Analysis
- max time kernel: 141s
- max time network: 121s
- platform: windows7_x64
- resource: win7-20240215-en
- resource tags: arch:x64, arch:x86, image:win7-20240215-en, locale:en-us, os:windows7-x64, system
- submitted: 12-03-2024 02:35
Behavioral task: behavioral1
- Sample: c23cf254ea9955ac6b67983995bdd11a.exe
- Resource: win7-20240215-en
- 5 signatures
- 150 seconds

Behavioral task: behavioral2
- Sample: c23cf254ea9955ac6b67983995bdd11a.exe
- Resource: win10v2004-20240226-en
- 2 signatures
- 150 seconds
General
- Target: c23cf254ea9955ac6b67983995bdd11a.exe
- Size: 55KB
- MD5: c23cf254ea9955ac6b67983995bdd11a
- SHA1: fcc1244a53e532a0994b81ee52daa03e1553d61d
- SHA256: 9b29bd1819fd48001b3ed2c9b7aa86e3a52a5d2a27693186908dc5fbcf1f5ff2
- SHA512: 9dc1ed32591c40f4183f630300f8c4c151666697646c7e8120a3e0f6e3529e7c6201325f0f7d2c6a366a660f95d56639f3dc61ad51dd27638eadb90859ef2808
- SSDEEP: 1536:b8rVMZt8VZ3dshVq1afWWgjNddzO6RT0iDjarVD:b8+cZNuq12mddzO6K
- Score: 8/10
Malware Config
Signatures
- Adds policy Run key to start application (2 TTPs, 2 IoCs)
  Processes: svchost.exe
  description: Key created | ioc: \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | process: svchost.exe
  description: Set value (str) | ioc: \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Microsoft = "C:\\Users\\Admin\\AppData\\Roaming\\smss.exe" | process: svchost.exe
- Deletes itself (1 IoC)
  Processes: svchost.exe
  pid: 2264 | process: svchost.exe
- Processes:
  resource: behavioral1/memory/1756-0-0x0000000000400000-0x0000000000423000-memory.dmp | yara_rule: upx
- Suspicious behavior: MapViewOfSection (2 IoCs)
  Processes: c23cf254ea9955ac6b67983995bdd11a.exe
  pid: 1756 | process: c23cf254ea9955ac6b67983995bdd11a.exe
  pid: 1756 | process: c23cf254ea9955ac6b67983995bdd11a.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes: c23cf254ea9955ac6b67983995bdd11a.exe
  description: PID 1756 wrote to memory of 2264 | pid: 1756 | process: c23cf254ea9955ac6b67983995bdd11a.exe | target process: svchost.exe
  description: PID 1756 wrote to memory of 2264 | pid: 1756 | process: c23cf254ea9955ac6b67983995bdd11a.exe | target process: svchost.exe
  description: PID 1756 wrote to memory of 2264 | pid: 1756 | process: c23cf254ea9955ac6b67983995bdd11a.exe | target process: svchost.exe
  description: PID 1756 wrote to memory of 2264 | pid: 1756 | process: c23cf254ea9955ac6b67983995bdd11a.exe | target process: svchost.exe
Processes
- (1) C:\Users\Admin\AppData\Local\Temp\c23cf254ea9955ac6b67983995bdd11a.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\c23cf254ea9955ac6b67983995bdd11a.exe"
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  - (2) C:\Windows\SysWOW64\svchost.exe
    command line: svchost.exe
    - Adds policy Run key to start application
    - Deletes itself
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- memory/1756-0-0x0000000000400000-0x0000000000423000-memory.dmp (Filesize: 140KB)
- memory/1756-1-0x0000000000220000-0x0000000000224000-memory.dmp (Filesize: 16KB)
- memory/1756-2-0x0000000000400000-0x0000000000423000-memory.dmp (Filesize: 140KB)
- memory/2264-4-0x0000000000740000-0x0000000000748000-memory.dmp (Filesize: 32KB)
- memory/2264-3-0x0000000000740000-0x0000000000748000-memory.dmp (Filesize: 32KB)
- memory/2264-8-0x0000000000030000-0x000000000003B000-memory.dmp (Filesize: 44KB)
- memory/2264-10-0x0000000000030000-0x000000000003B000-memory.dmp (Filesize: 44KB)
- memory/2264-9-0x0000000000080000-0x0000000000084000-memory.dmp (Filesize: 16KB)
- memory/2264-13-0x0000000000030000-0x000000000003B000-memory.dmp (Filesize: 44KB)