Analysis

max time kernel: 212s
max time network: 281s
platform: windows7_x64
resource: win7-20230220-en
resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
submitted: 05-04-2023 11:04

Behavioral task: behavioral1
Sample: 1070dee071d8bb8f8f267bbd512bf24741602941071d22a59c8da62fc2574bed.exe
Resource: win7-20230220-en
General

Target: 1070dee071d8bb8f8f267bbd512bf24741602941071d22a59c8da62fc2574bed.exe
Size: 203KB
MD5: 1e22a8cf1859f0d1a75e71d719ea989d
SHA1: 74c8f071a1ecee655576adebe57dea9d1b28ed67
SHA256: 1070dee071d8bb8f8f267bbd512bf24741602941071d22a59c8da62fc2574bed
SHA512: bad49ab1ab9e0dc05076eba1103039f12ac73c3663d2b5aa27b9d565de8eec42f9e089fba59a0fa49acf757ee97c590855b3958b217a3c4608a6630d7320c7c3
SSDEEP: 3072:MzEqV6B1jHa6dtJ10jgvzcgi+oG/j9iaMP2s/HIvl4CGa26WwEx4JRCDqEvwtwQt:MLV6Bta6dtJmakIM544ba26SAED1wtDt
Malware Config
Signatures
Adds Run key to start application (2 TTPs, 1 IoC)
Process: 1070dee071d8bb8f8f267bbd512bf24741602941071d22a59c8da62fc2574bed.exe
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\IMAP Service = "C:\\Program Files (x86)\\IMAP Service\\imapsvc.exe" | 1070dee071d8bb8f8f267bbd512bf24741602941071d22a59c8da62fc2574bed.exe
  The value lands under Wow6432Node because the sample runs as a 32-bit process on the x64 image (its schtasks children are started from C:\Windows\SysWOW64), so registry redirection applies; on a 64-bit host the same persistence is found at HKLM\SOFTWARE\Wow6432Node\...\Run, not under the native Run key.

Checks whether UAC is enabled (1 IoC)
Process: 1070dee071d8bb8f8f267bbd512bf24741602941071d22a59c8da62fc2574bed.exe
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | 1070dee071d8bb8f8f267bbd512bf24741602941071d22a59c8da62fc2574bed.exe

Drops file in Program Files directory (2 IoCs)
Process: 1070dee071d8bb8f8f267bbd512bf24741602941071d22a59c8da62fc2574bed.exe
  description | ioc | process
  File created | C:\Program Files (x86)\IMAP Service\imapsvc.exe | 1070dee071d8bb8f8f267bbd512bf24741602941071d22a59c8da62fc2574bed.exe
  File opened for modification | C:\Program Files (x86)\IMAP Service\imapsvc.exe | 1070dee071d8bb8f8f267bbd512bf24741602941071d22a59c8da62fc2574bed.exe
  The dropped path is the same one the Run key above points at, so the Run value and the file are one persistence mechanism, not two.

Creates scheduled task(s) (1 TTP, 2 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes: schtasks.exe, schtasks.exe
  pid | process
  1020 | schtasks.exe
  2044 | schtasks.exe

Suspicious behavior: EnumeratesProcesses (3 IoCs)
Process: 1070dee071d8bb8f8f267bbd512bf24741602941071d22a59c8da62fc2574bed.exe
  pid | process
  1224 | 1070dee071d8bb8f8f267bbd512bf24741602941071d22a59c8da62fc2574bed.exe (reported 3 times)

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
Process: 1070dee071d8bb8f8f267bbd512bf24741602941071d22a59c8da62fc2574bed.exe
  pid | process
  1224 | 1070dee071d8bb8f8f267bbd512bf24741602941071d22a59c8da62fc2574bed.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
Process: 1070dee071d8bb8f8f267bbd512bf24741602941071d22a59c8da62fc2574bed.exe
  description | pid | process
  Token: SeDebugPrivilege | 1224 | 1070dee071d8bb8f8f267bbd512bf24741602941071d22a59c8da62fc2574bed.exe

Suspicious use of WriteProcessMemory (8 IoCs)
Process: 1070dee071d8bb8f8f267bbd512bf24741602941071d22a59c8da62fc2574bed.exe
  description | pid | process | target process
  PID 1224 wrote to memory of 1020 | 1224 | 1070dee071d8bb8f8f267bbd512bf24741602941071d22a59c8da62fc2574bed.exe | schtasks.exe (reported 4 times)
  PID 1224 wrote to memory of 2044 | 1224 | 1070dee071d8bb8f8f267bbd512bf24741602941071d22a59c8da62fc2574bed.exe | schtasks.exe (reported 4 times)
  All eight writes go from the sample into the two schtasks.exe children it created. A parent writing into a child during process creation (the process parameters block is copied into the new process) is what ordinary CreateProcess looks like, so this signature on its own does not show code injection; the scheduled-task command lines in the process tree explain the children.
Processes

Nesting shows the parent/child relationship (depth 1 is the submitted sample, depth 2 its children).

1. C:\Users\Admin\AppData\Local\Temp\1070dee071d8bb8f8f267bbd512bf24741602941071d22a59c8da62fc2574bed.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\1070dee071d8bb8f8f267bbd512bf24741602941071d22a59c8da62fc2574bed.exe"
   - Adds Run key to start application
   - Checks whether UAC is enabled
   - Drops file in Program Files directory
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious behavior: GetForegroundWindowSpam
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\schtasks.exe
      Command line: "schtasks.exe" /create /f /tn "IMAP Service" /xml "C:\Users\Admin\AppData\Local\Temp\tmp1EA9.tmp"
      - Creates scheduled task(s)

   2. C:\Windows\SysWOW64\schtasks.exe
      Command line: "schtasks.exe" /create /f /tn "IMAP Service Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmp5ADE.tmp"
      - Creates scheduled task(s)
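The two persistence mechanisms in this report (the HKLM Run value pointing at the dropped imapsvc.exe, and schtasks.exe /create with a task definition read from a tmp*.tmp file under the user's Temp folder) are easy to turn into host-telemetry rules. The following is an added example written for this page, not code from the sandbox or from the sample: it runs two such rules over constructed, Sysmon-style event records. The field names, the benign control event (an administrator importing a task from ProgramData), and the pairing of PID 1020 with tmp1EA9.tmp and PID 2044 with tmp5ADE.tmp are assumptions of the example; the report lists the PIDs and the tmp files but does not pair them.

```python
"""Detection logic for the persistence chain recorded in this report.

Added example; not part of the sandbox report or of the sample. It walks
constructed, Sysmon-style event records (plain dicts; field names chosen for
this example) and flags the two persistence mechanisms the report shows:

  * an HKLM ...\CurrentVersion\Run value whose data points at an executable
    the same process dropped (the "IMAP Service" Run key here), and
  * schtasks.exe /create ... /xml <task definition under %TEMP%>.

Which schtasks PID consumed which tmp*.tmp file is an assumption made for the
sample data; the report does not pair them.
"""
import re

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\1070dee071d8bb8f8f267bbd512bf24741602941071d22a59c8da62fc2574bed.exe"
DROPPED = r"C:\Program Files (x86)\IMAP Service\imapsvc.exe"

# Constructed events modelled on the report's IoCs, plus one benign schtasks
# invocation (a task definition imported from ProgramData by cmd.exe) that the
# rules must not flag.
EVENTS = [
    {"type": "file_create", "pid": 1224, "image": SAMPLE, "path": DROPPED},
    {"type": "reg_set", "pid": 1224, "image": SAMPLE,
     "key": r"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\IMAP Service",
     "data": '"' + DROPPED + '"'},
    {"type": "process_create", "pid": 1020, "ppid": 1224, "parent_image": SAMPLE,
     "image": r"C:\Windows\SysWOW64\schtasks.exe",
     "cmdline": r'"schtasks.exe" /create /f /tn "IMAP Service" /xml "C:\Users\Admin\AppData\Local\Temp\tmp1EA9.tmp"'},
    {"type": "process_create", "pid": 2044, "ppid": 1224, "parent_image": SAMPLE,
     "image": r"C:\Windows\SysWOW64\schtasks.exe",
     "cmdline": r'"schtasks.exe" /create /f /tn "IMAP Service Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmp5ADE.tmp"'},
    {"type": "process_create", "pid": 3000, "ppid": 2500, "parent_image": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks /create /tn "Nightly Backup" /xml "C:\ProgramData\Backup\nightly.xml"'},
]

RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.I)  # Run, not RunOnce
TEMP_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.I)
TOKEN_RE = re.compile(r'"([^"]*)"|(\S+)')


def tokenize(cmdline):
    """Split a Windows command line on whitespace, keeping quoted spans whole."""
    return [quoted or bare for quoted, bare in TOKEN_RE.findall(cmdline)]


def parse_schtasks(cmdline):
    """Return the switches of a 'schtasks /create' command line as a dict
    (value-taking switches keep their value, bare flags map to True), or None
    when the command line is not a /create call."""
    toks = tokenize(cmdline)
    args, i = {}, 1  # toks[0] is the program name
    while i < len(toks):
        t = toks[i].lower()
        if t in ("/tn", "/xml", "/tr", "/sc", "/ru", "/rl") and i + 1 < len(toks):
            args[t[1:]] = toks[i + 1]
            i += 2
        elif t.startswith("/"):
            args[t[1:]] = True
            i += 1
        else:
            i += 1
    return args if "create" in args else None


def detect(events):
    """Run both rules over the event list and return findings in event order."""
    # First pass: files each PID created, so the Run-key rule works whatever
    # order the file and registry events arrived in.
    created = {}
    for e in events:
        if e["type"] == "file_create":
            created.setdefault(e["pid"], set()).add(e["path"].lower())

    findings = []
    for e in events:
        if e["type"] == "reg_set" and RUN_KEY_RE.search(e["key"]):
            target = e["data"].strip('"').lower()
            if target in created.get(e["pid"], set()):
                findings.append({"rule": "run_key_to_dropped_file", "pid": e["pid"],
                                 "value": e["key"], "target": e["data"]})
        elif e["type"] == "process_create" and e["image"].lower().endswith("\\schtasks.exe"):
            args = parse_schtasks(e["cmdline"])
            xml = args.get("xml") if args else None
            if isinstance(xml, str) and TEMP_RE.search(xml):
                findings.append({"rule": "schtasks_xml_from_temp", "pid": e["pid"],
                                 "ppid": e["ppid"], "parent_image": e["parent_image"],
                                 "task": args.get("tn"), "xml": xml})
    return findings


if __name__ == "__main__":
    for finding in detect(EVENTS):
        print(finding)
```

The Run-key rule ties the registry write to a file the same process created rather than matching on the task name or path, so it survives a change of the "IMAP Service" string; the schtasks rule keys on the task definition being read from the user's Temp folder, which is where a dropper writes it and where a legitimate import rarely lives. Both rules carry the parent image in the finding so an analyst can see, as this report does, that the schtasks children were spawned by an executable running out of Temp.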
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Users\Admin\AppData\Local\Temp\tmp1EA9.tmp
  Filesize: 1KB
  MD5: 7874fe7b7625be67910dcf6e30d9f02f
  SHA1: c31fb91af3ad2b26d05abcdaa5162a856a200a2b
  SHA256: 8a8dff441220ec99772114013607f1e20c5de18d5aebec6d28cd15106725f6d7
  SHA512: 51bd5f4ccc6e16cde02e93f74c44e3247f441990dfb8bd57be20c8fdadbdc008610581b5f58cff4a08a634dad09d11378691de3f59783c35664156e6351a8385
  This is the task definition passed to the first schtasks.exe via /xml. The second definition, tmp5ADE.tmp, and the dropped C:\Program Files (x86)\IMAP Service\imapsvc.exe are not among the captured files in this report.

memory/1224-54-0x0000000000300000-0x0000000000340000-memory.dmp
  Filesize: 256KB

memory/1224-59-0x0000000000300000-0x0000000000340000-memory.dmp
  Filesize: 256KB