dc2060e286f48048f8a12ed332bdfa12b3c53692beb06ebfa4d774009b272e56

Analysis

max time kernel
135s
max time network
120s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
11-01-2024 21:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

549422597b561cd4aab5dcdb810b2776.exe
Size

1.9MB
MD5

549422597b561cd4aab5dcdb810b2776
SHA1

5be64f8c3e2a0d6c0d9de93ef76dd6d0c8a6e0f1
SHA256

dc2060e286f48048f8a12ed332bdfa12b3c53692beb06ebfa4d774009b272e56
SHA512

332696bc3bfc44429f6386ea0ea253286f5608b9ed35dfe71551f6fa80780b3cf230858134ff212e0f01a2e2cc5ef581b78b2682cd5819f1396243cb55b2f002
SSDEEP

24576:N0fV6Lz9F0Yup//qA8EdXmX+5dqDGUSxCtxRMfaFIS/chlYJALELQgDWh0RWxKk:2fV6LzYdX7BdXmXYFXIx0anqh0I

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2380	Sky81C.tmp.EXE

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main	549422597b561cd4aab5dcdb810b2776.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2364	549422597b561cd4aab5dcdb810b2776.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2364	549422597b561cd4aab5dcdb810b2776.exe
2364	549422597b561cd4aab5dcdb810b2776.exe
2364	549422597b561cd4aab5dcdb810b2776.exe
2364	549422597b561cd4aab5dcdb810b2776.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2364 wrote to memory of 2380	2364	549422597b561cd4aab5dcdb810b2776.exe	28
PID 2364 wrote to memory of 2380	2364	549422597b561cd4aab5dcdb810b2776.exe	28
PID 2364 wrote to memory of 2380	2364	549422597b561cd4aab5dcdb810b2776.exe	28
PID 2364 wrote to memory of 2380	2364	549422597b561cd4aab5dcdb810b2776.exe	28

C:\Users\Admin\AppData\Local\Temp\549422597b561cd4aab5dcdb810b2776.exe
"C:\Users\Admin\AppData\Local\Temp\549422597b561cd4aab5dcdb810b2776.exe"
1⤵
- Modifies Internet Explorer settings
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2364
- C:\Users\Admin\AppData\Local\Temp\Sky81C.tmp.EXE
  "C:\Users\Admin\AppData\Local\Temp\Sky81C.tmp.EXE" 001042700063
  2⤵
  - Executes dropped EXE
  PID:2380

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Sky81C.tmp.EXE

Filesize
148KB

MD5
bfef9fc1435d730aaa1bf2a9ce13832b

SHA1
bd27bc0d5edab52c17a66befa59ce44411a4419d

SHA256
79f0bcfaee082a83e0b3e10f1bd567c98ac135cc15cb6e14c2a734b5f6f8fe10

SHA512
1316db558a3a4c58e1e348c661a8d4ea8a9ae03fb986cb5a1e81c5a642f2cec1cec22e30a701e23fd42118e1981c3915c40395663ff983d89dd85bbacb963a07

Download Submit
memory/2364-0-0x00000000005F0000-0x00000000005F1000-memory.dmp

Filesize
4KB

Download
memory/2364-16-0x00000000005F0000-0x00000000005F1000-memory.dmp

Filesize
4KB

Download