Analysis
max time kernel: 102s
max time network: 106s
platform: windows10-2004_x64
resource: win10v2004-20230221-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230221-en, locale:en-us, os:windows10-2004-x64, system
submitted: 25-02-2023 17:24
Behavioral task: behavioral1
Sample: 37991ba2aa1e7695429dbf4e0a9e89bf0a008317025de4bc37ce41c190e2cde4.exe
Resource: win10v2004-20230221-en
General
Target: 37991ba2aa1e7695429dbf4e0a9e89bf0a008317025de4bc37ce41c190e2cde4.exe
Size: 36KB
MD5: 1830de40a67d611bef5a49baf0b59877
SHA1: ba582cfcf2509af03ff6a3d4a1969b33fba39394
SHA256: 37991ba2aa1e7695429dbf4e0a9e89bf0a008317025de4bc37ce41c190e2cde4
SHA512: 28151b66a463264aa8f35036397300d30cccb3832fca65398467f851050c9ca865bff0c57a262afa38f38f284058065f5e3f5fab0dd9513f47c00d5fc99b080e
SSDEEP: 768:Z4yA4MJ31m5e1v6MrdDRo4dzz29CJvCJwWm:Z4tlj9rdDRosz29Vk
Malware Config
Signatures

Executes dropped EXE (1 IoCs)
Processes:
pid | process
1916 | Apimousecheck.exe

Obfuscated with Agile.Net obfuscator (3 IoCs)
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
Processes:
resource | yara_rule
behavioral1/memory/3648-133-0x0000000000ED0000-0x0000000000EE0000-memory.dmp | agile_net
C:\ProgramData\Api mouse check v6.70\Apimousecheck.exe | agile_net
C:\ProgramData\Api mouse check v6.70\Apimousecheck.exe | agile_net

Adds Run key to start application (2 TTPs, 1 IoCs)
Processes:
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Api mouse check v6.70 = "C:\\ProgramData\\Api mouse check v6.70\\Apimousecheck.exe" | 37991ba2aa1e7695429dbf4e0a9e89bf0a008317025de4bc37ce41c190e2cde4.exe

Checks processor information in registry (2 TTPs, 4 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes:
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | Apimousecheck.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | 37991ba2aa1e7695429dbf4e0a9e89bf0a008317025de4bc37ce41c190e2cde4.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | 37991ba2aa1e7695429dbf4e0a9e89bf0a008317025de4bc37ce41c190e2cde4.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | Apimousecheck.exe

Creates scheduled task(s) (1 TTPs, 1 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.

Delays execution with timeout.exe (1 IoCs)
Processes:
pid | process
796 | timeout.exe

Suspicious behavior: EnumeratesProcesses (6 IoCs)
Processes:
pid | process
3648 | 37991ba2aa1e7695429dbf4e0a9e89bf0a008317025de4bc37ce41c190e2cde4.exe
3648 | 37991ba2aa1e7695429dbf4e0a9e89bf0a008317025de4bc37ce41c190e2cde4.exe
3648 | 37991ba2aa1e7695429dbf4e0a9e89bf0a008317025de4bc37ce41c190e2cde4.exe
1916 | Apimousecheck.exe
1916 | Apimousecheck.exe
1916 | Apimousecheck.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes:
description | pid | process
Token: SeDebugPrivilege | 3648 | 37991ba2aa1e7695429dbf4e0a9e89bf0a008317025de4bc37ce41c190e2cde4.exe
Token: SeDebugPrivilege | 1916 | Apimousecheck.exe

Suspicious use of WriteProcessMemory (8 IoCs)
Processes:
description | pid | process | target process
PID 3648 wrote to memory of 1520 | 3648 | 37991ba2aa1e7695429dbf4e0a9e89bf0a008317025de4bc37ce41c190e2cde4.exe | cmd.exe
PID 3648 wrote to memory of 1520 | 3648 | 37991ba2aa1e7695429dbf4e0a9e89bf0a008317025de4bc37ce41c190e2cde4.exe | cmd.exe
PID 1520 wrote to memory of 796 | 1520 | cmd.exe | timeout.exe
PID 1520 wrote to memory of 796 | 1520 | cmd.exe | timeout.exe
PID 1520 wrote to memory of 1896 | 1520 | cmd.exe | schtasks.exe
PID 1520 wrote to memory of 1896 | 1520 | cmd.exe | schtasks.exe
PID 1520 wrote to memory of 1916 | 1520 | cmd.exe | Apimousecheck.exe
PID 1520 wrote to memory of 1916 | 1520 | cmd.exe | Apimousecheck.exe

Uses Task Scheduler COM API (1 TTPs)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

(level 1) C:\Users\Admin\AppData\Local\Temp\37991ba2aa1e7695429dbf4e0a9e89bf0a008317025de4bc37ce41c190e2cde4.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\37991ba2aa1e7695429dbf4e0a9e89bf0a008317025de4bc37ce41c190e2cde4.exe"
  - Adds Run key to start application
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  (level 2) C:\Windows\system32\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp80CD.tmp.bat""
    - Suspicious use of WriteProcessMemory

    (level 3) C:\Windows\system32\timeout.exe
      Command line: timeout 4
      - Delays execution with timeout.exe

    (level 3) C:\Windows\system32\schtasks.exe
      Command line: schtasks.exe /create /f /sc MINUTE /mo 5 /tn "Api mouse check v6.70" /tr "'C:\ProgramData\Api mouse check v6.70\Apimousecheck.exe"'
      - Creates scheduled task(s)

    (level 3) C:\ProgramData\Api mouse check v6.70\Apimousecheck.exe
      Command line: "C:\ProgramData\Api mouse check v6.70\Apimousecheck.exe"
      - Executes dropped EXE
      - Checks processor information in registry
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\ProgramData\Api mouse check v6.70\Apimousecheck.exe
Filesize: 36KB
MD5: 1830de40a67d611bef5a49baf0b59877
SHA1: ba582cfcf2509af03ff6a3d4a1969b33fba39394
SHA256: 37991ba2aa1e7695429dbf4e0a9e89bf0a008317025de4bc37ce41c190e2cde4
SHA512: 28151b66a463264aa8f35036397300d30cccb3832fca65398467f851050c9ca865bff0c57a262afa38f38f284058065f5e3f5fab0dd9513f47c00d5fc99b080e
C:\Users\Admin\AppData\Local\Temp\tmp80CD.tmp.bat
Filesize: 412B
MD5: 76a15a9726d9f4bb2ad106cfea85c4b1
SHA1: 21e4a062783a5757592a5352996250d6a32d7a91
SHA256: 4bb3ba91d6c6281035ed511de7ad103bc336013d30c0750b84991ef9466b7e7d
SHA512: cf6ab0e6037c56a13facf8efdfe7c4c406a38a61d525af05d3c19ff62157728403a3ca464ad3d1cc0f655b192b9e08d0e0513db0aaaa4b00d52986de34fc6fbd

memory/1916-144-0x0000000002B30000-0x0000000002B40000-memory.dmp
Filesize: 64KB

memory/1916-145-0x0000000002B30000-0x0000000002B40000-memory.dmp
Filesize: 64KB

memory/3648-133-0x0000000000ED0000-0x0000000000EE0000-memory.dmp
Filesize: 64KB

memory/3648-134-0x000000001BD80000-0x000000001BD90000-memory.dmp
Filesize: 64KB