Analysis
- max time kernel: 134s
- max time network: 146s
- platform: windows7_x64
- resource: win7-20230220-en
- resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
- submitted: 11-05-2023 12:26
Behavioral task: behavioral1
- Sample: 0c37754aa8f73ae35bac7d63387ebaa38ba2d5b133fd87e78e13fe11e56295ba.exe
- Resource: win7-20230220-en (windows7-x64)
- 7 signatures
- 150 seconds
General
- Target: 0c37754aa8f73ae35bac7d63387ebaa38ba2d5b133fd87e78e13fe11e56295ba.exe
- Size: 101KB
- MD5: 19d348cc489a13650ef2d851d80e0e93
- SHA1: 731fbf8c1efc0feab19204fcd32075a5d2f61aa9
- SHA256: 0c37754aa8f73ae35bac7d63387ebaa38ba2d5b133fd87e78e13fe11e56295ba
- SHA512: d21172645a56ba78bae9a38a78182cc81f4725fe6b3af40b501527308628853ed74532cad11d136f90d23b9ced5ad7cbe905fbd32c48196478d30629808e428e
- SSDEEP: 3072:mLjsXANkR/fkfdWolI9AiDrV8MNBYahBxMGLnVK+vM:mslR/fURcAiDrV81ahBxMcKf
Malware Config
Signatures
- Drops file in System32 directory (1 IoC)
  Processes:
  - plainmisc.exe: File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Modifies data under HKEY_USERS (21 IoCs)
  Processes (all by plainmisc.exe):
  - Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{FE882E73-3CC8-4FDA-A7F2-A714B921B146}
  - Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\8a-bc-a4-48-31-94\WpadDecisionReason = "1"
  - Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
  - Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings
  - Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00bc000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
  - Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\8a-bc-a4-48-31-94\WpadDecisionTime = 7065d8551f84d901
  - Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix
  - Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"
  - Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{FE882E73-3CC8-4FDA-A7F2-A714B921B146}\WpadNetworkName = "Network 2"
  - Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{FE882E73-3CC8-4FDA-A7F2-A714B921B146}\WpadDecision = "0"
  - Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\8a-bc-a4-48-31-94
  - Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\8a-bc-a4-48-31-94\WpadDecision = "0"
  - Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"
  - Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad
  - Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{FE882E73-3CC8-4FDA-A7F2-A714B921B146}\WpadDecisionReason = "1"
  - Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
  - Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{FE882E73-3CC8-4FDA-A7F2-A714B921B146}\WpadDecisionTime = 7065d8551f84d901
  - Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{FE882E73-3CC8-4FDA-A7F2-A714B921B146}\8a-bc-a4-48-31-94
  - Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
  - Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
  - Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"
- Suspicious behavior: EnumeratesProcesses (3 IoCs)
  Processes:
  - PID 1696 plainmisc.exe (3 occurrences)
- Suspicious behavior: RenamesItself (1 IoC)
  Processes:
  - PID 1616 0c37754aa8f73ae35bac7d63387ebaa38ba2d5b133fd87e78e13fe11e56295ba.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes (source PID -> target PID, source process -> target process):
  - PID 1520 wrote to memory of 1616: 0c37754aa8f73ae35bac7d63387ebaa38ba2d5b133fd87e78e13fe11e56295ba.exe -> 0c37754aa8f73ae35bac7d63387ebaa38ba2d5b133fd87e78e13fe11e56295ba.exe (4 occurrences)
  - PID 848 wrote to memory of 1696: plainmisc.exe -> plainmisc.exe (4 occurrences)
Processes
- C:\Users\Admin\AppData\Local\Temp\0c37754aa8f73ae35bac7d63387ebaa38ba2d5b133fd87e78e13fe11e56295ba.exe (PID 1520)
  Command line: "C:\Users\Admin\AppData\Local\Temp\0c37754aa8f73ae35bac7d63387ebaa38ba2d5b133fd87e78e13fe11e56295ba.exe"
  - Suspicious use of WriteProcessMemory
  - Child: C:\Users\Admin\AppData\Local\Temp\0c37754aa8f73ae35bac7d63387ebaa38ba2d5b133fd87e78e13fe11e56295ba.exe (PID 1616)
    Command line: --13440106
    - Suspicious behavior: RenamesItself
- C:\Windows\SysWOW64\plainmisc.exe (PID 848)
  Command line: "C:\Windows\SysWOW64\plainmisc.exe"
  - Suspicious use of WriteProcessMemory
  - Child: C:\Windows\SysWOW64\plainmisc.exe (PID 1696)
    Command line: --81525acc
    - Drops file in System32 directory
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses