Analysis
-
max time kernel
150s -
max time network
155s -
platform
windows10-2004_x64 -
resource
win10v2004-20231127-en -
resource tags
arch:x64arch:x86image:win10v2004-20231127-enlocale:en-usos:windows10-2004-x64system -
submitted
08/12/2023, 05:28
Behavioral task
behavioral1
Sample
f2fc86ac97be7dd994c3d20ee9a58f48eb7dc780ea273daf24c5343b90bb9973.exe
Resource
win7-20231020-en
Behavioral task
behavioral2
Sample
f2fc86ac97be7dd994c3d20ee9a58f48eb7dc780ea273daf24c5343b90bb9973.exe
Resource
win10v2004-20231127-en
General
-
Target
f2fc86ac97be7dd994c3d20ee9a58f48eb7dc780ea273daf24c5343b90bb9973.exe
-
Size
11.5MB
-
MD5
e0ac8681c53c9caf51042246b15d122d
-
SHA1
90cf66858157540e6c39fb2c4b2d4562c16f935c
-
SHA256
f2fc86ac97be7dd994c3d20ee9a58f48eb7dc780ea273daf24c5343b90bb9973
-
SHA512
f970b3c3acc9aa1a026f9d3f4133e76e04fca86ea2e56db56b1de60dc15123f17caef8ff24a5b7eda8029026c73b2364695e9eebf2bad503c405f26dba98ce7c
-
SSDEEP
196608:HPCUhW2aj2/yZL8W/q2F54b85va9QX+9bueDD0z3au7fuCalZozAR8E:KEWD2/yKWqIuF9bnDD0jaouCzs
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
pid Process 4228 Patch.exe -
Loads dropped DLL 2 IoCs
pid Process 4228 Patch.exe 4228 Patch.exe -
resource yara_rule behavioral2/memory/3520-2-0x0000000000400000-0x0000000001939000-memory.dmp vmprotect behavioral2/memory/3520-1-0x0000000000400000-0x0000000001939000-memory.dmp vmprotect behavioral2/files/0x0006000000023204-16.dat vmprotect behavioral2/files/0x0006000000023204-17.dat vmprotect behavioral2/memory/4228-23-0x0000000000400000-0x0000000000EF0000-memory.dmp vmprotect behavioral2/memory/4228-27-0x0000000000400000-0x0000000000EF0000-memory.dmp vmprotect behavioral2/memory/4228-44-0x0000000000400000-0x0000000000EF0000-memory.dmp vmprotect behavioral2/memory/3520-48-0x0000000000400000-0x0000000001939000-memory.dmp vmprotect -
Drops file in System32 directory 2 IoCs
description ioc Process File created C:\Windows\SysWOW64\ESPI11.dll Patch.exe File opened for modification C:\Windows\SysWOW64\ESPI11.dll Patch.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs
pid Process 3520 f2fc86ac97be7dd994c3d20ee9a58f48eb7dc780ea273daf24c5343b90bb9973.exe 3520 f2fc86ac97be7dd994c3d20ee9a58f48eb7dc780ea273daf24c5343b90bb9973.exe 4228 Patch.exe 4228 Patch.exe -
Suspicious behavior: EnumeratesProcesses 12 IoCs
pid Process 3520 f2fc86ac97be7dd994c3d20ee9a58f48eb7dc780ea273daf24c5343b90bb9973.exe 3520 f2fc86ac97be7dd994c3d20ee9a58f48eb7dc780ea273daf24c5343b90bb9973.exe 4228 Patch.exe 4228 Patch.exe 3520 f2fc86ac97be7dd994c3d20ee9a58f48eb7dc780ea273daf24c5343b90bb9973.exe 3520 f2fc86ac97be7dd994c3d20ee9a58f48eb7dc780ea273daf24c5343b90bb9973.exe 3520 f2fc86ac97be7dd994c3d20ee9a58f48eb7dc780ea273daf24c5343b90bb9973.exe 3520 f2fc86ac97be7dd994c3d20ee9a58f48eb7dc780ea273daf24c5343b90bb9973.exe 4228 Patch.exe 4228 Patch.exe 3520 f2fc86ac97be7dd994c3d20ee9a58f48eb7dc780ea273daf24c5343b90bb9973.exe 3520 f2fc86ac97be7dd994c3d20ee9a58f48eb7dc780ea273daf24c5343b90bb9973.exe -
