of WriteProcessMemory

        depth 5: C:\Program Files (x86)\Internet Explorer\ExtExport.exe (child of PID 820)
          command line: "C:\Program Files (x86)\Internet Explorer\ExtExport.exe" /i:820
          PID: 324
          (ExtExport.exe is a Microsoft-shipped Internet Explorer binary; the /i:820 argument is the PID of the parent that targets it with WriteProcessMemory and SetThreadContext.)
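The SetThreadContext and WriteProcessMemory tables list one row per API call and identify processes only by PID, so the chain of which process hollowed which is not obvious at a glance. The Python script below is an added example, not part of the Triage report or of the sample: it re-parses rows in the report's own row format (rebuilt inline from the tables above, with the PID-to-image map transcribed from the process tree), groups them per source/target pair and labels each pair. The labels (self-hollowing, hollowing of a host binary, writes-only staging) are this example's heuristics for the WriteProcessMemory plus SetThreadContext combination, not Triage verdicts, and `LEGITIMATE_IMAGES` is an assumption made for this report's ExtExport.exe.

```python
"""Rebuild the injection chain from Triage-style signature rows.

Added example for this report, not Triage code: the rows are reconstructed
inline from the SetThreadContext / WriteProcessMemory tables and the PID ->
image map is transcribed from the process tree. Labels are heuristics.
"""
import re
from collections import Counter

SAMPLE = "9907b340c005e002e49d580a7758ab4474f968c607bb5871e5f3232cfef028f1.exe"
DROPPED = "xdkhEQk1M143lTuV.exe"
EXTEXPORT = "ExtExport.exe"

# PID -> image name, transcribed from the report's process tree.
PROCESS_IMAGES = {900: SAMPLE, 1992: SAMPLE, 1412: DROPPED, 820: DROPPED, 324: EXTEXPORT}

# Assumption for this example: images shipped with Windows/IE that malware may host in.
LEGITIMATE_IMAGES = {EXTEXPORT}


def _rows(src, verb, dst, image, target_id, count):
    """Repeat one signature row `count` times (Triage prints one row per API call)."""
    return [f"PID {src} {verb} {dst} {src} {image} {target_id}"] * count


# Constructed input: the 3 SetThreadContext rows and the 22 WriteProcessMemory rows.
REPORT_ROWS = (
    _rows(900, "set thread context of", 1992, SAMPLE, 27, 1)
    + _rows(1412, "set thread context of", 820, DROPPED, 29, 1)
    + _rows(820, "set thread context of", 324, DROPPED, 30, 1)
    + _rows(900, "wrote to memory of", 1992, SAMPLE, 27, 6)
    + _rows(1992, "wrote to memory of", 1412, SAMPLE, 28, 4)
    + _rows(1412, "wrote to memory of", 820, DROPPED, 29, 6)
    + _rows(820, "wrote to memory of", 324, DROPPED, 30, 6)
)

ROW_RE = re.compile(
    r"PID (?P<src>\d+) (?P<verb>set thread context of|wrote to memory of) "
    r"(?P<dst>\d+) \d+ (?P<image>\S+) (?P<target_id>\d+)"
)


def parse_rows(rows):
    """Return (src_pid, dst_pid, verb) tuples; rows in any other shape are skipped."""
    events = []
    for row in rows:
        m = ROW_RE.fullmatch(row.strip())
        if m:
            events.append((int(m["src"]), int(m["dst"]), m["verb"]))
    return events


def edge_counts(events):
    """Per (src, dst) pair: number of WriteProcessMemory and SetThreadContext calls."""
    counts = {}
    for src, dst, verb in events:
        bucket = counts.setdefault((src, dst), Counter())
        bucket["writes" if verb.startswith("wrote") else "ctx"] += 1
    return counts


def classify_edges(counts, images):
    """Label each pair by the call pattern:
    writes + SetThreadContext into a child of the same image -> self-hollowing
    writes + SetThreadContext into a known host binary       -> hollowing of host binary
    writes only                                              -> spawn / staging
    """
    labels = {}
    for (src, dst), c in counts.items():
        if c["ctx"] == 0:
            labels[(src, dst)] = "writes-only (spawn/staging)"
        elif images.get(src) == images.get(dst):
            labels[(src, dst)] = "self-hollowing (same image re-executed as child)"
        elif images.get(dst) in LEGITIMATE_IMAGES:
            labels[(src, dst)] = "hollowing of legitimate host binary"
        else:
            labels[(src, dst)] = "injection into other process"
    return labels


def injection_chain(counts, root):
    """Follow src -> dst pairs from `root`; stops at a leaf or a cycle."""
    next_pid = {src: dst for (src, dst) in counts}
    chain = [root]
    while chain[-1] in next_pid and next_pid[chain[-1]] not in chain:
        chain.append(next_pid[chain[-1]])
    return chain


if __name__ == "__main__":
    counts = edge_counts(parse_rows(REPORT_ROWS))
    for (src, dst), label in classify_edges(counts, PROCESS_IMAGES).items():
        print(f"{src} {PROCESS_IMAGES[src]} -> {dst} {PROCESS_IMAGES[dst]}: "
              f"writes={counts[(src, dst)]['writes']} ctx={counts[(src, dst)]['ctx']} {label}")
    print("chain:", " -> ".join(map(str, injection_chain(counts, 900))))
```

On this report the script yields the chain 900 -> 1992 -> 1412 -> 820 -> 324: the sample writes into a second copy of its own image and sets its thread context (900 -> 1992), that copy starts the dropped xdkhEQk1M143lTuV.exe with memory writes but no context change (1992 -> 1412, consistent with a plain process start), the dropped file hollows a second copy of itself (1412 -> 820), and that copy writes into ExtExport.exe and sets its thread context (820 -> 324). Any later activity attributed to PID 324 would therefore appear under the name of an Internet Explorer binary, which is the check a practitioner should keep in mind when reading the process tree or building a detection on image names alone.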
Network
MITRE ATT&CK Enterprise v6
Downloads

File A (listed 6 times; distinct from the submitted sample)
  Filesize: 1.2MB
  MD5: 4d6300c175199ed04b6b8aff12e69b86
  SHA1: ab2c792dc88471e1557213b2deed442c03372daf
  SHA256: fc7a9505b5029de6e4c72589af3124a8bf41c67174982cbcd0599944a6c602f5
  SHA512: eb172675925afc14ff150ab2858533d755fd0122f1bd427003aed1068f446bf5cdea6ff9bbb7345d38741c25c564e53cb3f689f8c4983cd834469246b833241f

File B (listed once; hashes match the submitted sample under General)
  Filesize: 1.2MB
  MD5: f6a0a73b78217f2835a23153fbad16a5
  SHA1: c2a7d33a635eb4f6daf32b75ac593b23905fec90
  SHA256: 9907b340c005e002e49d580a7758ab4474f968c607bb5871e5f3232cfef028f1
  SHA512: 6de3695a625ef195730ed76a0149158a16a8e85e0dc12a8fc75b91d06f9f40b4642a16652f4b45caf262fa63da47a7b4ef0b6e4abb690caecfe5176c92582f9b