Analysis
-
max time kernel: 109s
max time network: 150s
platform: windows7_x64
resource: win7-20221111-en
resource tags: arch:x64 arch:x86 image:win7-20221111-en locale:en-us os:windows7-x64 system
submitted: 04/12/2022, 07:10
Static task
static1
Behavioral task
behavioral1
Sample
9d78d153f6621d72ae5e90e3f140059ae00f4b05c33dbff18333bbf3236c184c.exe
Resource
win7-20221111-en
Behavioral task
behavioral2
Sample
9d78d153f6621d72ae5e90e3f140059ae00f4b05c33dbff18333bbf3236c184c.exe
Resource
win10v2004-20220812-en
General
-
Target
9d78d153f6621d72ae5e90e3f140059ae00f4b05c33dbff18333bbf3236c184c.exe
-
Size
123KB
-
MD5
5aeed5c26fb1de17ddf507e2dd6b8d10
-
SHA1
15401bd26758df17b3c8e3b2381cd6146938e357
-
SHA256
9d78d153f6621d72ae5e90e3f140059ae00f4b05c33dbff18333bbf3236c184c
-
SHA512
75be130ba502c6e16897338991336dce1c6d635b773cf644b6252474d9d751aa784513c129f3283ccfc7c3a553630d73cbb4ac5b187a4b168e13733123bd22c2
-
SSDEEP
3072:WTvKOafTSydNifRzrxQP/kYlL5ZSxBRe0snuyOFdzjs5ueaz:WTpySRfxQP/TlL5ZSxBRz1t5jsUP
Malware Config
Signatures
-
Adds Run key to start application 2 TTPs 2 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run | 9d78d153f6621d72ae5e90e3f140059ae00f4b05c33dbff18333bbf3236c184c.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\NtWqIVLZEWZU = "C:\\Users\\Admin\\AppData\\Local\\Temp\\9d78d153f6621d72ae5e90e3f140059ae00f4b05c33dbff18333bbf3236c184c.exe" | 9d78d153f6621d72ae5e90e3f140059ae00f4b05c33dbff18333bbf3236c184c.exe
-
Drops file in Windows directory 2 IoCs
description | ioc | Process
File created | C:\Windows\Tasks\{BBAEAEAF-1275-40e2-BD6C-BC8F88BD114A}.job | 9d78d153f6621d72ae5e90e3f140059ae00f4b05c33dbff18333bbf3236c184c.exe
File opened for modification | C:\Windows\Tasks\{BBAEAEAF-1275-40e2-BD6C-BC8F88BD114A}.job | 9d78d153f6621d72ae5e90e3f140059ae00f4b05c33dbff18333bbf3236c184c.exe
-
Modifies Internet Explorer settings
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main | 9d78d153f6621d72ae5e90e3f140059ae00f4b05c33dbff18333bbf3236c184c.exe
Key created | \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\International | 9d78d153f6621d72ae5e90e3f140059ae00f4b05c33dbff18333bbf3236c184c.exe
Key created | \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main | 9d78d153f6621d72ae5e90e3f140059ae00f4b05c33dbff18333bbf3236c184c.exe
-
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
pid | Process
2016 | 9d78d153f6621d72ae5e90e3f140059ae00f4b05c33dbff18333bbf3236c184c.exe
1092 | 9d78d153f6621d72ae5e90e3f140059ae00f4b05c33dbff18333bbf3236c184c.exe
-
Suspicious use of SetWindowsHookEx 2 IoCs
pid | Process
2016 | 9d78d153f6621d72ae5e90e3f140059ae00f4b05c33dbff18333bbf3236c184c.exe
2016 | 9d78d153f6621d72ae5e90e3f140059ae00f4b05c33dbff18333bbf3236c184c.exe
-
Suspicious use of WriteProcessMemory 4 IoCs
description | pid | Process | procid_target
PID 692 wrote to memory of 1092 | 692 | taskeng.exe | 29
PID 692 wrote to memory of 1092 | 692 | taskeng.exe | 29
PID 692 wrote to memory of 1092 | 692 | taskeng.exe | 29
PID 692 wrote to memory of 1092 | 692 | taskeng.exe | 29
Processes
-
C:\Users\Admin\AppData\Local\Temp\9d78d153f6621d72ae5e90e3f140059ae00f4b05c33dbff18333bbf3236c184c.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\9d78d153f6621d72ae5e90e3f140059ae00f4b05c33dbff18333bbf3236c184c.exe"
Tree depth: 1
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:2016
-
C:\Windows\system32\taskeng.exe
Command line: taskeng.exe {12851CBB-5E36-4618-BAEF-D7880265AC70} S-1-5-21-3406023954-474543476-3319432036-1000:VUIIVLGQ\Admin:Interactive:[1]
Tree depth: 1
- Suspicious use of WriteProcessMemory
PID:692
-
C:\Users\Admin\AppData\Local\Temp\9d78d153f6621d72ae5e90e3f140059ae00f4b05c33dbff18333bbf3236c184c.exe
Command line: C:\Users\Admin\AppData\Local\Temp\9d78d153f6621d72ae5e90e3f140059ae00f4b05c33dbff18333bbf3236c184c.exe
Tree depth: 2
- Adds Run key to start application
- Modifies Internet Explorer settings
- Suspicious behavior: GetForegroundWindowSpam
PID:1092
-
Network
MITRE ATT&CK Enterprise v6
Downloads
-
Filesize
408B
MD5 9bedc64e86c2c7fe814819ef8891f9c1
SHA1 557bc63cda19fa3e7d86f91ecb9be17ad71deb9c
SHA256 ecd3d285e31f0834c4a1c8fc01a5f928188d3166c6b16e780ea3441eee552f39
SHA512 1a53176bcb5e4003006f7337776f7f07b03d39cb767367e8f643011b496e50c792303197e244f54459106cfae991f84d09272a2bcea0b3dd1aa37871cdd7fbde