Analysis
max time kernel: 156s
max time network: 163s
platform: windows10-2004_x64
resource: win10v2004-20230220-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
submitted: 20-06-2023 19:53
Behavioral task: behavioral1
Sample: c313e4ce863e7c944c3985c9bddb71727ef2e7bb0c1a2bc262620041109ca11f.exe
Resource: win7-20230220-en

Behavioral task: behavioral2
Sample: c313e4ce863e7c944c3985c9bddb71727ef2e7bb0c1a2bc262620041109ca11f.exe
Resource: win10v2004-20230220-en
General
Target: c313e4ce863e7c944c3985c9bddb71727ef2e7bb0c1a2bc262620041109ca11f.exe
Size: 680KB
MD5: 4513b1451a2a8957c42bbc09ee5c1046
SHA1: 6b7f9fff14ce0cb8f60dbcd8be14100e3bea9081
SHA256: c313e4ce863e7c944c3985c9bddb71727ef2e7bb0c1a2bc262620041109ca11f
SHA512: df88a2dbd2a8439a455a8ebcababba542c39eaee337c7281bbcd71aa418d6e718722636c6102cbe9f69071fa7dda9df98a5cf2b3bdd46102a99e5ad0a905128e
SSDEEP: 12288:gYFBsdyQrOz4uwSI+KoiwMZPzPFQuh3a7KWh0ZPPD5VoxtFakcekVMWkVKtI2i4:gfyaA75I+1gzPFQAyPhkXDCSBerW7i23
Malware Config
Signatures

Drops file in System32 directory (4 IoCs)
Processes: c313e4ce863e7c944c3985c9bddb71727ef2e7bb0c1a2bc262620041109ca11f.exe
description | ioc | process
File opened for modification | \??\c:\windows\SysWOW64\opfileOneA | c313e4ce863e7c944c3985c9bddb71727ef2e7bb0c1a2bc262620041109ca11f.exe
File created | \??\c:\windows\SysWOW64\opfileOneA | c313e4ce863e7c944c3985c9bddb71727ef2e7bb0c1a2bc262620041109ca11f.exe
File created | \??\c:\windows\SysWOW64\yytmp1\ywsinid.files\25.bmp | c313e4ce863e7c944c3985c9bddb71727ef2e7bb0c1a2bc262620041109ca11f.exe
File created | \??\c:\windows\SysWOW64\syys7.1.6.3.syw | c313e4ce863e7c944c3985c9bddb71727ef2e7bb0c1a2bc262620041109ca11f.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Modifies registry class (6 IoCs)
Processes: c313e4ce863e7c944c3985c9bddb71727ef2e7bb0c1a2bc262620041109ca11f.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Word.Document.8 | c313e4ce863e7c944c3985c9bddb71727ef2e7bb0c1a2bc262620041109ca11f.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Word.Document.8\EditFlags = "65536" | c313e4ce863e7c944c3985c9bddb71727ef2e7bb0c1a2bc262620041109ca11f.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Excel.Sheet.8\EditFlags = "65536" | c313e4ce863e7c944c3985c9bddb71727ef2e7bb0c1a2bc262620041109ca11f.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\PowerPoint.Show.8\EditFlags = "65536" | c313e4ce863e7c944c3985c9bddb71727ef2e7bb0c1a2bc262620041109ca11f.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ywsfile | c313e4ce863e7c944c3985c9bddb71727ef2e7bb0c1a2bc262620041109ca11f.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\ywsfile\isogg = "alrGady" | c313e4ce863e7c944c3985c9bddb71727ef2e7bb0c1a2bc262620041109ca11f.exe

Suspicious use of SetWindowsHookEx (2 IoCs)
Processes: c313e4ce863e7c944c3985c9bddb71727ef2e7bb0c1a2bc262620041109ca11f.exe
pid | process
1964 | c313e4ce863e7c944c3985c9bddb71727ef2e7bb0c1a2bc262620041109ca11f.exe
1964 | c313e4ce863e7c944c3985c9bddb71727ef2e7bb0c1a2bc262620041109ca11f.exe
Processes
1. C:\Users\Admin\AppData\Local\Temp\c313e4ce863e7c944c3985c9bddb71727ef2e7bb0c1a2bc262620041109ca11f.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\c313e4ce863e7c944c3985c9bddb71727ef2e7bb0c1a2bc262620041109ca11f.exe"
   - Drops file in System32 directory
   - Modifies registry class
   - Suspicious use of SetWindowsHookEx
   PID: 1964