Analysis
max time kernel: 149s
max time network: 148s
platform: windows7_x64
resource: win7-20240704-en
resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
submitted: 13-07-2024 18:39
Static task: static1
Behavioral task: behavioral1
  Sample: 036e19f0bedf8ccd4403759aef053130N.exe
  Resource: win7-20240704-en
Behavioral task: behavioral2
  Sample: 036e19f0bedf8ccd4403759aef053130N.exe
  Resource: win10v2004-20240709-en
General
Target: 036e19f0bedf8ccd4403759aef053130N.exe
Size: 68KB
MD5: 036e19f0bedf8ccd4403759aef053130
SHA1: 244fdc88a1c999ccaea4eb8f74be3101fdc0395e
SHA256: ac454fa278ee26a72d6720bac89bd4624d0e611afa1dae421a290454dc3848b3
SHA512: 97c43c97fd8a89aa7d8ade1b9f98878b2015e09f8a4bbb48fc80efdb6a43e60cba542004e6e38e08db44f81a2ad30b1b3eb04dd73c7925992ea8b7db53344257
SSDEEP: 768:9waGd7Lw/nrrxDL/GOv2/w6HSa0fYSPNZsxRXQ1d2yg/QmWKHZyiVlaW4OHZ0Em:947urp3v23HSa0AMNyfQ1d2y4Z4P
Malware Config
Signatures
Adds Run key to start application (2 TTPs, 1 IoC)
Process: winver.exe
Description: Set value (str)
IoC: \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\Run\C53649C8 = "C:\\Users\\Admin\\AppData\\Roaming\\C53649C8\\bin.exe"
Note that the persistence entry is written by winver.exe (the Windows "About Windows" binary, which the sample launched and wrote into; see the WriteProcessMemory rows below), not by the sample process itself, and that it points to bin.exe under %APPDATA%\C53649C8 rather than to the sample's original location under %TEMP%. The Run value name is the same string as the directory name.
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Process: winver.exe (PID 2752), 64 occurrences
Suspicious use of FindShellTrayWindow (1 IoC)
Process: winver.exe (PID 2752)
Suspicious use of SetWindowsHookEx (1 IoC)
Process: 036e19f0bedf8ccd4403759aef053130N.exe (PID 2348)
Suspicious use of WriteProcessMemory (23 IoCs)
Source PID  Source process                         Target PID  Target process                         Writes
2348        036e19f0bedf8ccd4403759aef053130N.exe  1940        036e19f0bedf8ccd4403759aef053130N.exe  13
1940        036e19f0bedf8ccd4403759aef053130N.exe  2752        winver.exe                             5
2752        winver.exe                             1196        Explorer.EXE                           2
2752        winver.exe                             1084        taskhost.exe                           1
2752        winver.exe                             1144        Dwm.exe                                1
2752        winver.exe                             548         DllHost.exe                            1
Read as a chain: the sample (PID 2348) writes into the second instance of itself that it launched (PID 1940); that instance writes into the winver.exe it launched (PID 2752); winver.exe then writes into four processes that were already running before the sample started (Explorer.EXE, taskhost.exe, Dwm.exe and the DllHost.exe COM surrogate). Only the last hop is injection into pre-existing processes; the first two hops are writes into the sample's own children.
Processes
(indentation shows parent/child depth; PIDs are taken from the signature tables above)
C:\Windows\system32\taskhost.exe  "taskhost.exe"  (PID 1084)
C:\Windows\system32\Dwm.exe  "C:\Windows\system32\Dwm.exe"  (PID 1144)
C:\Windows\Explorer.EXE  C:\Windows\Explorer.EXE  (PID 1196)
  C:\Users\Admin\AppData\Local\Temp\036e19f0bedf8ccd4403759aef053130N.exe  "C:\Users\Admin\AppData\Local\Temp\036e19f0bedf8ccd4403759aef053130N.exe"  (PID 2348)
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\036e19f0bedf8ccd4403759aef053130N.exe  "C:\Users\Admin\AppData\Local\Temp\036e19f0bedf8ccd4403759aef053130N.exe"  (PID 1940)
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\winver.exe  winver  (PID 2752)
        - Adds Run key to start application
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of WriteProcessMemory
C:\Windows\system32\DllHost.exe  C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}  (PID 548)
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
Dump                                                             Size
memory/548-27-0x00000000022D0000-0x00000000022D7000-memory.dmp   28KB
memory/548-28-0x0000000077461000-0x0000000077462000-memory.dmp   4KB
memory/548-24-0x00000000022D0000-0x00000000022D7000-memory.dmp   28KB
memory/1084-17-0x0000000002090000-0x0000000002097000-memory.dmp  28KB
memory/1084-29-0x0000000002090000-0x0000000002097000-memory.dmp  28KB
memory/1144-25-0x0000000001F90000-0x0000000001F97000-memory.dmp  28KB
memory/1144-26-0x0000000077461000-0x0000000077462000-memory.dmp  4KB
memory/1144-19-0x0000000001F90000-0x0000000001F97000-memory.dmp  28KB
memory/1196-22-0x0000000002520000-0x0000000002527000-memory.dmp  28KB
memory/1196-30-0x0000000002520000-0x0000000002527000-memory.dmp  28KB
memory/1196-13-0x0000000077461000-0x0000000077462000-memory.dmp  4KB
memory/1196-6-0x0000000002510000-0x0000000002517000-memory.dmp   28KB
memory/1196-7-0x0000000002510000-0x0000000002517000-memory.dmp   28KB
memory/1196-10-0x0000000002510000-0x0000000002517000-memory.dmp  28KB
memory/1940-4-0x0000000000400000-0x0000000000405000-memory.dmp   20KB
memory/1940-5-0x0000000000400000-0x0000000000404A00-memory.dmp   18KB
memory/2348-2-0x0000000000230000-0x0000000000236000-memory.dmp   24KB
memory/2348-3-0x0000000000230000-0x0000000000236000-memory.dmp   24KB
memory/2752-8-0x00000000001A0000-0x00000000001A7000-memory.dmp   28KB
memory/2752-12-0x0000000000FC0000-0x0000000000FD6000-memory.dmp  88KB
memory/2752-11-0x0000000000FC1000-0x0000000000FC2000-memory.dmp  4KB
memory/2752-14-0x0000000077410000-0x00000000775B9000-memory.dmp  1.7MB
The 28KB (0x7000-byte) regions dumped from PIDs 548, 1084, 1144 and 1196 belong to exactly the four processes that winver.exe (PID 2752) wrote into, and winver.exe itself holds a 28KB region at 0x1A0000. The 4KB page at 0x77461000 dumped from 548, 1144 and 1196 lies inside the 1.7MB range 0x77410000-0x775B9000 dumped from 2752, so the same shared address range was touched in the injector and in three of its targets.
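The rows above are flattened text, which makes the injection chain easy to misread. The script below is an added example (not part of the sandbox report or its tooling) that rebuilds the chain from the WriteProcessMemory rows, separates writes into processes the sample spawned itself from writes into processes that were already running, extracts the Run-key persistence entry, and checks which injection targets hold a dumped region of the same size as the one winver.exe holds. The sample rows, the PID set SPAWNED and the dump-name subset are constructed here from this report; the regexes are assumptions about the report's row layout, not a published schema.

```python
"""Rebuild this report's injection chain and persistence entry from its
signature rows. Added example; not the sandbox's own code."""
import re
from collections import Counter, defaultdict

SAMPLE = "036e19f0bedf8ccd4403759aef053130N.exe"

# Constructed input: the 23 WriteProcessMemory rows of this report, one per
# list entry (the report renders them as one run; the counts are the report's).
WPM_ROWS = (
    ["PID 2348 wrote to memory of 1940 2348 %s %s" % (SAMPLE, SAMPLE)] * 13
    + ["PID 1940 wrote to memory of 2752 1940 %s winver.exe" % SAMPLE] * 5
    + [
        "PID 2752 wrote to memory of 1196 2752 winver.exe Explorer.EXE",
        "PID 2752 wrote to memory of 1084 2752 winver.exe taskhost.exe",
        "PID 2752 wrote to memory of 1144 2752 winver.exe Dwm.exe",
        "PID 2752 wrote to memory of 1196 2752 winver.exe Explorer.EXE",
        "PID 2752 wrote to memory of 548 2752 winver.exe DllHost.exe",
    ]
)

# PIDs created by the sample's own chain (from the process tree): the sample,
# its second instance and winver.exe. Every other PID was already running.
SPAWNED = {2348, 1940, 2752}

# The "Adds Run key" IoC row, verbatim from the report (the doubled
# backslashes are the report's rendering of the REG_SZ data).
RUN_KEY_ROW = (
    r"Set value (str) \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000"
    r"\Software\Microsoft\Windows\CurrentVersion\Run\C53649C8 = "
    r'"C:\\Users\\Admin\\AppData\\Roaming\\C53649C8\\bin.exe" winver.exe'
)

# Subset of the report's memory-dump names, one per distinct region.
DUMP_NAMES = [
    "memory/548-27-0x00000000022D0000-0x00000000022D7000-memory.dmp",
    "memory/548-28-0x0000000077461000-0x0000000077462000-memory.dmp",
    "memory/1084-17-0x0000000002090000-0x0000000002097000-memory.dmp",
    "memory/1144-25-0x0000000001F90000-0x0000000001F97000-memory.dmp",
    "memory/1196-22-0x0000000002520000-0x0000000002527000-memory.dmp",
    "memory/1196-6-0x0000000002510000-0x0000000002517000-memory.dmp",
    "memory/1940-4-0x0000000000400000-0x0000000000405000-memory.dmp",
    "memory/2348-2-0x0000000000230000-0x0000000000236000-memory.dmp",
    "memory/2752-8-0x00000000001A0000-0x00000000001A7000-memory.dmp",
    "memory/2752-12-0x0000000000FC0000-0x0000000000FD6000-memory.dmp",
]

# Row layouts assumed from this report: "PID <src> wrote to memory of <dst>
# <src> <src_name> <dst_name>", "Set value (str) <key> = "<data>" <proc>",
# and "memory/<pid>-<n>-0x<start>-0x<end>-memory.dmp".
WPM_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) \d+ (\S+) (\S+)")
RUN_RE = re.compile(r'Set value \(str\) (\\REGISTRY\\\S+?\\Run\\(\S+)) = "(.*?)" (\S+)')
DUMP_RE = re.compile(r"memory/(\d+)-\d+-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp")


def parse_wpm(rows):
    """Count writes as (src_pid, src_name, dst_pid, dst_name) edges."""
    edges = Counter()
    for row in rows:
        m = WPM_RE.search(row)
        if m:
            src, dst, src_name, dst_name = m.groups()
            edges[(int(src), src_name, int(dst), dst_name)] += 1
    return edges


def injection_targets(edges, spawned):
    """Writes into processes the sample did not create: {dst_pid: (name, writes)}."""
    out = {}
    for (_, _, dst, dst_name), n in edges.items():
        if dst not in spawned:
            out[dst] = (dst_name, out.get(dst, (dst_name, 0))[1] + n)
    return out


def parse_run_key(row):
    """Split the Run-key IoC into key path, value name, unescaped data and writer."""
    m = RUN_RE.search(row)
    if not m:
        return None
    key, value, data, proc = m.groups()
    return {"key": key, "value": value, "data": data.replace("\\\\", "\\"), "process": proc}


def parse_dumps(names):
    """{pid: [(start, size_in_bytes), ...]} from the dump file names."""
    regions = defaultdict(list)
    for name in names:
        m = DUMP_RE.search(name)
        if m:
            start, end = int(m.group(2), 16), int(m.group(3), 16)
            regions[int(m.group(1))].append((start, end - start))
    return regions


def matching_regions(targets, regions, size):
    """Dumped regions of exactly `size` bytes in each injection target."""
    return {pid: [hex(s) for s, n in regions.get(pid, []) if n == size] for pid in targets}


if __name__ == "__main__":
    edges = parse_wpm(WPM_ROWS)
    targets = injection_targets(edges, SPAWNED)
    print("persistence:", parse_run_key(RUN_KEY_ROW))
    print("injected into:", targets)
    # winver.exe's own 28KB region (0x1A0000-0x1A7000) sets the size to look for.
    print("28KB regions in targets:", matching_regions(targets, parse_dumps(DUMP_NAMES), 0x7000))
```

Run stand-alone, it reports Explorer.EXE, taskhost.exe, Dwm.exe and DllHost.exe as the only targets outside the sample's own lineage, the Run value C53649C8 pointing at bin.exe under %APPDATA%\C53649C8 written by winver.exe, and one or two 0x7000-byte regions in each of the four targets. Swapping SPAWNED for the PIDs of another report's process tree is all that is needed to reuse the same split on a different run.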