Analysis
max time kernel: 177s
max time network: 188s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 30-12-2023 10:21
Static task: static1
Behavioral task: behavioral1
  Sample: 15bfe132c7e32d0b9d91ebfbde42d29a.exe
  Resource: win7-20231215-en
Behavioral task: behavioral2
  Sample: 15bfe132c7e32d0b9d91ebfbde42d29a.exe
  Resource: win10v2004-20231215-en
General
Target: 15bfe132c7e32d0b9d91ebfbde42d29a.exe
Size: 37KB
MD5: 15bfe132c7e32d0b9d91ebfbde42d29a
SHA1: 98bd7f4b3093f357e43f6d1f468a8bbe752ca8a2
SHA256: 25d15839a9a39e238fa0845e0eb36d4b0918550b3d43bbd90ae73917177fa44b
SHA512: 4e9221a81d65631b1798cd9499be9e75234f8d5e70b4d358c89290237619bc09391018db5409dbfa6738d15a18f0a8062b7e676222f4d19f0384b11c9192b411
SSDEEP: 768:xn+fXxEvL3l6Gb3lYF29eO+DdUd/o++vA19lAivQqJWpvVte:xjvL3Aq3lY8H/kgAivEvVQ
Malware Config
Signatures
Executes dropped EXE (1 IoC)
  pid   Process
  2244  ewyqww.exe

Drops file in System32 directory (2 IoCs)
  description                   ioc                             Process
  File created                  C:\Windows\SysWOW64\ewyqww.exe  15bfe132c7e32d0b9d91ebfbde42d29a.exe
  File opened for modification  C:\Windows\SysWOW64\ewyqww.exe  15bfe132c7e32d0b9d91ebfbde42d29a.exe

Suspicious use of SetThreadContext (1 IoC)
  description                          pid   Process     procid_target
  PID 2244 set thread context of 1476  2244  ewyqww.exe  89

Program crash (1 IoC)
  pid   pid_target  Process       procid_target
  2448  1476        WerFault.exe  89

Suspicious behavior: RenamesItself (1 IoC)
  pid   Process
  2008  15bfe132c7e32d0b9d91ebfbde42d29a.exe

Suspicious use of SetWindowsHookEx (4 IoCs)
  pid   Process
  2008  15bfe132c7e32d0b9d91ebfbde42d29a.exe
  2008  15bfe132c7e32d0b9d91ebfbde42d29a.exe
  2244  ewyqww.exe
  2244  ewyqww.exe

Suspicious use of WriteProcessMemory (5 IoCs)
  description                       pid   Process     procid_target
  PID 2244 wrote to memory of 1476  2244  ewyqww.exe  89
  PID 2244 wrote to memory of 1476  2244  ewyqww.exe  89
  PID 2244 wrote to memory of 1476  2244  ewyqww.exe  89
  PID 2244 wrote to memory of 1476  2244  ewyqww.exe  89
  PID 2244 wrote to memory of 1476  2244  ewyqww.exe  89
Processes
  C:\Users\Admin\AppData\Local\Temp\15bfe132c7e32d0b9d91ebfbde42d29a.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\15bfe132c7e32d0b9d91ebfbde42d29a.exe"
    PID: 2008
    - Drops file in System32 directory
    - Suspicious behavior: RenamesItself
    - Suspicious use of SetWindowsHookEx

  C:\Windows\SysWOW64\ewyqww.exe
    command line: C:\Windows\SysWOW64\ewyqww.exe
    PID: 2244
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\svchost.exe
      command line: svchost.exe
      PID: 1476

      C:\Windows\SysWOW64\WerFault.exe
        command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1476 -s 12
        PID: 2448
        - Program crash

  C:\Windows\SysWOW64\WerFault.exe
    command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 1476 -ip 1476
    PID: 4716
Network
MITRE ATT&CK Matrix
Downloads
Filesize: 37KB
MD5: 15bfe132c7e32d0b9d91ebfbde42d29a
SHA1: 98bd7f4b3093f357e43f6d1f468a8bbe752ca8a2
SHA256: 25d15839a9a39e238fa0845e0eb36d4b0918550b3d43bbd90ae73917177fa44b
SHA512: 4e9221a81d65631b1798cd9499be9e75234f8d5e70b4d358c89290237619bc09391018db5409dbfa6738d15a18f0a8062b7e676222f4d19f0384b11c9192b411