862e7759b4b7a6d53e5e0187e084ec6228fc1c4d69c0843ccaf14517a6a7be3c

Analysis

max time kernel
134s
max time network
141s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
05/12/2022, 13:07 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

862e7759b4b7a6d53e5e0187e084ec6228fc1c4d69c0843ccaf14517a6a7be3c.exe
Size

606KB
MD5

0acb3172631f0161d0f1504e44d922df
SHA1

a3ca1d6f2c67ca15ff6ae0b594a909fec14d6f42
SHA256

862e7759b4b7a6d53e5e0187e084ec6228fc1c4d69c0843ccaf14517a6a7be3c
SHA512

c1e59d8293bd7faf69e2add8e8b97393060b2d7b3f0b57923d27a0050fc33fff8e97888c5f3167893b1d0e9a27f13eee491b1748234d2082c25b9de38aff3a95
SSDEEP

1536:xzWu+k+UHW8QkHnmpSbUhhFJrDnhH//pSzrcU:CUFISbUhhFJrDhH/BuI

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1128	94e8296.exe
1088	94e8296.exe

Loads dropped DLL 2 IoCs

pid	Process
1772	862e7759b4b7a6d53e5e0187e084ec6228fc1c4d69c0843ccaf14517a6a7be3c.exe
1772	862e7759b4b7a6d53e5e0187e084ec6228fc1c4d69c0843ccaf14517a6a7be3c.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\94e8296 = "C:\\Users\\Admin\\AppData\\Roaming\\94e8296\\94e8296.exe"	94e8296.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\94e8296 = "C:\\Users\\Admin\\AppData\\Roaming\\94e8296\\94e8296.exe"	94e8296.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1584 set thread context of 1772	1584	862e7759b4b7a6d53e5e0187e084ec6228fc1c4d69c0843ccaf14517a6a7be3c.exe	26
PID 1128 set thread context of 1088	1128	94e8296.exe	28

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1088	94e8296.exe

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 1584 wrote to memory of 1772	1584	862e7759b4b7a6d53e5e0187e084ec6228fc1c4d69c0843ccaf14517a6a7be3c.exe	26
PID 1584 wrote to memory of 1772	1584	862e7759b4b7a6d53e5e0187e084ec6228fc1c4d69c0843ccaf14517a6a7be3c.exe	26
PID 1584 wrote to memory of 1772	1584	862e7759b4b7a6d53e5e0187e084ec6228fc1c4d69c0843ccaf14517a6a7be3c.exe	26
PID 1584 wrote to memory of 1772	1584	862e7759b4b7a6d53e5e0187e084ec6228fc1c4d69c0843ccaf14517a6a7be3c.exe	26
PID 1584 wrote to memory of 1772	1584	862e7759b4b7a6d53e5e0187e084ec6228fc1c4d69c0843ccaf14517a6a7be3c.exe	26
PID 1584 wrote to memory of 1772	1584	862e7759b4b7a6d53e5e0187e084ec6228fc1c4d69c0843ccaf14517a6a7be3c.exe	26
PID 1584 wrote to memory of 1772	1584	862e7759b4b7a6d53e5e0187e084ec6228fc1c4d69c0843ccaf14517a6a7be3c.exe	26
PID 1584 wrote to memory of 1772	1584	862e7759b4b7a6d53e5e0187e084ec6228fc1c4d69c0843ccaf14517a6a7be3c.exe	26
PID 1584 wrote to memory of 1772	1584	862e7759b4b7a6d53e5e0187e084ec6228fc1c4d69c0843ccaf14517a6a7be3c.exe	26
PID 1584 wrote to memory of 1772	1584	862e7759b4b7a6d53e5e0187e084ec6228fc1c4d69c0843ccaf14517a6a7be3c.exe	26
PID 1772 wrote to memory of 1128	1772	862e7759b4b7a6d53e5e0187e084ec6228fc1c4d69c0843ccaf14517a6a7be3c.exe	27
PID 1772 wrote to memory of 1128	1772	862e7759b4b7a6d53e5e0187e084ec6228fc1c4d69c0843ccaf14517a6a7be3c.exe	27
PID 1772 wrote to memory of 1128	1772	862e7759b4b7a6d53e5e0187e084ec6228fc1c4d69c0843ccaf14517a6a7be3c.exe	27
PID 1772 wrote to memory of 1128	1772	862e7759b4b7a6d53e5e0187e084ec6228fc1c4d69c0843ccaf14517a6a7be3c.exe	27
PID 1128 wrote to memory of 1088	1128	94e8296.exe	28
PID 1128 wrote to memory of 1088	1128	94e8296.exe	28
PID 1128 wrote to memory of 1088	1128	94e8296.exe	28
PID 1128 wrote to memory of 1088	1128	94e8296.exe	28
PID 1128 wrote to memory of 1088	1128	94e8296.exe	28
PID 1128 wrote to memory of 1088	1128	94e8296.exe	28
PID 1128 wrote to memory of 1088	1128	94e8296.exe	28
PID 1128 wrote to memory of 1088	1128	94e8296.exe	28
PID 1128 wrote to memory of 1088	1128	94e8296.exe	28
PID 1128 wrote to memory of 1088	1128	94e8296.exe	28
PID 1088 wrote to memory of 1960	1088	94e8296.exe	29
PID 1088 wrote to memory of 1960	1088	94e8296.exe	29
PID 1088 wrote to memory of 1960	1088	94e8296.exe	29
PID 1088 wrote to memory of 1960	1088	94e8296.exe	29
PID 1088 wrote to memory of 1960	1088	94e8296.exe	29
PID 1088 wrote to memory of 1960	1088	94e8296.exe	29

