Analysis
- max time kernel: 148s
- max time network: 147s
- platform: windows7_x64
- resource: win7-20240508-en
- resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
- submitted: 19-05-2024 10:24
Behavioral task behavioral1
- Sample: 52a523a08d5f402c3ee7f143b85531d0b936ed04d8a137b43872e34ccb3ae087.exe
- Resource: win7-20240508-en
Behavioral task behavioral2
- Sample: 52a523a08d5f402c3ee7f143b85531d0b936ed04d8a137b43872e34ccb3ae087.exe
- Resource: win10v2004-20240426-en
General
- Target: 52a523a08d5f402c3ee7f143b85531d0b936ed04d8a137b43872e34ccb3ae087.exe
- Size: 60KB
- MD5: 086bc92d33eef1a2b85429e327c6c280
- SHA1: 3c35b99d55fa3aa88c3b1b09eb0911e7ba098063
- SHA256: 52a523a08d5f402c3ee7f143b85531d0b936ed04d8a137b43872e34ccb3ae087
- SHA512: c33a4fa63bfc8f1de5d8fef8462ae28929c735add70006fc4357bbccfb25981080bc5ba42d5ef4169ed771f0b97a07791fbf44cbbbae84dc72b5a1fc51a7f20e
- SSDEEP: 768:R8kXsqXMRKbsc+nJUlez5eYEqT5yXsqJRU7ihG1gfFNsHWP4jBS:207bszJUyeYEocJiu4gfFi2+A
Malware Config
Signatures
- YARA rule match: upx
Processes:
  resource: behavioral1/memory/2964-0-0x0000000000400000-0x0000000000410000-memory.dmp | yara_rule: upx
  resource: behavioral1/memory/2964-4-0x0000000000400000-0x0000000000410000-memory.dmp | yara_rule: upx
- Adds Run key to start application (2 TTPs, 1 IoC)
Processes:
  process: winver.exe | description: Set value (str) | ioc: \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\2AFE36D7 = "C:\\Users\\Admin\\AppData\\Roaming\\2AFE36D7\\bin.exe"
- Suspicious use of SetThreadContext (1 IoC)
Processes:
  description: PID 2964 set thread context of 2196 | process: 52a523a08d5f402c3ee7f143b85531d0b936ed04d8a137b43872e34ccb3ae087.exe | target process: 52a523a08d5f402c3ee7f143b85531d0b936ed04d8a137b43872e34ccb3ae087.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes:
  pid 1752 winver.exe (the same process, listed once per IoC, 64 times)
- Suspicious use of FindShellTrayWindow (1 IoC)
Processes:
  pid 1752 winver.exe
- Suspicious use of SetWindowsHookEx (1 IoC)
Processes:
  pid 2964 52a523a08d5f402c3ee7f143b85531d0b936ed04d8a137b43872e34ccb3ae087.exe
- Suspicious use of WriteProcessMemory (17 IoCs)
Processes:
  PID 2964 wrote to memory of 2196 | 52a523a08d5f402c3ee7f143b85531d0b936ed04d8a137b43872e34ccb3ae087.exe -> 52a523a08d5f402c3ee7f143b85531d0b936ed04d8a137b43872e34ccb3ae087.exe (7 IoCs)
  PID 2196 wrote to memory of 1752 | 52a523a08d5f402c3ee7f143b85531d0b936ed04d8a137b43872e34ccb3ae087.exe -> winver.exe (5 IoCs)
  PID 1752 wrote to memory of 1204 | winver.exe -> Explorer.EXE
  PID 1752 wrote to memory of 1120 | winver.exe -> taskhost.exe
  PID 1752 wrote to memory of 1176 | winver.exe -> Dwm.exe
  PID 1752 wrote to memory of 1204 | winver.exe -> Explorer.EXE
  PID 1752 wrote to memory of 1072 | winver.exe -> DllHost.exe
Processes (number in brackets is the depth in the process tree as reported)
- [1] C:\Windows\system32\taskhost.exe | command line: "taskhost.exe"
- [1] C:\Windows\system32\Dwm.exe | command line: "C:\Windows\system32\Dwm.exe"
- [1] C:\Windows\Explorer.EXE | command line: C:\Windows\Explorer.EXE
  - [2] C:\Users\Admin\AppData\Local\Temp\52a523a08d5f402c3ee7f143b85531d0b936ed04d8a137b43872e34ccb3ae087.exe | command line: "C:\Users\Admin\AppData\Local\Temp\52a523a08d5f402c3ee7f143b85531d0b936ed04d8a137b43872e34ccb3ae087.exe"
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - [3] C:\Users\Admin\AppData\Local\Temp\52a523a08d5f402c3ee7f143b85531d0b936ed04d8a137b43872e34ccb3ae087.exe | command line: "C:\Users\Admin\AppData\Local\Temp\52a523a08d5f402c3ee7f143b85531d0b936ed04d8a137b43872e34ccb3ae087.exe"
      - Suspicious use of WriteProcessMemory
      - [4] C:\Windows\SysWOW64\winver.exe | command line: winver
        - Adds Run key to start application
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of WriteProcessMemory
- [1] C:\Windows\system32\DllHost.exe | command line: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads (memory dumps, with file size)
- memory/1072-23-0x0000000001B70000-0x0000000001B76000-memory.dmp (24KB)
- memory/1072-31-0x0000000001B70000-0x0000000001B76000-memory.dmp (24KB)
- memory/1072-32-0x0000000077A81000-0x0000000077A82000-memory.dmp (4KB)
- memory/1120-28-0x0000000077A81000-0x0000000077A82000-memory.dmp (4KB)
- memory/1120-16-0x0000000000310000-0x0000000000316000-memory.dmp (24KB)
- memory/1120-27-0x0000000000310000-0x0000000000316000-memory.dmp (24KB)
- memory/1176-19-0x0000000001F90000-0x0000000001F96000-memory.dmp (24KB)
- memory/1176-33-0x0000000001F90000-0x0000000001F96000-memory.dmp (24KB)
- memory/1204-5-0x00000000021A0000-0x00000000021A6000-memory.dmp (24KB)
- memory/1204-9-0x00000000021A0000-0x00000000021A6000-memory.dmp (24KB)
- memory/1204-30-0x00000000021B0000-0x00000000021B6000-memory.dmp (24KB)
- memory/1204-6-0x00000000021A0000-0x00000000021A6000-memory.dmp (24KB)
- memory/1204-12-0x0000000077A81000-0x0000000077A82000-memory.dmp (4KB)
- memory/1204-21-0x00000000021B0000-0x00000000021B6000-memory.dmp (24KB)
- memory/1752-11-0x00000000004E0000-0x00000000004F6000-memory.dmp (88KB)
- memory/1752-7-0x00000000000F0000-0x00000000000F6000-memory.dmp (24KB)
- memory/1752-29-0x0000000077A30000-0x0000000077BD9000-memory.dmp (1.7MB)
- memory/1752-26-0x00000000002A0000-0x00000000002A6000-memory.dmp (24KB)
- memory/1752-10-0x00000000004E1000-0x00000000004E2000-memory.dmp (4KB)
- memory/1752-39-0x00000000002A0000-0x00000000002A6000-memory.dmp (24KB)
- memory/2196-3-0x0000000000400000-0x0000000000405000-memory.dmp (20KB)
- memory/2964-0-0x0000000000400000-0x0000000000410000-memory.dmp (64KB)
- memory/2964-4-0x0000000000400000-0x0000000000410000-memory.dmp (64KB)