Analysis
-
max time kernel
151s -
max time network
154s -
platform
windows10-2004_x64 -
resource
win10v2004-20230221-en -
resource tags
arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system -
submitted
24-05-2023 18:57
Static task
static1
Behavioral task
behavioral1
Sample
M7R79569.exe
Resource
win7-20230220-en
Behavioral task
behavioral2
Sample
M7R79569.exe
Resource
win10v2004-20230221-en
General
-
Target
M7R79569.exe
-
Size
348KB
-
MD5
8c6810ccbf8b94ad18edabe648ffd504
-
SHA1
9f3770c114956fb31d04ec3020fe4da03a8ac2d4
-
SHA256
b8f848f137a23fe046b4701a67d07c8e7e1a8fdb066f318424caede7a1e69530
-
SHA512
7bf15296bbdce5aee540b9a6738c65a3f54b773f6aa50b27a98ad8c33544ff60625f650c8bb90fa17a0c60e8b799a88536f5609b41a94784fcb283b810f0b7b9
-
SSDEEP
6144:UMLeUFXXI8t9K/uN6qmhCaHA5DZNyI187cMsU5wgsbZv+:JesY8t9KQ6q9WAZNVOAzzr+
Malware Config
Extracted
zloader
CanadaLoads
Spam
https://23d8s23hs89j239sj23.com/jbYm9bt/NlGkb4ivk.php
https://3reh8rd23js9.com/jbYm9bt/NlGkb4ivk.php
https://4f394j89d3j4d89j34d.com/jbYm9bt/NlGkb4ivk.php
https://d823hrd9239sdj2.com/jbYm9bt/NlGkb4ivk.php
https://js823hs23js.com/jbYm9bt/NlGkb4ivk.php
https://oidjweidj34rd3.com/jbYm9bt/NlGkb4ivk.php
https://qwd8s3j8s23h8s.com/jbYm9bt/NlGkb4ivk.php
https://s28hs823hs823js.com/jbYm9bt/NlGkb4ivk.php
https://wd23h8qsh8qhs823qs.com/jbYm9bt/NlGkb4ivk.php
-
build_id
34
Signatures
-
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
msiexec.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Software\Microsoft\Windows\CurrentVersion\Run msiexec.exe Set value (str) \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Nimacoxy = "C:\\Users\\Admin\\AppData\\Roaming\\Ebixys\\akgivoy.exe" msiexec.exe -
Suspicious use of SetThreadContext 1 IoCs
Processes:
M7R79569.exedescription pid process target process PID 3732 set thread context of 1312 3732 M7R79569.exe msiexec.exe -
Program crash 1 IoCs
Processes:
WerFault.exepid pid_target process target process 1020 3732 WerFault.exe M7R79569.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
msiexec.exedescription pid process Token: SeSecurityPrivilege 1312 msiexec.exe Token: SeSecurityPrivilege 1312 msiexec.exe -
Suspicious use of WriteProcessMemory 5 IoCs
Processes:
M7R79569.exedescription pid process target process PID 3732 wrote to memory of 1312 3732 M7R79569.exe msiexec.exe PID 3732 wrote to memory of 1312 3732 M7R79569.exe msiexec.exe PID 3732 wrote to memory of 1312 3732 M7R79569.exe msiexec.exe PID 3732 wrote to memory of 1312 3732 M7R79569.exe msiexec.exe PID 3732 wrote to memory of 1312 3732 M7R79569.exe msiexec.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\M7R79569.exe"C:\Users\Admin\AppData\Local\Temp\M7R79569.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\msiexec.exemsiexec.exe2⤵
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3732 -s 4722⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 3732 -ip 37321⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/1312-139-0x0000000000620000-0x0000000000652000-memory.dmpFilesize
200KB
-
memory/1312-142-0x0000000000620000-0x0000000000652000-memory.dmpFilesize
200KB
-
memory/1312-143-0x0000000000620000-0x0000000000652000-memory.dmpFilesize
200KB
-
memory/3732-134-0x0000000004980000-0x00000000049AE000-memory.dmpFilesize
184KB
-
memory/3732-135-0x0000000000400000-0x0000000002C41000-memory.dmpFilesize
40.3MB
-
memory/3732-140-0x0000000000400000-0x0000000002C41000-memory.dmpFilesize
40.3MB