Analysis
- max time kernel: 148s
- max time network: 153s
- platform: windows7_x64
- resource: win7-20240508-en
- resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
- submitted: 17-05-2024 21:47
Behavioral task: behavioral1
- Sample: 52a523a08d5f402c3ee7f143b85531d0b936ed04d8a137b43872e34ccb3ae087.exe
- Resource: win7-20240508-en
Behavioral task: behavioral2
- Sample: 52a523a08d5f402c3ee7f143b85531d0b936ed04d8a137b43872e34ccb3ae087.exe
- Resource: win10v2004-20240508-en
General
- Target: 52a523a08d5f402c3ee7f143b85531d0b936ed04d8a137b43872e34ccb3ae087.exe
- Size: 60KB
- MD5: 086bc92d33eef1a2b85429e327c6c280
- SHA1: 3c35b99d55fa3aa88c3b1b09eb0911e7ba098063
- SHA256: 52a523a08d5f402c3ee7f143b85531d0b936ed04d8a137b43872e34ccb3ae087
- SHA512: c33a4fa63bfc8f1de5d8fef8462ae28929c735add70006fc4357bbccfb25981080bc5ba42d5ef4169ed771f0b97a07791fbf44cbbbae84dc72b5a1fc51a7f20e
- SSDEEP: 768:R8kXsqXMRKbsc+nJUlez5eYEqT5yXsqJRU7ihG1gfFNsHWP4jBS:207bszJUyeYEocJiu4gfFi2+A
Malware Config
Signatures
-
UPX dump on OEP (original entry point) 2 IoCs
Processes:
resource                                                                    yara_rule
behavioral1/memory/1368-0-0x0000000000400000-0x0000000000410000-memory.dmp  UPX
behavioral1/memory/1368-5-0x0000000000400000-0x0000000000410000-memory.dmp  UPX
behavioral1/memory/1368-0-0x0000000000400000-0x0000000000410000-memory.dmp  upx
behavioral1/memory/1368-5-0x0000000000400000-0x0000000000410000-memory.dmp  upx
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes: winver.exe
description: Set value (str)
ioc: \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\5BB84654 = "C:\\Users\\Admin\\AppData\\Roaming\\5BB84654\\bin.exe"
process: winver.exe
-
Suspicious use of SetThreadContext 1 IoCs
Processes: 52a523a08d5f402c3ee7f143b85531d0b936ed04d8a137b43872e34ccb3ae087.exe
description: set thread context of 2316
pid: 1368
process: 52a523a08d5f402c3ee7f143b85531d0b936ed04d8a137b43872e34ccb3ae087.exe
target process: 52a523a08d5f402c3ee7f143b85531d0b936ed04d8a137b43872e34ccb3ae087.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes: winver.exe
pid: 2796, process: winver.exe (64 identical events)
-
Suspicious use of FindShellTrayWindow 1 IoCs
Processes: winver.exe
pid: 2796, process: winver.exe
-
Suspicious use of SetWindowsHookEx 1 IoCs
Processes: 52a523a08d5f402c3ee7f143b85531d0b936ed04d8a137b43872e34ccb3ae087.exe
pid: 1368, process: 52a523a08d5f402c3ee7f143b85531d0b936ed04d8a137b43872e34ccb3ae087.exe
-
Suspicious use of WriteProcessMemory 17 IoCs
Processes: 52a523a08d5f402c3ee7f143b85531d0b936ed04d8a137b43872e34ccb3ae087.exe, 52a523a08d5f402c3ee7f143b85531d0b936ed04d8a137b43872e34ccb3ae087.exe, winver.exe
description: wrote to memory of (repeated identical events collapsed with a count)
pid   process                                                                 target pid  target process                                                          events
1368  52a523a08d5f402c3ee7f143b85531d0b936ed04d8a137b43872e34ccb3ae087.exe  2316        52a523a08d5f402c3ee7f143b85531d0b936ed04d8a137b43872e34ccb3ae087.exe  7
2316  52a523a08d5f402c3ee7f143b85531d0b936ed04d8a137b43872e34ccb3ae087.exe  2796        winver.exe                                                              5
