Analysis
- max time kernel: 150s
- max time network: 149s
- platform: windows7_x64
- resource: win7v20210410
- submitted: 15-05-2021 07:16

Static task: static1
Behavioral task: behavioral1
- Sample: 4f12b16b29502e793037b26141f99a2272965bbe237a3475243c5f19f6e6c898.exe
- Resource: win7v20210410
- Platform: windows7_x64
- 0 signatures
- 0 seconds
General
- Target: 4f12b16b29502e793037b26141f99a2272965bbe237a3475243c5f19f6e6c898.exe
- Size: 722KB
- MD5: 744907fcecbf352318db5953d862fe98
- SHA1: 22cc67f8374704fb18b0fc7693ef39e41373abcb
- SHA256: 4f12b16b29502e793037b26141f99a2272965bbe237a3475243c5f19f6e6c898
- SHA512: 36f7163f5e53abedf7c92c31b70e8d02e9bb22ded2c9bdeb4e696c64b35e42c0f40f79b16949c6b4b4d262c7de05a1fa9780ff22b781d98574217806cdfcbaab
Malware Config
Signatures
-
Drops file in Drivers directory (1 IoC)
Processes: 4f12b16b29502e793037b26141f99a2272965bbe237a3475243c5f19f6e6c898.exe
- description: File opened for modification
  ioc: C:\Windows\system32\drivers\etc\hosts
  process: 4f12b16b29502e793037b26141f99a2272965bbe237a3475243c5f19f6e6c898.exe
Suspicious use of SetThreadContext (1 IoC)
Processes: 4f12b16b29502e793037b26141f99a2272965bbe237a3475243c5f19f6e6c898.exe
- description: PID 452 set thread context of 2024
  pid / process: 452 4f12b16b29502e793037b26141f99a2272965bbe237a3475243c5f19f6e6c898.exe
  target process: iexplore.exe
Suspicious use of AdjustPrivilegeToken (46 IoCs)
Processes: 4f12b16b29502e793037b26141f99a2272965bbe237a3475243c5f19f6e6c898.exe, iexplore.exe
- pid 452, process 4f12b16b29502e793037b26141f99a2272965bbe237a3475243c5f19f6e6c898.exe, 23 tokens: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35
- pid 2024, process iexplore.exe, 23 tokens: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35
Suspicious use of SetWindowsHookEx (1 IoC)
Processes: iexplore.exe
- pid 2024, process iexplore.exe
Suspicious use of WriteProcessMemory (6 IoCs)
Processes: 4f12b16b29502e793037b26141f99a2272965bbe237a3475243c5f19f6e6c898.exe
- description: PID 452 wrote to memory of 2024 (6 identical entries)
  pid / process: 452 4f12b16b29502e793037b26141f99a2272965bbe237a3475243c5f19f6e6c898.exe
  target process: iexplore.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\4f12b16b29502e793037b26141f99a2272965bbe237a3475243c5f19f6e6c898.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\4f12b16b29502e793037b26141f99a2272965bbe237a3475243c5f19f6e6c898.exe"
  PID: 452
  - Drops file in Drivers directory
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Program Files (x86)\Internet Explorer\iexplore.exe
    command line: "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
    PID: 2024
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix
Downloads
- memory/452-60-0x00000000753E1000-0x00000000753E3000-memory.dmp (Filesize: 8KB)
- memory/452-64-0x0000000000250000-0x0000000000251000-memory.dmp (Filesize: 4KB)
- memory/2024-61-0x0000000000400000-0x00000000004C3000-memory.dmp (Filesize: 780KB)
- memory/2024-62-0x000000000049F92C-mapping.dmp