Analysis
-
max time kernel: 142s
max time network: 124s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted: 30-12-2023 03:57
-
Behavioral task: behavioral1
Sample: 0da582b7d6cdf20189b6691fbf97baeb.exe
Resource: win7-20231215-en
6 signatures
150 seconds
General
-
Target: 0da582b7d6cdf20189b6691fbf97baeb.exe
Size: 282KB
MD5: 0da582b7d6cdf20189b6691fbf97baeb
SHA1: aa93f91682748c3ccd89fb7a9198924fc8a5f5e9
SHA256: 60298bdfe71a400ccbad7019ecbf567f42cff4e55fd43e37ba3ce884c889a290
SHA512: 738f1f971e8cf31a82beb40b585b57d29a383a23769307fb1d01efa227f8c7499570c8fcd622fe412cdc96d1a63015d349ead878e0efca325f2bfcd29ae19ae2
SSDEEP: 6144:FxJsGt6PHoxDNT/xQphU+jrlgzfuzt91C9NDyWId98HhqbxtHGZo:XJsGEH4h/xQp6+tqOYy9zo0x
Score: 8/10
Malware Config
Signatures
-
Adds policy Run key to start application (2 TTPs, 4 IoCs)
Processes: 0da582b7d6cdf20189b6691fbf97baeb.exe
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "c:\\directory\\Microsoft\\Pluguin\\Microsoft\\Pluguin.exe" | 0da582b7d6cdf20189b6691fbf97baeb.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | 0da582b7d6cdf20189b6691fbf97baeb.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "c:\\directory\\Microsoft\\Pluguin\\Microsoft\\Pluguin.exe" | 0da582b7d6cdf20189b6691fbf97baeb.exe
  Key created | \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | 0da582b7d6cdf20189b6691fbf97baeb.exe
-
Modifies Installed Components in the registry (2 TTPs, 2 IoCs)
Processes: 0da582b7d6cdf20189b6691fbf97baeb.exe
  description | ioc | process
  Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{X8RA541Q-6OQ3-7J22-I40G-42J2IP81RXX5} | 0da582b7d6cdf20189b6691fbf97baeb.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{X8RA541Q-6OQ3-7J22-I40G-42J2IP81RXX5}\StubPath = "c:\\directory\\Microsoft\\Pluguin\\Microsoft\\Pluguin.exe Restart" | 0da582b7d6cdf20189b6691fbf97baeb.exe
-
Adds Run key to start application (2 TTPs, 2 IoCs)
Processes: 0da582b7d6cdf20189b6691fbf97baeb.exe
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Windows\CurrentVersion\Run\Avirnt = "c:\\directory\\Microsoft\\Pluguin\\Microsoft\\Pluguin.exe" | 0da582b7d6cdf20189b6691fbf97baeb.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Avgnt = "c:\\directory\\Microsoft\\Pluguin\\Microsoft\\Pluguin.exe" | 0da582b7d6cdf20189b6691fbf97baeb.exe
-
Suspicious behavior: EnumeratesProcesses (1 IoC)
Processes: 0da582b7d6cdf20189b6691fbf97baeb.exe
  pid | process
  3068 | 0da582b7d6cdf20189b6691fbf97baeb.exe
-
Suspicious use of FindShellTrayWindow (1 IoC)
Processes: 0da582b7d6cdf20189b6691fbf97baeb.exe
  pid | process
  3068 | 0da582b7d6cdf20189b6691fbf97baeb.exe
-
Suspicious use of WriteProcessMemory (64 IoCs)
Processes: 0da582b7d6cdf20189b6691fbf97baeb.exe
  description | pid | process | target process
  PID 3068 wrote to memory of 1324 | 3068 | 0da582b7d6cdf20189b6691fbf97baeb.exe | Explorer.EXE
  (the same entry is recorded 64 times)
Processes
-
1. C:\Windows\Explorer.EXE
   command line: C:\Windows\Explorer.EXE
   2. C:\Users\Admin\AppData\Local\Temp\0da582b7d6cdf20189b6691fbf97baeb.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\0da582b7d6cdf20189b6691fbf97baeb.exe"
      - Adds policy Run key to start application
      - Modifies Installed Components in the registry
      - Adds Run key to start application
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\explorer.exe
         command line: explorer.exe