Analysis
-
max time kernel
149s -
max time network
147s -
platform
windows7_x64 -
resource
win7-20240704-en -
resource tags
arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system -
submitted
07-07-2024 03:21
Behavioral task
behavioral1
Sample
c6176e81e5947895d0d1edcf7c9cbc3e9a0222111348e07f8a2e2cd0a4063c70.exe
Resource
win7-20240704-en
Behavioral task
behavioral2
Sample
c6176e81e5947895d0d1edcf7c9cbc3e9a0222111348e07f8a2e2cd0a4063c70.exe
Resource
win10v2004-20240704-en
General
-
Target
c6176e81e5947895d0d1edcf7c9cbc3e9a0222111348e07f8a2e2cd0a4063c70.exe
-
Size
45KB
-
MD5
45bbb202f5a2b868675cadc5c0a21504
-
SHA1
d13359c51764a482ec7c49b734f2d89b19520e56
-
SHA256
c6176e81e5947895d0d1edcf7c9cbc3e9a0222111348e07f8a2e2cd0a4063c70
-
SHA512
80f22064eaf620b2ea655dce70525d16d583659b757b928f87f1a53faa27576064733bf5caf12d1faac31c07e7e5d51330912807b5a073dc95feb8a7367349d8
-
SSDEEP
768:yhP0kDE9N5dCA8J7VHXdrIniQaBTT+QQ+r1n4K8+C9TtIuCjaqUODvJVQ2f:+sWE9N5dFu53dsniQaB/xZ14n7zIF+qr
Malware Config
Signatures
-
Processes:
resource yara_rule behavioral1/memory/2232-0-0x0000000000400000-0x000000000041D000-memory.dmp upx -
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
description: Set value (str)
ioc: \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\Run\D03DA51F = "C:\\Users\\Admin\\AppData\\Roaming\\D03DA51F\\bin.exe"
process: winver.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
pid 2332, process winver.exe (the same pid/process pair is recorded for all 64 IoCs) -
Suspicious use of FindShellTrayWindow 1 IoCs
Processes:
pid 2332, process winver.exe -
Suspicious use of WriteProcessMemory 10 IoCs
Processes (description / pid / process / target process):
PID 2232 wrote to memory of 2332: c6176e81e5947895d0d1edcf7c9cbc3e9a0222111348e07f8a2e2cd0a4063c70.exe -> winver.exe
PID 2232 wrote to memory of 2332: c6176e81e5947895d0d1edcf7c9cbc3e9a0222111348e07f8a2e2cd0a4063c70.exe -> winver.exe
PID 2232 wrote to memory of 2332: c6176e81e5947895d0d1edcf7c9cbc3e9a0222111348e07f8a2e2cd0a4063c70.exe -> winver.exe
PID 2232 wrote to memory of 2332: c6176e81e5947895d0d1edcf7c9cbc3e9a0222111348e07f8a2e2cd0a4063c70.exe -> winver.exe
PID 2232 wrote to memory of 2332: c6176e81e5947895d0d1edcf7c9cbc3e9a0222111348e07f8a2e2cd0a4063c70.exe -> winver.exe
PID 2332 wrote to memory of 1056: winver.exe -> Explorer.EXE
PID 2332 wrote to memory of 1032: winver.exe -> Dwm.exe
PID 2332 wrote to memory of 1056: winver.exe -> Explorer.EXE
PID 2332 wrote to memory of 1100: winver.exe -> taskhost.exe
PID 2332 wrote to memory of 1356: winver.exe -> DllHost.exe
Processes (tree level in brackets, then image path and command line)
-
[1] C:\Windows\system32\Dwm.exe
    command line: "C:\Windows\system32\Dwm.exe"
-
[1] C:\Windows\Explorer.EXE
    command line: C:\Windows\Explorer.EXE
-
[2] C:\Users\Admin\AppData\Local\Temp\c6176e81e5947895d0d1edcf7c9cbc3e9a0222111348e07f8a2e2cd0a4063c70.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\c6176e81e5947895d0d1edcf7c9cbc3e9a0222111348e07f8a2e2cd0a4063c70.exe"
    - Suspicious use of WriteProcessMemory
-
    [3] C:\Windows\SysWOW64\winver.exe
        command line: winver
        - Adds Run key to start application
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of WriteProcessMemory
-
[1] C:\Windows\system32\taskhost.exe
    command line: "taskhost.exe"
-
[1] C:\Windows\system32\DllHost.exe
    command line: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
-
memory dump (pid-index-start-end)                                   Filesize
memory/1032-27-0x00000000779A1000-0x00000000779A2000-memory.dmp    4KB
memory/1032-26-0x0000000001F90000-0x0000000001F96000-memory.dmp    24KB
memory/1056-4-0x0000000002520000-0x0000000002526000-memory.dmp     24KB
memory/1056-3-0x0000000002520000-0x0000000002526000-memory.dmp     24KB
memory/1056-2-0x0000000002520000-0x0000000002526000-memory.dmp     24KB
memory/1056-28-0x00000000024C0000-0x00000000024C6000-memory.dmp    24KB
memory/1056-10-0x00000000779A1000-0x00000000779A2000-memory.dmp    4KB
memory/1056-20-0x00000000024C0000-0x00000000024C6000-memory.dmp    24KB
memory/1100-29-0x0000000001F90000-0x0000000001F96000-memory.dmp    24KB
memory/1100-23-0x0000000001F90000-0x0000000001F96000-memory.dmp    24KB
memory/1356-31-0x00000000779A1000-0x00000000779A2000-memory.dmp    4KB
memory/1356-30-0x00000000023C0000-0x00000000023C6000-memory.dmp    24KB
memory/1356-25-0x00000000023C0000-0x00000000023C6000-memory.dmp    24KB
memory/2232-12-0x0000000000400000-0x000000000041D000-memory.dmp    116KB
memory/2232-13-0x0000000001F30000-0x0000000002930000-memory.dmp    10.0MB
memory/2232-0-0x0000000000400000-0x000000000041D000-memory.dmp     116KB
memory/2232-5-0x0000000001F30000-0x0000000002930000-memory.dmp     10.0MB
memory/2232-1-0x0000000000020000-0x0000000000021000-memory.dmp     4KB
memory/2332-11-0x0000000077950000-0x0000000077AF9000-memory.dmp    1.7MB
memory/2332-9-0x0000000077B4F000-0x0000000077B51000-memory.dmp     8KB
memory/2332-8-0x0000000077B4F000-0x0000000077B50000-memory.dmp     4KB
memory/2332-7-0x0000000077B50000-0x0000000077B51000-memory.dmp     4KB
memory/2332-6-0x0000000000120000-0x0000000000126000-memory.dmp     24KB
memory/2332-36-0x0000000000120000-0x0000000000126000-memory.dmp    24KB