2796  winver.exe                                                              1148        Explorer.EXE                                                            2
2796  winver.exe                                                              1068        taskhost.exe                                                            1
2796  winver.exe                                                              1108        Dwm.exe                                                                 1
2796  winver.exe                                                              2416        DllHost.exe                                                             1
Processes (indented by process-tree depth; image path followed by command line)
- C:\Windows\system32\taskhost.exe  "taskhost.exe"
- C:\Windows\system32\Dwm.exe  "C:\Windows\system32\Dwm.exe"
- C:\Windows\Explorer.EXE  C:\Windows\Explorer.EXE
  - C:\Users\Admin\AppData\Local\Temp\52a523a08d5f402c3ee7f143b85531d0b936ed04d8a137b43872e34ccb3ae087.exe  "C:\Users\Admin\AppData\Local\Temp\52a523a08d5f402c3ee7f143b85531d0b936ed04d8a137b43872e34ccb3ae087.exe"
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\52a523a08d5f402c3ee7f143b85531d0b936ed04d8a137b43872e34ccb3ae087.exe  "C:\Users\Admin\AppData\Local\Temp\52a523a08d5f402c3ee7f143b85531d0b936ed04d8a137b43872e34ccb3ae087.exe"
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\winver.exe  winver
        - Adds Run key to start application
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of WriteProcessMemory
- C:\Windows\system32\DllHost.exe  C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
memory dump                                                       filesize
memory/1068-17-0x0000000002070000-0x0000000002076000-memory.dmp   24KB
memory/1068-31-0x0000000002070000-0x0000000002076000-memory.dmp   24KB
memory/1108-29-0x0000000001F90000-0x0000000001F96000-memory.dmp   24KB
memory/1108-19-0x0000000001F90000-0x0000000001F96000-memory.dmp   24KB
memory/1108-30-0x0000000077591000-0x0000000077592000-memory.dmp   4KB
memory/1148-7-0x0000000002100000-0x0000000002106000-memory.dmp    24KB
memory/1148-6-0x0000000002100000-0x0000000002106000-memory.dmp    24KB
memory/1148-10-0x0000000002100000-0x0000000002106000-memory.dmp   24KB
memory/1148-13-0x0000000077591000-0x0000000077592000-memory.dmp   4KB
memory/1148-32-0x0000000002110000-0x0000000002116000-memory.dmp   24KB
memory/1148-21-0x0000000002110000-0x0000000002116000-memory.dmp   24KB
memory/1368-3-0x0000000000280000-0x0000000000290000-memory.dmp    64KB
memory/1368-0-0x0000000000400000-0x0000000000410000-memory.dmp    64KB
memory/1368-5-0x0000000000400000-0x0000000000410000-memory.dmp    64KB
memory/2316-4-0x0000000000400000-0x0000000000405000-memory.dmp    20KB
memory/2416-33-0x0000000000100000-0x0000000000106000-memory.dmp   24KB
memory/2416-34-0x0000000077591000-0x0000000077592000-memory.dmp   4KB
memory/2416-24-0x0000000000100000-0x0000000000106000-memory.dmp   24KB
memory/2796-28-0x0000000077540000-0x00000000776E9000-memory.dmp   1.7MB
memory/2796-27-0x0000000000260000-0x0000000000266000-memory.dmp   24KB
memory/2796-11-0x0000000000F01000-0x0000000000F02000-memory.dmp   4KB
memory/2796-12-0x0000000000F00000-0x0000000000F16000-memory.dmp   88KB
memory/2796-8-0x0000000000120000-0x0000000000126000-memory.dmp    24KB
memory/2796-40-0x0000000000260000-0x0000000000266000-memory.dmp   24KB