C:\Users\Admin\AppData\Local\Temp\862e7759b4b7a6d53e5e0187e084ec6228fc1c4d69c0843ccaf14517a6a7be3c.exe
"C:\Users\Admin\AppData\Local\Temp\862e7759b4b7a6d53e5e0187e084ec6228fc1c4d69c0843ccaf14517a6a7be3c.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1584
- C:\Users\Admin\AppData\Local\Temp\862e7759b4b7a6d53e5e0187e084ec6228fc1c4d69c0843ccaf14517a6a7be3c.exe
  "C:\Users\Admin\AppData\Local\Temp\862e7759b4b7a6d53e5e0187e084ec6228fc1c4d69c0843ccaf14517a6a7be3c.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1772
- - C:\Users\Admin\AppData\Roaming\94e8296\94e8296.exe
    "C:\Users\Admin\AppData\Roaming\94e8296\94e8296.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:1128
  - - C:\Users\Admin\AppData\Roaming\94e8296\94e8296.exe
      "C:\Users\Admin\AppData\Roaming\94e8296\94e8296.exe"
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1088
    - - C:\Windows\syswow64\explorer.exe
        
        "C:\Windows\syswow64\explorer.exe"
        5⤵
        
        PID:1960

Network

DNS

ad.amneplay.com

explorer.exe

Remote address:

8.8.8.8:53

Request

ad.amneplay.com

IN A

Response
DNS

ad.tool2ago.com

explorer.exe

Remote address:

8.8.8.8:53

Request

ad.tool2ago.com

IN A

Response

No results found

8.8.8.8:53

ad.amneplay.com

dns

explorer.exe

61 B
134 B
1
1

DNS Request

ad.amneplay.com
8.8.8.8:53

ad.tool2ago.com

dns

explorer.exe

61 B
134 B
1
1

DNS Request

ad.tool2ago.com

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\94e8296\94e8296.exe

Filesize
606KB

MD5
0acb3172631f0161d0f1504e44d922df

SHA1
a3ca1d6f2c67ca15ff6ae0b594a909fec14d6f42

SHA256
862e7759b4b7a6d53e5e0187e084ec6228fc1c4d69c0843ccaf14517a6a7be3c

SHA512
c1e59d8293bd7faf69e2add8e8b97393060b2d7b3f0b57923d27a0050fc33fff8e97888c5f3167893b1d0e9a27f13eee491b1748234d2082c25b9de38aff3a95

Download Submit
C:\Users\Admin\AppData\Roaming\94e8296\94e8296.exe

Filesize
606KB

MD5
0acb3172631f0161d0f1504e44d922df

SHA1
a3ca1d6f2c67ca15ff6ae0b594a909fec14d6f42

SHA256
862e7759b4b7a6d53e5e0187e084ec6228fc1c4d69c0843ccaf14517a6a7be3c

SHA512
c1e59d8293bd7faf69e2add8e8b97393060b2d7b3f0b57923d27a0050fc33fff8e97888c5f3167893b1d0e9a27f13eee491b1748234d2082c25b9de38aff3a95

Download Submit
C:\Users\Admin\AppData\Roaming\94e8296\94e8296.exe

Filesize
606KB

MD5
0acb3172631f0161d0f1504e44d922df

SHA1
a3ca1d6f2c67ca15ff6ae0b594a909fec14d6f42

SHA256
862e7759b4b7a6d53e5e0187e084ec6228fc1c4d69c0843ccaf14517a6a7be3c

SHA512
c1e59d8293bd7faf69e2add8e8b97393060b2d7b3f0b57923d27a0050fc33fff8e97888c5f3167893b1d0e9a27f13eee491b1748234d2082c25b9de38aff3a95

Download Submit
\Users\Admin\AppData\Roaming\94e8296\94e8296.exe

Filesize
606KB

MD5
0acb3172631f0161d0f1504e44d922df

SHA1
a3ca1d6f2c67ca15ff6ae0b594a909fec14d6f42

SHA256
862e7759b4b7a6d53e5e0187e084ec6228fc1c4d69c0843ccaf14517a6a7be3c

SHA512
c1e59d8293bd7faf69e2add8e8b97393060b2d7b3f0b57923d27a0050fc33fff8e97888c5f3167893b1d0e9a27f13eee491b1748234d2082c25b9de38aff3a95

Download Submit
\Users\Admin\AppData\Roaming\94e8296\94e8296.exe

Filesize
606KB

MD5
0acb3172631f0161d0f1504e44d922df

SHA1
a3ca1d6f2c67ca15ff6ae0b594a909fec14d6f42

SHA256
862e7759b4b7a6d53e5e0187e084ec6228fc1c4d69c0843ccaf14517a6a7be3c

SHA512
c1e59d8293bd7faf69e2add8e8b97393060b2d7b3f0b57923d27a0050fc33fff8e97888c5f3167893b1d0e9a27f13eee491b1748234d2082c25b9de38aff3a95

Download Submit
memory/1088-91-0x0000000001EB0000-0x0000000002031000-memory.dmp

Filesize
1.5MB

Download
memory/1088-97-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1088-92-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1128-93-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1128-75-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1584-54-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1584-69-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1772-68-0x0000000002050000-0x00000000021D1000-memory.dmp

Filesize
1.5MB

Download
memory/1772-56-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1772-62-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1772-60-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1772-63-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1772-58-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1772-74-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1772-67-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1772-66-0x0000000074BB1000-0x0000000074BB3000-memory.dmp

Filesize
8KB

Download
memory/1772-55-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1960-99-0x00000000747F1000-0x00000000747F3000-memory.dmp

Filesize
8KB

Download
memory/1960-100-0x0000000000080000-0x000000000008C000-memory.dmp

Filesize
48KB

Download