Suspicious use of SetWindowsHookEx 4 IoCs
pid Process 3520 f2fc86ac97be7dd994c3d20ee9a58f48eb7dc780ea273daf24c5343b90bb9973.exe 3520 f2fc86ac97be7dd994c3d20ee9a58f48eb7dc780ea273daf24c5343b90bb9973.exe 4228 Patch.exe 4228 Patch.exe -
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 3520 wrote to memory of 4228 3520 f2fc86ac97be7dd994c3d20ee9a58f48eb7dc780ea273daf24c5343b90bb9973.exe 89 PID 3520 wrote to memory of 4228 3520 f2fc86ac97be7dd994c3d20ee9a58f48eb7dc780ea273daf24c5343b90bb9973.exe 89 PID 3520 wrote to memory of 4228 3520 f2fc86ac97be7dd994c3d20ee9a58f48eb7dc780ea273daf24c5343b90bb9973.exe 89
Processes
-
C:\Users\Admin\AppData\Local\Temp\f2fc86ac97be7dd994c3d20ee9a58f48eb7dc780ea273daf24c5343b90bb9973.exe"C:\Users\Admin\AppData\Local\Temp\f2fc86ac97be7dd994c3d20ee9a58f48eb7dc780ea273daf24c5343b90bb9973.exe"1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3520 -
C:\Users\Admin\AppData\Local\Temp\Patch.exeC:\Users\Admin\AppData\Local\Temp\\Patch.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4228
-
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
120KB
MD5c3adbb35a05b44bc877a895d273aa270
SHA18afe20d8261d217fd23ccfe53bd45ad3bec82d2d
SHA256b2b2ea9737587313d420bde96a42063c002a83e35d9f987f8ec0d5d4d96c262c
SHA512614dc24e3368047d68e2833ecdf9cda1f5ef290fc74287769a70df46bfa937386ce2e1332b3bada0f7e54b470ecdfe7c8bbd4ec3fa1c815f52993bb7edb93afc
-
Filesize
120KB
MD5c3adbb35a05b44bc877a895d273aa270
SHA18afe20d8261d217fd23ccfe53bd45ad3bec82d2d
SHA256b2b2ea9737587313d420bde96a42063c002a83e35d9f987f8ec0d5d4d96c262c
SHA512614dc24e3368047d68e2833ecdf9cda1f5ef290fc74287769a70df46bfa937386ce2e1332b3bada0f7e54b470ecdfe7c8bbd4ec3fa1c815f52993bb7edb93afc
-
Filesize
120KB
MD5c3adbb35a05b44bc877a895d273aa270
SHA18afe20d8261d217fd23ccfe53bd45ad3bec82d2d
SHA256b2b2ea9737587313d420bde96a42063c002a83e35d9f987f8ec0d5d4d96c262c
SHA512614dc24e3368047d68e2833ecdf9cda1f5ef290fc74287769a70df46bfa937386ce2e1332b3bada0f7e54b470ecdfe7c8bbd4ec3fa1c815f52993bb7edb93afc
-
Filesize
6.1MB
MD5757d9e9d11e35d3763c07743fcc6e7ed
SHA12037c66cac11ab802065c4dcac9866d74bab41c5
SHA2560ec52b0bd46c831fbc7dc9dd2164f9821c16009dafd6c4191053420838f18637
SHA5121f7029fdea1a135a3f2944a6f25c50897f494ebf437fadb4600c05c83c2bb75dad36b00a77ff5d231cbe6e3ffb8f2c02c8eb4b496f56719736f9ebd7482fbeb1
-
Filesize
6.1MB
MD5757d9e9d11e35d3763c07743fcc6e7ed
SHA12037c66cac11ab802065c4dcac9866d74bab41c5
SHA2560ec52b0bd46c831fbc7dc9dd2164f9821c16009dafd6c4191053420838f18637
SHA5121f7029fdea1a135a3f2944a6f25c50897f494ebf437fadb4600c05c83c2bb75dad36b00a77ff5d231cbe6e3ffb8f2c02c8eb4b496f56719736f9ebd7482fbeb1
-
Filesize
120KB
MD5c3adbb35a05b44bc877a895d273aa270
SHA18afe20d8261d217fd23ccfe53bd45ad3bec82d2d
SHA256b2b2ea9737587313d420bde96a42063c002a83e35d9f987f8ec0d5d4d96c262c
SHA512614dc24e3368047d68e2833ecdf9cda1f5ef290fc74287769a70df46bfa937386ce2e1332b3bada0f7e54b470ecdfe7c8bbd4ec3fa1c815f52993bb7edb93afc