Analysis
- max time kernel: 140s
- max time network: 120s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 04-03-2024 03:11
Behavioral task: behavioral1
- Sample: b112a18ff573b178d747b3dabaf43cb0.exe
- Resource: win7-20240221-en
- 7 signatures
- 150 seconds

Behavioral task: behavioral2
- Sample: b112a18ff573b178d747b3dabaf43cb0.exe
- Resource: win10v2004-20240226-en
- 15 signatures
- 150 seconds
General
- Target: b112a18ff573b178d747b3dabaf43cb0.exe
- Size: 686KB
- MD5: b112a18ff573b178d747b3dabaf43cb0
- SHA1: ce315ae15ee19f1607ff2c6decbe7f5b2e400354
- SHA256: aa542f2c7e095a2454833c52310da90fb5665099ad6bdd21e383e695de3afbcd
- SHA512: 3cd5602e08f30833473a88db56fa3afd0a448fd493ce77d60913cbf0a8b401a49a50697f421f773341d4a5b04debf09bb0727b251c2888f43bc9ed7f5fce6445
- SSDEEP: 12288:UcD663UqANQ4dLOSwCDfJqlE6uGiGSAlVLuBRzXA2oAMHVB66EYAUTS9D/ksSzQB:UxXLtwCc26uGi2VCHXSBzTaDMsAQR3
- Score: 8/10
Malware Config

Signatures
Adds policy Run key to start application (2 TTPs, 4 IoCs)
Processes: b112a18ff573b178d747b3dabaf43cb0.exe
- Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run (process: b112a18ff573b178d747b3dabaf43cb0.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\Carpeta\\win32.exe" (process: b112a18ff573b178d747b3dabaf43cb0.exe)
- Key created: \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run (process: b112a18ff573b178d747b3dabaf43cb0.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\Carpeta\\win32.exe" (process: b112a18ff573b178d747b3dabaf43cb0.exe)
Modifies Installed Components in the registry (2 TTPs, 2 IoCs)
Processes: b112a18ff573b178d747b3dabaf43cb0.exe
- Key created: \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{08B0E5JF-4FCB-11CF-AAA5-00401C6XX500} (process: b112a18ff573b178d747b3dabaf43cb0.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{08B0E5JF-4FCB-11CF-AAA5-00401C6XX500}\StubPath = "C:\\Windows\\Carpeta\\win32.exe Restart" (process: b112a18ff573b178d747b3dabaf43cb0.exe)
Adds Run key to start application (2 TTPs, 2 IoCs)
Processes: b112a18ff573b178d747b3dabaf43cb0.exe
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\Carpeta\\win32.exe" (process: b112a18ff573b178d747b3dabaf43cb0.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\Carpeta\\win32.exe" (process: b112a18ff573b178d747b3dabaf43cb0.exe)
Drops file in Windows directory (2 IoCs)
Processes: b112a18ff573b178d747b3dabaf43cb0.exe
- File created: C:\Windows\Carpeta\win32.exe (process: b112a18ff573b178d747b3dabaf43cb0.exe)
- File opened for modification: C:\Windows\Carpeta\win32.exe (process: b112a18ff573b178d747b3dabaf43cb0.exe)
Suspicious behavior: EnumeratesProcesses (1 IoC)
Processes: b112a18ff573b178d747b3dabaf43cb0.exe
- pid 2192, process b112a18ff573b178d747b3dabaf43cb0.exe
Suspicious use of FindShellTrayWindow (1 IoC)
Processes: b112a18ff573b178d747b3dabaf43cb0.exe
- pid 2192, process b112a18ff573b178d747b3dabaf43cb0.exe
Suspicious use of WriteProcessMemory (64 IoCs)
Processes: b112a18ff573b178d747b3dabaf43cb0.exe
- description: PID 2192 wrote to memory of 1232; pid: 2192; process: b112a18ff573b178d747b3dabaf43cb0.exe; procid_target: 21
  (this identical entry is recorded 64 times in the report)
Processes
- C:\Windows\Explorer.EXE (command line: C:\Windows\Explorer.EXE), PID 1232
  - C:\Users\Admin\AppData\Local\Temp\b112a18ff573b178d747b3dabaf43cb0.exe (command line: "C:\Users\Admin\AppData\Local\Temp\b112a18ff573b178d747b3dabaf43cb0.exe"), PID 2192
    - Adds policy Run key to start application
    - Modifies Installed Components in the registry
    - Adds Run key to start application
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\explorer.exe (command line: explorer.exe), PID 1404