Analysis
- max time kernel: 142s
- max time network: 126s
- platform: windows7_x64
- resource: win7-20230712-en
- resource tags: arch:x64, arch:x86, image:win7-20230712-en, locale:en-us, os:windows7-x64, system
- submitted: 25/07/2023, 07:42
Static task: static1
Behavioral task: behavioral1
  Sample: SOA.exe
  Resource: win7-20230712-en
Behavioral task: behavioral2
  Sample: SOA.exe
  Resource: win10v2004-20230703-en
General
- Target: SOA.exe
- Size: 323KB
- MD5: abfb9a130697d72c080b9611d6ea9353
- SHA1: 55eb6679cc759ec4c56e2049a63873a261f1ee99
- SHA256: 1011a1f84416383bfa9241516964b0d06ef81709b95677334fc65ff7b0323cf5
- SHA512: db7550e0a1972bcc22cdba54be2601e86e02c718d32fbe045a8d667fb8e5b802aba6753c12e8a0c6f0d875f9e93374d091b5ab588ebd2803cc6b7ec11368a457
- SSDEEP: 6144:/Ya6CHF1HCJfL7UrQlxEXTdCte4+Tt3/mENe2VkHMOJ:/YEl1Hkj7U8XEJCteJx3e4iHMS
Malware Config
Extracted
darkcloud
- email_from
- email_to
Signatures
-
Loads dropped DLL 1 IoCs
  pid   Process
  1732  SOA.exe
-
  resource                                                                     yara_rule
  behavioral1/memory/2032-63-0x0000000000400000-0x0000000000478000-memory.dmp  upx
  behavioral1/memory/2032-65-0x0000000000400000-0x0000000000478000-memory.dmp  upx
  behavioral1/memory/2032-67-0x0000000000400000-0x0000000000478000-memory.dmp  upx
  behavioral1/memory/2032-70-0x0000000000400000-0x0000000000478000-memory.dmp  upx
  behavioral1/memory/2032-71-0x0000000000400000-0x0000000000478000-memory.dmp  upx
  behavioral1/memory/2032-72-0x0000000000400000-0x0000000000478000-memory.dmp  upx
  behavioral1/memory/2032-73-0x0000000000400000-0x0000000000478000-memory.dmp  upx
  behavioral1/memory/2032-74-0x0000000000400000-0x0000000000478000-memory.dmp  upx
  behavioral1/memory/2032-75-0x0000000000400000-0x0000000000478000-memory.dmp  upx
  behavioral1/memory/2032-76-0x0000000000400000-0x0000000000478000-memory.dmp  upx
  behavioral1/memory/2032-77-0x0000000000400000-0x0000000000478000-memory.dmp  upx
  behavioral1/memory/2032-78-0x0000000000400000-0x0000000000478000-memory.dmp  upx
  behavioral1/memory/2032-79-0x0000000000400000-0x0000000000478000-memory.dmp  upx
  behavioral1/memory/2032-80-0x0000000000400000-0x0000000000478000-memory.dmp  upx
  behavioral1/memory/2032-81-0x0000000000400000-0x0000000000478000-memory.dmp  upx
  behavioral1/memory/2032-82-0x0000000000400000-0x0000000000478000-memory.dmp  upx
  behavioral1/memory/2032-83-0x0000000000400000-0x0000000000478000-memory.dmp  upx
  behavioral1/memory/2032-84-0x0000000000400000-0x0000000000478000-memory.dmp  upx
  behavioral1/memory/2032-85-0x0000000000400000-0x0000000000478000-memory.dmp  upx
-
Adds Run key to start application 2 TTPs 1 IoCs
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Windows\CurrentVersion\Run\xhdmirbwgpluqa = "C:\\Users\\Admin\\AppData\\Roaming\\vrbkgoktdyirn\\wsclhqavfbkso.exe \"C:\\Users\\Admin\\AppData\\Local\\Temp\\SOA.exe\""
  Process: SOA.exe
-
Suspicious use of SetThreadContext 1 IoCs
  description                             pid   Process  procid_target
  PID 1732 set thread context of 2032     1732  SOA.exe  28
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  pid   Process
  2032  SOA.exe
-
Suspicious behavior: MapViewOfSection 1 IoCs
  pid   Process
  1732  SOA.exe
-
Suspicious use of SetWindowsHookEx 1 IoCs
  pid   Process
  2032  SOA.exe
-
Suspicious use of WriteProcessMemory 5 IoCs
  description                             pid   Process  procid_target
  PID 1732 wrote to memory of 2032        1732  SOA.exe  28
  PID 1732 wrote to memory of 2032        1732  SOA.exe  28
  PID 1732 wrote to memory of 2032        1732  SOA.exe  28
  PID 1732 wrote to memory of 2032        1732  SOA.exe  28
  PID 1732 wrote to memory of 2032        1732  SOA.exe  28
Processes
- C:\Users\Admin\AppData\Local\Temp\SOA.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\SOA.exe"
  PID: 1732
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\SOA.exe (child of PID 1732)
    Command line: "C:\Users\Admin\AppData\Local\Temp\SOA.exe"
    PID: 2032
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 16KB
  MD5: ea26ac454e1c4f39b0969a0b43325ac8
  SHA1: 2cdda560fc267f2319de8f0abbd72b9662b34b4d
  SHA256: 7a7596d615e586b3accae15f1b98c86a6b2aeef4642915f150cf6930d3c136f7
  SHA512: fa871f6f349b70b144636010606c15a24e5be2f3a3544bc14e7d9bbb916caba65459c801fd7093aadb2b5ee1eb6e92180c72bed219f82f9f3382042c18113827