Analysis
-
max time kernel
105s -
max time network
126s -
platform
windows10-2004_x64 -
resource
win10v2004-20230220-en -
resource tags
arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system -
submitted
30-05-2023 05:01
Behavioral task
behavioral1
Sample
e717bea129d5b3b17b1d7b59cb31782f2561e7c560e190003dce7c62ef44f8d1.exe
Resource
win7-20230220-en
Behavioral task
behavioral2
Sample
e717bea129d5b3b17b1d7b59cb31782f2561e7c560e190003dce7c62ef44f8d1.exe
Resource
win10v2004-20230220-en
General
-
Target
e717bea129d5b3b17b1d7b59cb31782f2561e7c560e190003dce7c62ef44f8d1.exe
-
Size
2.2MB
-
MD5
2032bc30b58069c446007e2f8d91c75b
-
SHA1
beab01a5544464bb50f326d80fe450910b897d62
-
SHA256
e717bea129d5b3b17b1d7b59cb31782f2561e7c560e190003dce7c62ef44f8d1
-
SHA512
2989ac76eec170becd44776b555d701a0c48f985b9568ead52aeda188bc2e0d3a183ea7824d795951c10aead721210b71285eb2df6c77a638908c1ebbeae411d
-
SSDEEP
49152:GosN5uxEXiemlxN/jh8APpMvO7qM7D1MuGssjK3gyo4Bbir8OlgwSml:GosNYKX9Uxxh8kkCunL23foYzHml
Malware Config
Signatures
-
Drops file in System32 directory 1 IoCs
Processes:
cmd.exedescription ioc process File created C:\Windows\SysWOW64\administratortestpermissions10041 cmd.exe -
Suspicious use of SetWindowsHookEx 6 IoCs
Processes:
e717bea129d5b3b17b1d7b59cb31782f2561e7c560e190003dce7c62ef44f8d1.exepid process 4252 e717bea129d5b3b17b1d7b59cb31782f2561e7c560e190003dce7c62ef44f8d1.exe 4252 e717bea129d5b3b17b1d7b59cb31782f2561e7c560e190003dce7c62ef44f8d1.exe 4252 e717bea129d5b3b17b1d7b59cb31782f2561e7c560e190003dce7c62ef44f8d1.exe 4252 e717bea129d5b3b17b1d7b59cb31782f2561e7c560e190003dce7c62ef44f8d1.exe 4252 e717bea129d5b3b17b1d7b59cb31782f2561e7c560e190003dce7c62ef44f8d1.exe 4252 e717bea129d5b3b17b1d7b59cb31782f2561e7c560e190003dce7c62ef44f8d1.exe -
Suspicious use of WriteProcessMemory 3 IoCs
Processes:
e717bea129d5b3b17b1d7b59cb31782f2561e7c560e190003dce7c62ef44f8d1.exedescription pid process target process PID 4252 wrote to memory of 3384 4252 e717bea129d5b3b17b1d7b59cb31782f2561e7c560e190003dce7c62ef44f8d1.exe cmd.exe PID 4252 wrote to memory of 3384 4252 e717bea129d5b3b17b1d7b59cb31782f2561e7c560e190003dce7c62ef44f8d1.exe cmd.exe PID 4252 wrote to memory of 3384 4252 e717bea129d5b3b17b1d7b59cb31782f2561e7c560e190003dce7c62ef44f8d1.exe cmd.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\e717bea129d5b3b17b1d7b59cb31782f2561e7c560e190003dce7c62ef44f8d1.exe"C:\Users\Admin\AppData\Local\Temp\e717bea129d5b3b17b1d7b59cb31782f2561e7c560e190003dce7c62ef44f8d1.exe"1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4252 -
C:\Windows\SysWOW64\cmd.execmd /c echo t>C:\Windows\system32\administratortestpermissions100412⤵
- Drops file in System32 directory
PID:3384
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
\??\c:\windows\SysWOW64\administratortestpermissions10041Filesize
3B
MD55696feb53a6ad364e3da313d7bb865c2
SHA143ac804404d56225c9e0e44018b43c0e46b4be53
SHA2569e8b03ea3b48312f8e3a15bec7aa85c96a362e2776ac6bc3dfd74a40022bcc8a
SHA512e4771bcec6bb86578ddb042a126683675e3cca83614f22bf44721b7cfddaa067ed162e692650e48a474d50e3de4728a6bfe4083500580998152cd2b4918b8516
-
memory/4252-133-0x0000000000400000-0x00000000009B5000-memory.dmpFilesize
5.7MB
-
memory/4252-134-0x0000000000400000-0x00000000009B5000-memory.dmpFilesize
5.7MB
-
memory/4252-135-0x0000000000400000-0x00000000009B5000-memory.dmpFilesize
5.7MB
-
memory/4252-136-0x0000000000400000-0x00000000009B5000-memory.dmpFilesize
5.7MB
-
memory/4252-137-0x0000000000400000-0x00000000009B5000-memory.dmpFilesize
5.7MB
-
memory/4252-138-0x0000000000400000-0x00000000009B5000-memory.dmpFilesize
5.7MB
-
memory/4252-139-0x0000000000400000-0x00000000009B5000-memory.dmpFilesize
5.7MB
-
memory/4252-145-0x0000000000400000-0x00000000009B5000-memory.dmpFilesize
5.7MB
-
memory/4252-146-0x0000000000400000-0x00000000009B5000-memory.dmpFilesize
5.7MB