Analysis
max time kernel: 144s
max time network: 146s
platform: windows10-2004_x64
resource: win10v2004-20230703-en
resource tags: arch:x64 arch:x86 image:win10v2004-20230703-en locale:en-us os:windows10-2004-x64 system
submitted: 25/07/2023, 07:42
Static task: static1
Behavioral task: behavioral1
  Sample: SOA.exe
  Resource: win7-20230712-en
Behavioral task: behavioral2
  Sample: SOA.exe
  Resource: win10v2004-20230703-en
General
Target: SOA.exe
Size: 323KB
MD5: abfb9a130697d72c080b9611d6ea9353
SHA1: 55eb6679cc759ec4c56e2049a63873a261f1ee99
SHA256: 1011a1f84416383bfa9241516964b0d06ef81709b95677334fc65ff7b0323cf5
SHA512: db7550e0a1972bcc22cdba54be2601e86e02c718d32fbe045a8d667fb8e5b802aba6753c12e8a0c6f0d875f9e93374d091b5ab588ebd2803cc6b7ec11368a457
SSDEEP: 6144:/Ya6CHF1HCJfL7UrQlxEXTdCte4+Tt3/mENe2VkHMOJ:/YEl1Hkj7U8XEJCteJx3e4iHMS
Malware Config
Extracted: darkcloud
- email_from
- email_to
Signatures

Loads dropped DLL (1 IoC)
  pid | Process
  2788 | SOA.exe

(signature title not present on the page; 20 IoCs)
  resource | yara_rule
  behavioral2/memory/4752-141-0x0000000000400000-0x0000000000478000-memory.dmp | upx
  behavioral2/memory/4752-143-0x0000000000400000-0x0000000000478000-memory.dmp | upx
  behavioral2/memory/4752-144-0x0000000000400000-0x0000000000478000-memory.dmp | upx
  behavioral2/memory/4752-145-0x0000000000400000-0x0000000000478000-memory.dmp | upx
  behavioral2/memory/4752-148-0x0000000000400000-0x0000000000478000-memory.dmp | upx
  behavioral2/memory/4752-149-0x0000000000400000-0x0000000000478000-memory.dmp | upx
  behavioral2/memory/4752-150-0x0000000000400000-0x0000000000478000-memory.dmp | upx
  behavioral2/memory/4752-151-0x0000000000400000-0x0000000000478000-memory.dmp | upx
  behavioral2/memory/4752-152-0x0000000000400000-0x0000000000478000-memory.dmp | upx
  behavioral2/memory/4752-153-0x0000000000400000-0x0000000000478000-memory.dmp | upx
  behavioral2/memory/4752-154-0x0000000000400000-0x0000000000478000-memory.dmp | upx
  behavioral2/memory/4752-155-0x0000000000400000-0x0000000000478000-memory.dmp | upx
  behavioral2/memory/4752-156-0x0000000000400000-0x0000000000478000-memory.dmp | upx
  behavioral2/memory/4752-157-0x0000000000400000-0x0000000000478000-memory.dmp | upx
  behavioral2/memory/4752-158-0x0000000000400000-0x0000000000478000-memory.dmp | upx
  behavioral2/memory/4752-159-0x0000000000400000-0x0000000000478000-memory.dmp | upx
  behavioral2/memory/4752-160-0x0000000000400000-0x0000000000478000-memory.dmp | upx
  behavioral2/memory/4752-161-0x0000000000400000-0x0000000000478000-memory.dmp | upx
  behavioral2/memory/4752-162-0x0000000000400000-0x0000000000478000-memory.dmp | upx
  behavioral2/memory/4752-163-0x0000000000400000-0x0000000000478000-memory.dmp | upx

Adds Run key to start application (2 TTPs, 1 IoC)
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xhdmirbwgpluqa = "C:\\Users\\Admin\\AppData\\Roaming\\vrbkgoktdyirn\\wsclhqavfbkso.exe \"C:\\Users\\Admin\\AppData\\Local\\Temp\\SOA.exe\""
  Process: SOA.exe

Suspicious use of SetThreadContext (1 IoC)
  description | pid | Process | procid_target
  PID 2788 set thread context of 4752 | 2788 | SOA.exe | 86

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid | Process
  4752 | SOA.exe

Suspicious behavior: MapViewOfSection (1 IoC)
  pid | Process
  2788 | SOA.exe

Suspicious use of SetWindowsHookEx (1 IoC)
  pid | Process
  4752 | SOA.exe

Suspicious use of WriteProcessMemory (4 IoCs)
  description | pid | Process | procid_target
  PID 2788 wrote to memory of 4752 | 2788 | SOA.exe | 86
  (this entry is repeated four times in the report)
Processes

C:\Users\Admin\AppData\Local\Temp\SOA.exe  "C:\Users\Admin\AppData\Local\Temp\SOA.exe"  (tree depth 1, PID 2788)
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\SOA.exe  "C:\Users\Admin\AppData\Local\Temp\SOA.exe"  (tree depth 2, PID 4752)
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 16KB
MD5: ea26ac454e1c4f39b0969a0b43325ac8
SHA1: 2cdda560fc267f2319de8f0abbd72b9662b34b4d
SHA256: 7a7596d615e586b3accae15f1b98c86a6b2aeef4642915f150cf6930d3c136f7
SHA512: fa871f6f349b70b144636010606c15a24e5be2f3a3544bc14e7d9bbb916caba65459c801fd7093aadb2b5ee1eb6e92180c72bed219f82f9f3382042c18113827