Analysis
max time kernel: 133s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20230220-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
submitted: 12-06-2023 11:40

Static task: static1 (1 signatures)

Behavioral task: behavioral1
  Sample: 02696699.exe
  Resource: win7-20230220-en (windows7-x64)
  5 signatures, 150 seconds

Behavioral task: behavioral2
  Sample: 02696699.exe
  Resource: win10v2004-20230220-en (windows10-2004-x64)
  5 signatures, 150 seconds
General
Target: 02696699.exe
Size: 923KB
MD5: 0c0827b80b8450ed442d0a5afbc1324c
SHA1: f212fc466d539f1b327e0f23269c4d2818e9bbfb
SHA256: 96bb40eaf29d3619c016a62e397e02761e898f342ab4dfdb52232ceddc13846a
SHA512: 75df0198b67109a5443c06e63c9ef145ae343c7519c9e2a4b7a06ddaf880c95a725ba223e2f183d52ee13f70c9a599e2b2ac2bcbc3d0510a4ef11941d7af118c
SSDEEP: 6144:zuK8X8DB2w0M4/Pwj33eCWhBZMZ0AO5Z1YS:zgXWB0V/Pwj6LY
Score: 10/10
Malware Config (Extracted)
Family: systembc
C2:
  5.42.95.122:4308
  194.87.111.29:4308
Signatures

Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes:
    description: Set value (str)
    ioc: \REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\socks5 = "powershell.exe -windowstyle hidden -Command \"& 'C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegSvcs.exe'\""
    process: RegSvcs.exe

    description: Key created
    ioc: \REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Software\Microsoft\Windows\CurrentVersion\Run
    process: RegSvcs.exe

Suspicious use of SetThreadContext (1 IoCs)
  Processes:
    description: PID 2016 set thread context of 960
    pid: 2016
    process: 02696699.exe
    target process: RegSvcs.exe

Program crash (1 IoCs)
  Processes:
    pid: 4604
    pid_target: 2016
    process: WerFault.exe
    target process: 02696699.exe

Suspicious use of WriteProcessMemory (5 IoCs)
  Processes (the same entry is recorded 5 times):
    description: PID 2016 wrote to memory of 960
    pid: 2016
    process: 02696699.exe
    target process: RegSvcs.exe
Processes

C:\Users\Admin\AppData\Local\Temp\02696699.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\02696699.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory

  C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe (depth 2)
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
    - Adds Run key to start application

  C:\Windows\SysWOW64\WerFault.exe (depth 2)
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2016 -s 244
    - Program crash

C:\Windows\SysWOW64\WerFault.exe (depth 1)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 2016 -ip 2016