Analysis
- max time kernel: 152s
- max time network: 149s
- platform: windows10-2004_x64
- resource: win10v2004-20230220-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 11-05-2023 12:26
Behavioral task: behavioral1
- Sample: 0c37754aa8f73ae35bac7d63387ebaa38ba2d5b133fd87e78e13fe11e56295ba.exe
- Resource: win7-20230220-en (windows7-x64)
- 7 signatures
- 150 seconds
General
- Target: 0c37754aa8f73ae35bac7d63387ebaa38ba2d5b133fd87e78e13fe11e56295ba.exe
- Size: 101KB
- MD5: 19d348cc489a13650ef2d851d80e0e93
- SHA1: 731fbf8c1efc0feab19204fcd32075a5d2f61aa9
- SHA256: 0c37754aa8f73ae35bac7d63387ebaa38ba2d5b133fd87e78e13fe11e56295ba
- SHA512: d21172645a56ba78bae9a38a78182cc81f4725fe6b3af40b501527308628853ed74532cad11d136f90d23b9ced5ad7cbe905fbd32c48196478d30629808e428e
- SSDEEP: 3072:mLjsXANkR/fkfdWolI9AiDrV8MNBYahBxMGLnVK+vM:mslR/fURcAiDrV81ahBxMcKf
Malware Config
Signatures
-
Drops file in System32 directory (4 IoCs)
Processes: diagramplain.exe

description | ioc | process
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 | diagramplain.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE | diagramplain.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies | diagramplain.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5 | diagramplain.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
-
Modifies data under HKEY_USERS (3 IoCs)
Processes: diagramplain.exe

description | ioc | process
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix | diagramplain.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" | diagramplain.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" | diagramplain.exe
Suspicious behavior: EnumeratesProcesses (12 IoCs)
Processes: diagramplain.exe

pid | process
2416 | diagramplain.exe (12 identical entries)
Suspicious behavior: RenamesItself (1 IoC)
Processes: 0c37754aa8f73ae35bac7d63387ebaa38ba2d5b133fd87e78e13fe11e56295ba.exe

pid | process
1572 | 0c37754aa8f73ae35bac7d63387ebaa38ba2d5b133fd87e78e13fe11e56295ba.exe
Suspicious use of WriteProcessMemory (6 IoCs)
Processes: 0c37754aa8f73ae35bac7d63387ebaa38ba2d5b133fd87e78e13fe11e56295ba.exe, diagramplain.exe

description | pid | process | target process
PID 4432 wrote to memory of 1572 | 4432 | 0c37754aa8f73ae35bac7d63387ebaa38ba2d5b133fd87e78e13fe11e56295ba.exe | 0c37754aa8f73ae35bac7d63387ebaa38ba2d5b133fd87e78e13fe11e56295ba.exe
PID 4432 wrote to memory of 1572 | 4432 | 0c37754aa8f73ae35bac7d63387ebaa38ba2d5b133fd87e78e13fe11e56295ba.exe | 0c37754aa8f73ae35bac7d63387ebaa38ba2d5b133fd87e78e13fe11e56295ba.exe
PID 4432 wrote to memory of 1572 | 4432 | 0c37754aa8f73ae35bac7d63387ebaa38ba2d5b133fd87e78e13fe11e56295ba.exe | 0c37754aa8f73ae35bac7d63387ebaa38ba2d5b133fd87e78e13fe11e56295ba.exe
PID 4560 wrote to memory of 2416 | 4560 | diagramplain.exe | diagramplain.exe
PID 4560 wrote to memory of 2416 | 4560 | diagramplain.exe | diagramplain.exe
PID 4560 wrote to memory of 2416 | 4560 | diagramplain.exe | diagramplain.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\0c37754aa8f73ae35bac7d63387ebaa38ba2d5b133fd87e78e13fe11e56295ba.exe (depth 1, PID 4432)
  command line: "C:\Users\Admin\AppData\Local\Temp\0c37754aa8f73ae35bac7d63387ebaa38ba2d5b133fd87e78e13fe11e56295ba.exe"
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\0c37754aa8f73ae35bac7d63387ebaa38ba2d5b133fd87e78e13fe11e56295ba.exe (depth 2, PID 1572, child of the above)
    command line: C:\Users\Admin\AppData\Local\Temp\0c37754aa8f73ae35bac7d63387ebaa38ba2d5b133fd87e78e13fe11e56295ba.exe--13440106
    - Suspicious behavior: RenamesItself
-
C:\Windows\SysWOW64\diagramplain.exe (depth 1, PID 4560)
  command line: "C:\Windows\SysWOW64\diagramplain.exe"
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\diagramplain.exe (depth 2, PID 2416, child of the above)
    command line: C:\Windows\SysWOW64\diagramplain.exe--62153ec9
    - Drops file in System32 directory
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
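Two things in this report are worth turning into checks. First, the same handoff appears twice: a process spawns a second copy of its own image with a command line ending in "--" plus eight hex digits, then writes into that child's memory (PID 4432 into 1572, PID 4560 into 2416), after which the child does the real work. Second, every file and registry IoC for diagramplain.exe sits in the LocalSystem profile (C:\Windows\SysWOW64\config\systemprofile and HKEY_USERS\.DEFAULT), which is consistent with the dropped copy running as SYSTEM and using WinINet, since those INetCache/INetCookies paths and CachePrefix values are what WinINet creates for the account it runs under. The script below is an added example, not the sandbox's code or part of this report: it encodes both checks and a hash lookup against the report's digests. The process events are constructed in a Sysmon-style layout; PIDs, images and command lines of the four malware processes are taken from the process tree above, while the parent PIDs of the two root processes and the explorer/notepad control rows are assumed. The respawn check accepts the token with or without a space before "--", so it works whether or not the extraction dropped one.

```python
"""Checks derived from the sandbox report: same-image respawn with a --<8 hex>
token, LocalSystem-profile IoCs, and hash matching against the report."""
import hashlib
import re
from dataclasses import dataclass

SAMPLE = "0c37754aa8f73ae35bac7d63387ebaa38ba2d5b133fd87e78e13fe11e56295ba.exe"
TEMP_DIR = r"C:\Users\Admin\AppData\Local\Temp"
SAMPLE_PATH = TEMP_DIR + "\\" + SAMPLE
DROPPED_PATH = r"C:\Windows\SysWOW64\diagramplain.exe"


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation record (Sysmon EID 1 style; the field layout is an assumption)."""
    pid: int
    ppid: int
    image: str
    cmdline: str


# Constructed events. The four malware rows mirror the report's process tree;
# the root parent PIDs (900, 700) and the explorer/notepad rows are assumed.
EVENTS = [
    ProcEvent(4432, 900, SAMPLE_PATH, '"' + SAMPLE_PATH + '"'),
    ProcEvent(1572, 4432, SAMPLE_PATH, SAMPLE_PATH + "--13440106"),
    ProcEvent(4560, 700, DROPPED_PATH, '"' + DROPPED_PATH + '"'),
    ProcEvent(2416, 4560, DROPPED_PATH, DROPPED_PATH + "--62153ec9"),
    ProcEvent(5000, 4000, r"C:\Windows\explorer.exe", r"C:\Windows\explorer.exe"),
    ProcEvent(5001, 5000, r"C:\Windows\System32\notepad.exe",
              r'"C:\Windows\System32\notepad.exe" C:\Users\Admin\notes.txt'),
]

# Trailing "--" plus eight lowercase hex digits, as on both child command
# lines in the report (--13440106, --62153ec9); a preceding space is optional.
HEX_TOKEN = re.compile(r"--[0-9a-f]{8}$")


def find_self_respawn(events):
    """Return (parent_pid, child_pid, image) for each child whose image equals
    its parent's image and whose command line ends in the --<8 hex> token.
    Paired with the parent's WriteProcessMemory into that child, this is the
    hollowing-style handoff the report records twice."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        parent = by_pid.get(e.ppid)
        if parent is None or parent.image.lower() != e.image.lower():
            continue
        if HEX_TOKEN.search(e.cmdline.strip()):
            hits.append((parent.pid, e.pid, e.image))
    return hits


SYSTEM_PROFILE_DIR = r"C:\Windows\SysWOW64\config\systemprofile"
DEFAULT_HIVE = r"\REGISTRY\USER\.DEFAULT"

# File and registry IoCs copied from the report's signature tables.
REPORT_IOCS = [
    SYSTEM_PROFILE_DIR + r"\AppData\Local\Microsoft\Windows\INetCache\Content.IE5",
    SYSTEM_PROFILE_DIR + r"\AppData\Local\Microsoft\Windows\INetCache\IE",
    SYSTEM_PROFILE_DIR + r"\AppData\Local\Microsoft\Windows\INetCookies",
    SYSTEM_PROFILE_DIR + r"\AppData\Local\Microsoft\Windows\History\History.IE5",
    DEFAULT_HIVE + r"\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix",
    DEFAULT_HIVE + r"\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix",
    DEFAULT_HIVE + r"\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix",
]


def system_context_iocs(iocs):
    """Return the IoCs that live in the LocalSystem profile (the systemprofile
    directory, here its WOW64 view, or the HKEY_USERS\\.DEFAULT hive). Any hit
    means the process that wrote them was running as SYSTEM."""
    prefixes = (SYSTEM_PROFILE_DIR.lower(), DEFAULT_HIVE.lower())
    return [ioc for ioc in iocs if ioc.lower().startswith(prefixes)]


# Digests from the report's General section.
REPORT_HASHES = {
    "md5": "19d348cc489a13650ef2d851d80e0e93",
    "sha1": "731fbf8c1efc0feab19204fcd32075a5d2f61aa9",
    "sha256": "0c37754aa8f73ae35bac7d63387ebaa38ba2d5b133fd87e78e13fe11e56295ba",
}


def matches_report(data: bytes) -> bool:
    """True only if all three digests of `data` equal the report's sample."""
    return all(hashlib.new(alg, data).hexdigest() == h for alg, h in REPORT_HASHES.items())


if __name__ == "__main__":
    for parent_pid, child_pid, image in find_self_respawn(EVENTS):
        print(f"self-respawn: {parent_pid} -> {child_pid} {image}")
    for ioc in system_context_iocs(REPORT_IOCS):
        print(f"SYSTEM-profile IoC: {ioc}")
    print("constructed bytes match report:", matches_report(b"constructed, not the sample"))
```

Running it flags exactly the two parent/child pairs from the WriteProcessMemory table and all seven diagramplain.exe IoCs as SYSTEM-profile artefacts; feed real Sysmon EID 1 records into ProcEvent and a file's bytes into matches_report to apply the same checks on an endpoint.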