Analysis
Max time kernel: 225s
Max time network: 336s
Platform: windows7_x64
Resource: win7-20221111-en
Resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
Submitted: 03/12/2022, 18:57
Static task: static1
Behavioral task: behavioral1
  Sample: 6dc3252168f0940d2b240ecbd9026ceaf431266941c484a141d26a34280ab8ae.exe
  Resource: win7-20221111-en
Behavioral task: behavioral2
  Sample: 6dc3252168f0940d2b240ecbd9026ceaf431266941c484a141d26a34280ab8ae.exe
  Resource: win10v2004-20220812-en
General
Target: 6dc3252168f0940d2b240ecbd9026ceaf431266941c484a141d26a34280ab8ae.exe
Size: 124KB
MD5: 001fb5a2a2692152d744c16a28b8fd10
SHA1: a0b1302a667406bb5285a440bd269fa34f66683f
SHA256: 6dc3252168f0940d2b240ecbd9026ceaf431266941c484a141d26a34280ab8ae
SHA512: e677152eca1228c388e14c4fd110fc851b063b9dcba77225e9bbeffd37fa95925dad58b28db82f077d32662a0bd3b8ba236e9f4b08ae1a81e8f9f3717d2398a9
SSDEEP: 1536:9P7LRKwWbYiVEub09/QKlqLQiSW1VevPQtqNk91l4PRDW8grcJXxbWAZRbnB4KSo:to5nDQKjWve2kd4PRDW8lJhrnB4K21s
Malware Config
Signatures
resource | yara_rule
behavioral1/memory/1856-57-0x0000000000400000-0x0000000000427000-memory.dmp | upx
behavioral1/memory/1856-59-0x0000000000400000-0x0000000000427000-memory.dmp | upx
behavioral1/memory/1856-60-0x0000000000400000-0x0000000000427000-memory.dmp | upx
behavioral1/memory/1856-63-0x0000000000400000-0x0000000000427000-memory.dmp | upx
behavioral1/memory/1856-64-0x0000000000400000-0x0000000000427000-memory.dmp | upx
behavioral1/memory/1856-65-0x0000000000400000-0x0000000000427000-memory.dmp | upx
behavioral1/memory/1856-67-0x0000000010410000-0x0000000010445000-memory.dmp | upx
behavioral1/memory/1856-70-0x0000000000400000-0x0000000000427000-memory.dmp | upx
behavioral1/memory/1856-73-0x0000000010450000-0x0000000010485000-memory.dmp | upx
behavioral1/memory/1856-80-0x0000000000400000-0x0000000000427000-memory.dmp | upx
behavioral1/memory/1536-79-0x0000000010450000-0x0000000010485000-memory.dmp | upx
behavioral1/memory/1536-81-0x0000000010450000-0x0000000010485000-memory.dmp | upx
behavioral1/memory/1536-82-0x0000000010450000-0x0000000010485000-memory.dmp | upx
Adds Run key to start application (2 TTPs, 4 IoCs)
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run | 6dc3252168f0940d2b240ecbd9026ceaf431266941c484a141d26a34280ab8ae.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Spy-Net = "C:\\Windows\\system32\\Spy-Net\\server.exe" | 6dc3252168f0940d2b240ecbd9026ceaf431266941c484a141d26a34280ab8ae.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run | 6dc3252168f0940d2b240ecbd9026ceaf431266941c484a141d26a34280ab8ae.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Spy-Net = "C:\\Windows\\system32\\Spy-Net\\server.exe" | 6dc3252168f0940d2b240ecbd9026ceaf431266941c484a141d26a34280ab8ae.exe
Drops file in System32 directory (6 IoCs)
description | ioc | Process
File created | C:\Windows\SysWOW64\Spy-Net\server.exe | 6dc3252168f0940d2b240ecbd9026ceaf431266941c484a141d26a34280ab8ae.exe
File opened for modification | C:\Windows\SysWOW64\Spy-Net\server.exe | 6dc3252168f0940d2b240ecbd9026ceaf431266941c484a141d26a34280ab8ae.exe
File opened for modification | C:\Windows\SysWOW64\Spy-Net\plugin.dat | 6dc3252168f0940d2b240ecbd9026ceaf431266941c484a141d26a34280ab8ae.exe
File opened for modification | C:\Windows\SysWOW64\Spy-Net\ | 6dc3252168f0940d2b240ecbd9026ceaf431266941c484a141d26a34280ab8ae.exe
File created | C:\Windows\SysWOW64\Spy-Net\logs.dat | 6dc3252168f0940d2b240ecbd9026ceaf431266941c484a141d26a34280ab8ae.exe
File opened for modification | C:\Windows\SysWOW64\Spy-Net\logs.dat | 6dc3252168f0940d2b240ecbd9026ceaf431266941c484a141d26a34280ab8ae.exe
Suspicious use of SetThreadContext (1 IoC)
description | pid | Process | procid_target
PID 560 set thread context of 1856 | 560 | 6dc3252168f0940d2b240ecbd9026ceaf431266941c484a141d26a34280ab8ae.exe | 28
Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid | Process
1856 | 6dc3252168f0940d2b240ecbd9026ceaf431266941c484a141d26a34280ab8ae.exe
1856 | 6dc3252168f0940d2b240ecbd9026ceaf431266941c484a141d26a34280ab8ae.exe
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
pid | Process
1536 | 6dc3252168f0940d2b240ecbd9026ceaf431266941c484a141d26a34280ab8ae.exe
Suspicious use of AdjustPrivilegeToken (6 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 1856 | 6dc3252168f0940d2b240ecbd9026ceaf431266941c484a141d26a34280ab8ae.exe
Token: SeDebugPrivilege | 1856 | 6dc3252168f0940d2b240ecbd9026ceaf431266941c484a141d26a34280ab8ae.exe
Token: SeDebugPrivilege | 1856 | 6dc3252168f0940d2b240ecbd9026ceaf431266941c484a141d26a34280ab8ae.exe
Token: SeDebugPrivilege | 1856 | 6dc3252168f0940d2b240ecbd9026ceaf431266941c484a141d26a34280ab8ae.exe
Token: SeDebugPrivilege | 1536 | 6dc3252168f0940d2b240ecbd9026ceaf431266941c484a141d26a34280ab8ae.exe
Token: SeDebugPrivilege | 1536 | 6dc3252168f0940d2b240ecbd9026ceaf431266941c484a141d26a34280ab8ae.exe
Suspicious use of SetWindowsHookEx (1 IoC)
pid | Process
560 | 6dc3252168f0940d2b240ecbd9026ceaf431266941c484a141d26a34280ab8ae.exe
Suspicious use of WriteProcessMemory (64 IoCs)
description | pid | Process | procid_target
PID 560 wrote to memory of 1856 | 560 | 6dc3252168f0940d2b240ecbd9026ceaf431266941c484a141d26a34280ab8ae.exe | 28 (this entry is repeated 8 times)
PID 1856 wrote to memory of 880 | 1856 | 6dc3252168f0940d2b240ecbd9026ceaf431266941c484a141d26a34280ab8ae.exe | 29 (this entry is repeated 56 times)
Processes
C:\Users\Admin\AppData\Local\Temp\6dc3252168f0940d2b240ecbd9026ceaf431266941c484a141d26a34280ab8ae.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\6dc3252168f0940d2b240ecbd9026ceaf431266941c484a141d26a34280ab8ae.exe"
  PID: 560
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\6dc3252168f0940d2b240ecbd9026ceaf431266941c484a141d26a34280ab8ae.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\6dc3252168f0940d2b240ecbd9026ceaf431266941c484a141d26a34280ab8ae.exe
    PID: 1856
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Program Files\Internet Explorer\iexplore.exe
      Command line: "C:\Program Files\Internet Explorer\iexplore.exe"
      PID: 880
    C:\Users\Admin\AppData\Local\Temp\6dc3252168f0940d2b240ecbd9026ceaf431266941c484a141d26a34280ab8ae.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\6dc3252168f0940d2b240ecbd9026ceaf431266941c484a141d26a34280ab8ae.exe
      PID: 1536
      - Adds Run key to start application
      - Drops file in System32 directory
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of AdjustPrivilegeToken