Analysis
max time kernel: 149s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240709-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
submitted: 19/07/2024, 01:54
Static task: static1
Behavioral task: behavioral1
  Sample: 54e83679242abc2501f7851edd32fde2.exe
  Resource: win7-20240704-en
Behavioral task: behavioral2
  Sample: 54e83679242abc2501f7851edd32fde2.exe
  Resource: win10v2004-20240709-en
General
Target: 54e83679242abc2501f7851edd32fde2.exe
Size: 636KB
MD5: 54e83679242abc2501f7851edd32fde2
SHA1: 32379dcb584649e850b45c7a5175adfe18c68e26
SHA256: 4f17abc0223fa3aa403579c72fa11afce9984b99ff2ff577af18b1dc1432ce9e
SHA512: fd34cfb319f77e9b87c374cfbd35a933eecbdb6e4794424b99a17052f4f0d039b563f3c4afbdf8ecc282fc33ed4684e138f7da59597acf68f5eb91c678ba5be9
SSDEEP: 12288:lNz7oWd0QTeku1LIVyL5oS1BedBE9P21YsoYAjK2vy3aWxOjJUf2xd2:lNzcC0cekMIVyL5oEBedBE9P21Vcvy3j
Malware Config
Signatures
Manipulates Digital Signatures 1 TTPs 1 IoCs
Attackers can change registry keys related to Authenticode and cryptography so that their binary is treated as validly signed.
description: Set value (int)
ioc: \REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing\State = "146944"
Process: aHmgYeGqHq63.exe
Adds Run key to start application 2 TTPs 1 IoCs
description: Set value (str)
ioc: \REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\aHmgYeGqHq63 = "C:\\PROGRA~3\\aHmgYeGqHq63.exe"
Process: aHmgYeGqHq63.exe
Drops file in Program Files directory 2 IoCs
description: File created
ioc: C:\PROGRA~3\aHmgYeGqHq63
Process: aHmgYeGqHq63.exe
description: File opened for modification
ioc: C:\PROGRA~3\aHmgYeGqHq63
Process: aHmgYeGqHq63.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Modifies Internet Explorer settings
description: Key created
ioc: \REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Software\Microsoft\Internet Explorer\Main
Process: aHmgYeGqHq63.exe
description: Set value (str)
ioc: \REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Use FormSuggest = "Yes"
Process: aHmgYeGqHq63.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid: 5112, Process: aHmgYeGqHq63.exe (the same entry is recorded 64 times)
Suspicious behavior: RenamesItself 1 IoCs
pid: 2652, Process: 54e83679242abc2501f7851edd32fde2.exe
Suspicious use of FindShellTrayWindow 2 IoCs
pid: 5112, Process: aHmgYeGqHq63.exe (2 entries)
Suspicious use of SendNotifyMessage 1 IoCs
pid: 5112, Process: aHmgYeGqHq63.exe
Suspicious use of SetWindowsHookEx 9 IoCs
pid: 2652, Process: 54e83679242abc2501f7851edd32fde2.exe
pid: 5112, Process: aHmgYeGqHq63.exe (8 entries)
Suspicious use of WriteProcessMemory 3 IoCs
description: PID 2652 wrote to memory of 5112
pid: 2652
Process: 54e83679242abc2501f7851edd32fde2.exe
procid_target: 91
(the same entry is recorded 3 times)
Processes
1. C:\Users\Admin\AppData\Local\Temp\54e83679242abc2501f7851edd32fde2.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\54e83679242abc2501f7851edd32fde2.exe"
   - Suspicious behavior: RenamesItself
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   PID: 2652
   2. C:\PROGRA~3\aHmgYeGqHq63.exe (child of PID 2652)
      Command line: C:\PROGRA~3\aHmgYeGqHq63.exe
      - Manipulates Digital Signatures
      - Adds Run key to start application
      - Drops file in Program Files directory
      - Modifies Internet Explorer settings
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      - Suspicious use of SetWindowsHookEx
      PID: 5112