Analysis

max time kernel: 128s
max time network: 157s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 30/12/2023, 07:28
Static task: static1

Behavioral task: behavioral1
  Sample: 12255519906f8e866bec93da7a1a3794.exe
  Resource: win7-20231215-en

Behavioral task: behavioral2
  Sample: 12255519906f8e866bec93da7a1a3794.exe
  Resource: win10v2004-20231215-en

The signatures and process tree on this page come from the win10v2004-20231215-en run (behavioral2), matching the platform listed above.
General

Target: 12255519906f8e866bec93da7a1a3794.exe
Size: 58KB
MD5: 12255519906f8e866bec93da7a1a3794
SHA1: d539c3b58dcef517cf7f4175431716e18723596a
SHA256: b9e21cf406067cab25e3f3ffa75d36f64990ed4ec9cee093caa862d92ac74d31
SHA512: ec7bb0845fd15d26cf93742f27dcb967c6b679c1608875120eda8b809566db8dd70204b494e5fe7fb9d6f33f3480990ddd00996b7b7fe88d69e8179778313d2a
SSDEEP: 768:1zxzTK0TzGEabuRixyRVMkLOZM1KRgcxlPnJzAN7W1+ZhVSpHGStXxUe+WL8on:1zTL/RiofLOO10dHnZ8WAZhwpHxrsLQ
Malware Config

No configuration was extracted from the sample.

Signatures

Executes dropped EXE (1 IoC)
  pid 2204  iexplore.exe

Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mssysint = "iexplore.exe"  (process: 12255519906f8e866bec93da7a1a3794.exe)
  Note: the value is a bare file name rather than a full path, and it names the executable the same process drops into C:\Windows\SysWOW64 (see the next signature). The key sits under WOW6432Node because the sample is a 32-bit process writing HKLM\SOFTWARE on 64-bit Windows, where registry redirection maps that write to the 32-bit view.

Drops file in System32 directory (4 IoCs)
  File created: C:\Windows\SysWOW64\psinthk.dll  (process: 12255519906f8e866bec93da7a1a3794.exe)
  File created: C:\Windows\SysWOW64\iexplore.exe  (process: iexplore.exe)
  File created: C:\Windows\SysWOW64\iexplore.exe  (process: 12255519906f8e866bec93da7a1a3794.exe)
  File opened for modification: C:\Windows\SysWOW64\iexplore.exe  (process: 12255519906f8e866bec93da7a1a3794.exe)
  Note: Internet Explorer's real iexplore.exe ships under C:\Program Files\Internet Explorer and C:\Program Files (x86)\Internet Explorer, not under SysWOW64. A file of that name in SysWOW64 is a dropped binary masquerading under a familiar name; the Downloads section below shows its hashes match the submitted sample, so it is a copy of the sample itself.

Suspicious use of SetWindowsHookEx (4 IoCs)
  pid 4060  12255519906f8e866bec93da7a1a3794.exe  (2 calls)
  pid 2204  iexplore.exe  (2 calls)

Suspicious use of WriteProcessMemory (3 IoCs)
  PID 4060 (12255519906f8e866bec93da7a1a3794.exe) wrote to memory of PID 2204, procid_target 52, three times
  Note: all three writes go from the parent into the child it has just spawned. A plain CreateProcess also writes into the new process's address space, so this signature on its own is weak evidence of injection; it would be stronger if the target were an unrelated process or were followed by remote thread creation.
Processes

C:\Users\Admin\AppData\Local\Temp\12255519906f8e866bec93da7a1a3794.exe  (PID 4060)
  command line: "C:\Users\Admin\AppData\Local\Temp\12255519906f8e866bec93da7a1a3794.exe"
  - Adds Run key to start application
  - Drops file in System32 directory
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\iexplore.exe  (PID 2204, child of 4060)
    command line: C:\Windows\system32\iexplore.exe
    Note: the command line names system32, but the 32-bit parent is subject to WOW64 file-system redirection, so the file it created and then launched is the one in SysWOW64.
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of SetWindowsHookEx
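The signature rows and process tree above describe four behaviours worth checking in any sandbox or EDR output: a well-known executable name dropped outside its legitimate directory, a Run key value that points at a file the same process just dropped, a dropped file byte-identical to the sample, and WriteProcessMemory calls whose target is only the caller's own child. The following is an added example, not the sandbox's own code: it encodes those checks over an event list constructed by hand from this report's IoC rows. The event field names, the allow-list of legitimate directories and the severity labels are this example's assumptions.

```python
"""Behaviour checks modelled on the sandbox report's signature rows.

Added example for this page; it is not the sandbox's own code. The events
below are constructed by hand from the report's IoC lines; the field names,
the allow-list of legitimate binary locations and the severity labels are
this example's assumptions.
"""
import ntpath
from dataclasses import dataclass, field

# Values copied from the report's General section.
SAMPLE_NAME = "12255519906f8e866bec93da7a1a3794.exe"
SAMPLE_SHA256 = "b9e21cf406067cab25e3f3ffa75d36f64990ed4ec9cee093caa862d92ac74d31"

# Where the real binary of a given name ships. Assumption: a short allow-list
# covering only the name this report mentions; a production list is larger.
LEGIT_DIRS = {
    "iexplore.exe": {
        r"c:\program files\internet explorer",
        r"c:\program files (x86)\internet explorer",
    },
}


@dataclass
class Event:
    kind: str           # process_create | file_create | reg_set | process_write
    pid: int            # acting process
    data: dict = field(default_factory=dict)


# Constructed from the report's signature and process rows (not captured logs).
EVENTS = [
    Event("file_create", 4060, {"path": r"C:\Windows\SysWOW64\psinthk.dll"}),
    Event("file_create", 4060, {"path": r"C:\Windows\SysWOW64\iexplore.exe",
                                "sha256": SAMPLE_SHA256}),
    Event("reg_set", 4060, {
        "key": r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run",
        "name": "mssysint", "value": "iexplore.exe"}),
    Event("process_create", 4060, {"child_pid": 2204,
                                   "image": r"C:\Windows\SysWOW64\iexplore.exe"}),
    Event("process_write", 4060, {"target_pid": 2204}),
    Event("process_write", 4060, {"target_pid": 2204}),
    Event("process_write", 4060, {"target_pid": 2204}),
    Event("file_create", 2204, {"path": r"C:\Windows\SysWOW64\iexplore.exe"}),
]


def _split(path):
    """Lower-cased (directory, basename) of a Windows path, on any host OS."""
    d, name = ntpath.split(path)
    return d.lower(), name.lower()


def masquerading(events):
    """Executables dropped under a well-known name outside its legitimate directory (T1036.005)."""
    out = []
    for e in events:
        if e.kind != "file_create":
            continue
        d, name = _split(e.data["path"])
        if name in LEGIT_DIRS and d not in LEGIT_DIRS[name]:
            out.append((e.pid, e.data["path"]))
    return out


def run_key_persistence(events):
    """Run-key values, flagged when bare and when they name a file dropped in the same trace (T1547.001)."""
    dropped = {_split(e.data["path"])[1] for e in events if e.kind == "file_create"}
    out = []
    for e in events:
        if e.kind != "reg_set" or not e.data["key"].lower().endswith(r"\currentversion\run"):
            continue
        value = e.data["value"].strip('"')
        out.append({
            "name": e.data["name"],
            "value": value,
            "bare_name": ntpath.dirname(value) == "",      # no directory: resolved at logon
            "points_at_dropped_file": ntpath.basename(value).lower() in dropped,
        })
    return out


def self_copies(events, sample_sha256):
    """Dropped files whose hash equals the submitted sample (what the Downloads row shows)."""
    return [e.data["path"] for e in events
            if e.kind == "file_create" and e.data.get("sha256") == sample_sha256]


def process_writes(events):
    """Rate WriteProcessMemory targets: a child the writer itself created is what a
    plain CreateProcess looks like ('low'); any other target is 'high'."""
    children = {(e.pid, e.data["child_pid"]) for e in events if e.kind == "process_create"}
    out = []
    for e in events:
        if e.kind == "process_write":
            own_child = (e.pid, e.data["target_pid"]) in children
            out.append({"pid": e.pid, "target": e.data["target_pid"],
                        "severity": "low" if own_child else "high"})
    return out


if __name__ == "__main__":
    print("masquerading:", masquerading(EVENTS))
    print("run key:", run_key_persistence(EVENTS))
    print("self-copies:", self_copies(EVENTS, SAMPLE_SHA256))
    print("process writes:", process_writes(EVENTS))
```

Run against the constructed events, the masquerading check fires twice (once per process that created SysWOW64\iexplore.exe), the Run-key check reports a bare value that names a dropped file, the self-copy check returns the dropped iexplore.exe, and all three WriteProcessMemory events rate "low" because their only target is the writer's own child.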
Network

No network activity was recorded during the 157s network window.

MITRE ATT&CK Enterprise v15

Mapped from the signatures above:
  Persistence / Privilege Escalation: T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (the mssysint Run value)
  Defense Evasion: T1036.005 Masquerading: Match Legitimate Name or Location (iexplore.exe dropped into C:\Windows\SysWOW64)
Downloads

Dropped file
  Filesize: 58KB
  MD5: 12255519906f8e866bec93da7a1a3794
  SHA1: d539c3b58dcef517cf7f4175431716e18723596a
  SHA256: b9e21cf406067cab25e3f3ffa75d36f64990ed4ec9cee093caa862d92ac74d31
  SHA512: ec7bb0845fd15d26cf93742f27dcb967c6b679c1608875120eda8b809566db8dd70204b494e5fe7fb9d6f33f3480990ddd00996b7b7fe88d69e8179778313d2a
  These hashes are identical to the submitted sample's, so the dropped file is a byte-for-byte copy of 12255519906f8e866bec93da7a1a3794.exe.