Analysis
-
max time kernel
151s -
max time network
125s -
platform
windows7_x64 -
resource
win7v20210410 -
submitted
18-05-2021 12:00
Static task
static1
Behavioral task
behavioral1
Sample
b902f6a246639061d879e49133bff336f6c10c2dd27ce6593dfc0f1894ca00c4.exe
Resource
win7v20210410
Behavioral task
behavioral2
Sample
b902f6a246639061d879e49133bff336f6c10c2dd27ce6593dfc0f1894ca00c4.exe
Resource
win10v20210410
General
-
Target
b902f6a246639061d879e49133bff336f6c10c2dd27ce6593dfc0f1894ca00c4.exe
-
Size
471KB
-
MD5
b6ea755015a6831da0d45300d8f1f121
-
SHA1
3c63a91abcb5827b250d71c810241433ec1f9635
-
SHA256
b902f6a246639061d879e49133bff336f6c10c2dd27ce6593dfc0f1894ca00c4
-
SHA512
4a166d9f9f7ca38e79c861a01d1ea977a86ac1c39929b7220415ee8319ae6ba637a808a88ba48097604de21d777bab9b10bc4bc9ab7016bded760d8f1fa3588b
Malware Config
Signatures
-
Modifies WinLogon for persistence 2 TTPs 2 IoCs
Processes:
b902f6a246639061d879e49133bff336f6c10c2dd27ce6593dfc0f1894ca00c4.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe," b902f6a246639061d879e49133bff336f6c10c2dd27ce6593dfc0f1894ca00c4.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" b902f6a246639061d879e49133bff336f6c10c2dd27ce6593dfc0f1894ca00c4.exe -
Modifies system executable filetype association 2 TTPs 1 IoCs
Processes:
b902f6a246639061d879e49133bff336f6c10c2dd27ce6593dfc0f1894ca00c4.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\SysWow64\\drivers\\spools.exe \"%1\" %*" b902f6a246639061d879e49133bff336f6c10c2dd27ce6593dfc0f1894ca00c4.exe -
Drops file in Drivers directory 2 IoCs
Processes:
b902f6a246639061d879e49133bff336f6c10c2dd27ce6593dfc0f1894ca00c4.exedescription ioc process File created C:\Windows\SysWOW64\drivers\spools.exe b902f6a246639061d879e49133bff336f6c10c2dd27ce6593dfc0f1894ca00c4.exe File opened for modification C:\Windows\SysWOW64\drivers\spools.exe b902f6a246639061d879e49133bff336f6c10c2dd27ce6593dfc0f1894ca00c4.exe -
Sets service image path in registry 2 TTPs
-
Adds Run key to start application 2 TTPs 4 IoCs
Processes:
b902f6a246639061d879e49133bff336f6c10c2dd27ce6593dfc0f1894ca00c4.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe" b902f6a246639061d879e49133bff336f6c10c2dd27ce6593dfc0f1894ca00c4.exe Set value (str) \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\cftmon.exe" b902f6a246639061d879e49133bff336f6c10c2dd27ce6593dfc0f1894ca00c4.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe" b902f6a246639061d879e49133bff336f6c10c2dd27ce6593dfc0f1894ca00c4.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\cftmon.exe" b902f6a246639061d879e49133bff336f6c10c2dd27ce6593dfc0f1894ca00c4.exe -
Installs/modifies Browser Helper Object 2 TTPs
BHOs are DLL modules which act as plugins for Internet Explorer.
-
Modifies WinLogon 2 TTPs 1 IoCs
Processes:
b902f6a246639061d879e49133bff336f6c10c2dd27ce6593dfc0f1894ca00c4.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\UIHost = "logonui.exe" b902f6a246639061d879e49133bff336f6c10c2dd27ce6593dfc0f1894ca00c4.exe -
Modifies registry class 1 IoCs
Processes:
b902f6a246639061d879e49133bff336f6c10c2dd27ce6593dfc0f1894ca00c4.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\SysWow64\\drivers\\spools.exe \"%1\" %*" b902f6a246639061d879e49133bff336f6c10c2dd27ce6593dfc0f1894ca00c4.exe -
Suspicious use of WriteProcessMemory 4 IoCs
Processes:
b902f6a246639061d879e49133bff336f6c10c2dd27ce6593dfc0f1894ca00c4.exedescription pid process target process PID 1420 wrote to memory of 1472 1420 b902f6a246639061d879e49133bff336f6c10c2dd27ce6593dfc0f1894ca00c4.exe reg.exe PID 1420 wrote to memory of 1472 1420 b902f6a246639061d879e49133bff336f6c10c2dd27ce6593dfc0f1894ca00c4.exe reg.exe PID 1420 wrote to memory of 1472 1420 b902f6a246639061d879e49133bff336f6c10c2dd27ce6593dfc0f1894ca00c4.exe reg.exe PID 1420 wrote to memory of 1472 1420 b902f6a246639061d879e49133bff336f6c10c2dd27ce6593dfc0f1894ca00c4.exe reg.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\b902f6a246639061d879e49133bff336f6c10c2dd27ce6593dfc0f1894ca00c4.exe"C:\Users\Admin\AppData\Local\Temp\b902f6a246639061d879e49133bff336f6c10c2dd27ce6593dfc0f1894ca00c4.exe"1⤵
- Modifies WinLogon for persistence
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Modifies WinLogon
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\reg.exereg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects" /f2⤵