Analysis
max time kernel: 149s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240426-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
submitted: 10/06/2024, 21:47
Static task: static1
Behavioral task: behavioral1
  Sample: VirusShare_86cb2b525e0d0bbf1351b11b4834bdd7.exe
  Resource: win7-20240508-en
Behavioral task: behavioral2
  Sample: VirusShare_86cb2b525e0d0bbf1351b11b4834bdd7.exe
  Resource: win10v2004-20240426-en
General
Target: VirusShare_86cb2b525e0d0bbf1351b11b4834bdd7.exe
Size: 358KB
MD5: 86cb2b525e0d0bbf1351b11b4834bdd7
SHA1: 22d77c58d1a7bc06adec09bca43668e5dc4241e2
SHA256: 1e1939ea1961ee1e05285b2ba1a7b7f4e52c41724c8d6d256c2976ecdd919431
SHA512: 95d4a2775f63ffac5db6a2b924a9fe4ac9ce0db7daa565b3f973db0dd03f222d7a90796cd4eb284aab3fd496d67976769c5f234914da40b2fe545a5d7c61926b
SSDEEP: 6144:KjbeiH734HMnpRMID1aM1+9RXZE5Yel6ZVgtdKBfZDkZeFoS3RFDoxSuLH:KuLwprD1aAKZNQMnZDHFP3Xcn
Malware Config
Signatures
Executes dropped EXE (2 IoCs)
  pid   Process
  1328  M.exe
  3384  M.exe

  resource                                                                     yara_rule
  behavioral2/files/0x0009000000023424-5.dat                                   upx
  behavioral2/memory/1328-7-0x0000000000400000-0x00000000004B8000-memory.dmp   upx
  behavioral2/memory/1328-26-0x0000000000400000-0x00000000004B8000-memory.dmp  upx

Adds Run key to start application (2 TTPs, 2 IoCs)
  description: Set value (str)
  ioc: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""
  Process: VirusShare_86cb2b525e0d0bbf1351b11b4834bdd7.exe

  description: Set value (str)
  ioc: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Google_ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\M.exe"
  Process: M.exe

Suspicious use of SetThreadContext (1 IoC)
  description                          pid   Process  procid_target
  PID 1328 set thread context of 3384  1328  M.exe    81

Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid   Process
  1328  M.exe
  1328  M.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
  description              pid   Process
  Token: SeDebugPrivilege  3384  M.exe

Suspicious use of SetWindowsHookEx (1 IoC)
  pid   Process
  1328  M.exe

Suspicious use of WriteProcessMemory (16 IoCs)
  description                       pid   Process                                           procid_target
  PID 1444 wrote to memory of 1328  1444  VirusShare_86cb2b525e0d0bbf1351b11b4834bdd7.exe  80
  PID 1444 wrote to memory of 1328  1444  VirusShare_86cb2b525e0d0bbf1351b11b4834bdd7.exe  80
  PID 1444 wrote to memory of 1328  1444  VirusShare_86cb2b525e0d0bbf1351b11b4834bdd7.exe  80
  PID 1328 wrote to memory of 3384  1328  M.exe                                             81
  PID 1328 wrote to memory of 3384  1328  M.exe                                             81
  PID 1328 wrote to memory of 3384  1328  M.exe                                             81
  PID 1328 wrote to memory of 3384  1328  M.exe                                             81
  PID 1328 wrote to memory of 3384  1328  M.exe                                             81
  PID 1328 wrote to memory of 3384  1328  M.exe                                             81
  PID 1328 wrote to memory of 3384  1328  M.exe                                             81
  PID 1328 wrote to memory of 3384  1328  M.exe                                             81
  PID 1328 wrote to memory of 3384  1328  M.exe                                             81
  PID 1328 wrote to memory of 3384  1328  M.exe                                             81
  PID 1328 wrote to memory of 3384  1328  M.exe                                             81
  PID 1328 wrote to memory of 3384  1328  M.exe                                             81
  PID 1328 wrote to memory of 3384  1328  M.exe                                             81
Processes
1. C:\Users\Admin\AppData\Local\Temp\VirusShare_86cb2b525e0d0bbf1351b11b4834bdd7.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\VirusShare_86cb2b525e0d0bbf1351b11b4834bdd7.exe"
   PID: 1444
   - Adds Run key to start application
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\M.exe (child of PID 1444)
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\M.exe
      PID: 1328
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory

      3. C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\M.exe (child of PID 1328)
         Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\M.exe
         PID: 3384
         - Executes dropped EXE
         - Adds Run key to start application
         - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 93KB
MD5: 35bbd7036c62eff49ab752a812f3f965
SHA1: 7eed645d88ea1393003ac47a267e767f8a5b4ba1
SHA256: 51518fbf0bcfde548d96dfb815144c6af86a90f9ffafbf9cb3d75434813e134b
SHA512: acbf7a3dc24442dda1188bfc533e138e59cd0169172ba58409128953dbae7d4c8953d9049fdaa8b9eb590783087374eb4353593862d952faa988d4e2e3796fa1

Filesize: 104KB
MD5: 7bae06cbe364bb42b8c34fcfb90e3ebd
SHA1: 79129af7efa46244da0676607242f0a6b7e12e78
SHA256: 6ceaebd55b4a542ef64be1d6971fcfe802e67e2027366c52faacc8a8d325ec7a
SHA512: c599b72500a5c17cd5c4a81fcf220a95925aa0e5ad72aa92dd1a469fe6e3c23590c548a0be7ec2c4dbd737511a0a79c1c46436867cf7f0c4df21f8dcea9686cf

Filesize: 214KB
MD5: 9b381b29157a3dcaa51d1d8d4fc8be43
SHA1: f91810ceb1c4a7ee31d31b0d2c7b947388347734
SHA256: 89a98eb9e19a8158e9f9200e286f56043182ac9b2f5aeab00b5b6848797075da
SHA512: e1ea9d244ed3fbad69f5489568857b679e122752da61e57c8e4d9e01a2360ffe9651cdd6e85d8513bf33dd7461d87c93644e5768b1aca65661ccb3662461d537