Analysis
max time kernel: 131s
max time network: 134s
platform: windows7_x64
resource: win7-20230220-en
resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
submitted: 12-06-2023 09:24
Static task: static1
Behavioral task: behavioral1
  Sample: 0c0827b80b8450ed442d0a5afbc1324c.exe
  Resource: win7-20230220-en
Behavioral task: behavioral2
  Sample: 0c0827b80b8450ed442d0a5afbc1324c.exe
  Resource: win10v2004-20230221-en
General
Target: 0c0827b80b8450ed442d0a5afbc1324c.exe
Size: 923KB
MD5: 0c0827b80b8450ed442d0a5afbc1324c
SHA1: f212fc466d539f1b327e0f23269c4d2818e9bbfb
SHA256: 96bb40eaf29d3619c016a62e397e02761e898f342ab4dfdb52232ceddc13846a
SHA512: 75df0198b67109a5443c06e63c9ef145ae343c7519c9e2a4b7a06ddaf880c95a725ba223e2f183d52ee13f70c9a599e2b2ac2bcbc3d0510a4ef11941d7af118c
SSDEEP: 6144:zuK8X8DB2w0M4/Pwj33eCWhBZMZ0AO5Z1YS:zgXWB0V/Pwj6LY
Malware Config
Extracted
systembc
5.42.95.122:4308
194.87.111.29:4308
Signatures

Adds Run key to start application (2 TTPs, 2 IoCs)
Processes: RegSvcs.exe
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Windows\CurrentVersion\Run\socks5 = "powershell.exe -windowstyle hidden -Command \"& 'C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegSvcs.exe'\"" | RegSvcs.exe
  Key created | \REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Windows\CurrentVersion\Run | RegSvcs.exe

Suspicious use of SetThreadContext (1 IoC)
Processes: 0c0827b80b8450ed442d0a5afbc1324c.exe
  description | pid | process | target process
  PID 1556 set thread context of 1456 | 1556 | 0c0827b80b8450ed442d0a5afbc1324c.exe | RegSvcs.exe

Program crash (1 IoC)
Processes: WerFault.exe
  pid | pid_target | process | target process
  1208 | 1556 | WerFault.exe | 0c0827b80b8450ed442d0a5afbc1324c.exe

Suspicious use of WriteProcessMemory (13 IoCs)
Processes: 0c0827b80b8450ed442d0a5afbc1324c.exe
  description | pid | process | target process
  PID 1556 wrote to memory of 1456 | 1556 | 0c0827b80b8450ed442d0a5afbc1324c.exe | RegSvcs.exe (9 identical events)
  PID 1556 wrote to memory of 1208 | 1556 | 0c0827b80b8450ed442d0a5afbc1324c.exe | WerFault.exe (4 identical events)
Processes

C:\Users\Admin\AppData\Local\Temp\0c0827b80b8450ed442d0a5afbc1324c.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\0c0827b80b8450ed442d0a5afbc1324c.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory

  C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
    - Adds Run key to start application

  C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1556 -s 48
    - Program crash
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
memory/1456-54-0x0000000000400000-0x0000000000406000-memory.dmp (Filesize 24KB)
memory/1456-55-0x0000000000400000-0x0000000000406000-memory.dmp (Filesize 24KB)
memory/1456-60-0x000000007EFDE000-0x000000007EFDF000-memory.dmp (Filesize 4KB)
memory/1456-62-0x0000000000400000-0x0000000000406000-memory.dmp (Filesize 24KB)
memory/1456-63-0x0000000000400000-0x0000000000406000-memory.dmp (Filesize 24KB)