Analysis
max time kernel: 145s
max time network: 144s
platform: windows10-2004_x64
resource: win10v2004-20230220-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
submitted: 23-03-2023 02:06
Behavioral task
behavioral1
Sample: project v.exe
Resource: win7-20230220-en (windows7-x64)
7 signatures
150 seconds
General
Target: project v.exe
Size: 202KB
MD5: dedb988541ad7306237a7d5fd8fe3ebd
SHA1: 627284d05db3ed4b5b5d06dd16e8f1f50a5bc828
SHA256: 63cfb81660e9653af5355e501c2febe38e5fd01840e8ae389fb5750c1812d374
SHA512: b87a8e0b39af876474d706cce43b1e0129ccf0cd4899fb3507f83bd59f3343e922482a05706bfb79cba92c4d600e55239dfeff32b0e4a962d476183c43bcb588
SSDEEP: 6144:wLV6Bta6dtJmakIM5ySxxV2Pvj3Y+w5AV:wLV6BtpmkY2PvTj
Malware Config
Signatures
Adds Run key to start application  2 TTPs  1 IoCs
Processes: project v.exe
  description      ioc                                                                                                                                    process
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\IMAP Host = "C:\\Program Files (x86)\\IMAP Host\\imaphost.exe"  project v.exe

Checks whether UAC is enabled  1 IoCs
Processes: project v.exe
  description        ioc                                                                                 process
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  project v.exe

Drops file in Program Files directory  2 IoCs
Processes: project v.exe
  description                   ioc                                            process
  File created                  C:\Program Files (x86)\IMAP Host\imaphost.exe  project v.exe
  File opened for modification  C:\Program Files (x86)\IMAP Host\imaphost.exe  project v.exe

Suspicious behavior: EnumeratesProcesses  3 IoCs
Processes: project v.exe
  pid  process
  544  project v.exe
  544  project v.exe
  544  project v.exe

Suspicious behavior: GetForegroundWindowSpam  1 IoCs
Processes: project v.exe
  pid  process
  544  project v.exe

Suspicious use of AdjustPrivilegeToken  1 IoCs
Processes: project v.exe
  description              pid  process
  Token: SeDebugPrivilege  544  project v.exe
Processes
C:\Users\Admin\AppData\Local\Temp\project v.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\project v.exe"
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
memory/544-133-0x00000000017C0000-0x00000000017D0000-memory.dmp  Filesize 64KB
memory/544-136-0x00000000017C0000-0x00000000017D0000-memory.dmp  Filesize 64KB
memory/544-137-0x00000000017C0000-0x00000000017D0000-memory.dmp  Filesize 64KB
memory/544-138-0x00000000017C0000-0x00000000017D0000-memory.dmp  Filesize 64KB