Overview
overview
10Static
static
803ff897da4...b3.exe
windows7_x64
703ff897da4...b3.exe
windows10_x64
710493d98a6...41.exe
windows7_x64
710493d98a6...41.exe
windows10_x64
711747d3247...67.exe
windows7_x64
711747d3247...67.exe
windows10_x64
San11 Tc/D...eg.htm
windows7_x64
1San11 Tc/D...eg.htm
windows10_x64
1San11 Tc/DrvMgt.dll
windows7_x64
1San11 Tc/DrvMgt.dll
windows10_x64
1San11 Tc/L...es.exe
windows7_x64
1San11 Tc/L...es.exe
windows10_x64
1San11 Tc/S...er.exe
windows7_x64
1San11 Tc/S...er.exe
windows10_x64
1San11 Tc/S...er.exe
windows7_x64
1San11 Tc/S...er.exe
windows10_x64
1San11 Tc/S...YS.exe
windows7_x64
San11 Tc/S...YS.exe
windows10_x64
San11 Tc/San11.exe
windows7_x64
8San11 Tc/San11.exe
windows10_x64
8San11 Tc/san11pk.exe
windows7_x64
3San11 Tc/san11pk.exe
windows10_x64
1San11 Tc/�...��.exe
windows7_x64
3San11 Tc/�...��.exe
windows10_x64
1023c9e16cc6...7b.exe
windows7_x64
523c9e16cc6...7b.exe
windows10_x64
536a18ae31f...d0.exe
windows7_x64
736a18ae31f...d0.exe
windows10_x64
74109a062b3...d4.exe
windows7_x64
84109a062b3...d4.exe
windows10_x64
8CW3.exe
windows7_x64
1CW3.exe
windows10_x64
1Analysis
-
max time kernel
61s -
max time network
132s -
platform
windows7_x64 -
resource
win7-en-20211014 -
submitted
20-10-2021 15:32
Static task
static1
Behavioral task
behavioral1
Sample
03ff897da4bfb8bc549fdb1ebf7ee940bcb9b57fed7d26d83c45d1e9ec1f40b3.exe
Resource
win7-en-20211014
Behavioral task
behavioral2
Sample
03ff897da4bfb8bc549fdb1ebf7ee940bcb9b57fed7d26d83c45d1e9ec1f40b3.exe
Resource
win10-en-20210920
Behavioral task
behavioral3
Sample
10493d98a6e78b7bbc60a9aae5ce5fa1a67cdace2a6be41740c92e21dcdb5f41.exe
Resource
win7-en-20211014
Behavioral task
behavioral4
Sample
10493d98a6e78b7bbc60a9aae5ce5fa1a67cdace2a6be41740c92e21dcdb5f41.exe
Resource
win10-en-20210920
Behavioral task
behavioral5
Sample
11747d3247254b7db3fb7d6b8c0b47d21546b208b1573a73ae20f46ca4131e67.exe
Resource
win7-en-20211014
Behavioral task
behavioral6
Sample
11747d3247254b7db3fb7d6b8c0b47d21546b208b1573a73ae20f46ca4131e67.exe
Resource
win10-en-20210920
Behavioral task
behavioral7
Sample
San11 Tc/Doc/Reg/san11_reg.htm
Resource
win7-en-20210920
Behavioral task
behavioral8
Sample
San11 Tc/Doc/Reg/san11_reg.htm
Resource
win10-en-20211014
Behavioral task
behavioral9
Sample
San11 Tc/DrvMgt.dll
Resource
win7-en-20210920
Behavioral task
behavioral10
Sample
San11 Tc/DrvMgt.dll
Resource
win10-en-20211014
Behavioral task
behavioral11
Sample
San11 Tc/LinkSan11Res.exe
Resource
win7-en-20210920
Behavioral task
behavioral12
Sample
San11 Tc/LinkSan11Res.exe
Resource
win10-en-20211014
Behavioral task
behavioral13
Sample
San11 Tc/S11Launcher.exe
Resource
win7-en-20210920
Behavioral task
behavioral14
Sample
San11 Tc/S11Launcher.exe
Resource
win10-en-20210920
Behavioral task
behavioral15
Sample
San11 Tc/S11PKLauncher.exe
Resource
win7-en-20211014
Behavioral task
behavioral16
Sample
San11 Tc/S11PKLauncher.exe
Resource
win10-en-20210920
Behavioral task
behavioral17
Sample
San11 Tc/SECDRV.SYS.exe
Resource
win7-en-20211014
Behavioral task
behavioral18
Sample
San11 Tc/SECDRV.SYS.exe
Resource
win10-en-20210920
Behavioral task
behavioral19
Sample
San11 Tc/San11.exe
Resource
win7-en-20211014
Behavioral task
behavioral20
Sample
San11 Tc/San11.exe
Resource
win10-en-20210920
Behavioral task
behavioral21
Sample
San11 Tc/san11pk.exe
Resource
win7-en-20210920
Behavioral task
behavioral22
Sample
San11 Tc/san11pk.exe
Resource
win10-en-20211014
Behavioral task
behavioral23
Sample
San11 Tc/开始游戏.exe
Resource
win7-en-20210920
Behavioral task
behavioral24
Sample
San11 Tc/开始游戏.exe
Resource
win10-en-20211014
Behavioral task
behavioral25
Sample
23c9e16cc6549ca05d349e7d04805309171cfe8a8426cdb7376f2a41b757a67b.exe
Resource
win7-en-20210920
Behavioral task
behavioral26
Sample
23c9e16cc6549ca05d349e7d04805309171cfe8a8426cdb7376f2a41b757a67b.exe
Resource
win10-en-20211014
Behavioral task
behavioral27
Sample
36a18ae31faa401de370fc7c808bd43f5f7af14c9f6f71cbd2aa9f8cca6555d0.exe
Resource
win7-en-20210920
Behavioral task
behavioral28
Sample
36a18ae31faa401de370fc7c808bd43f5f7af14c9f6f71cbd2aa9f8cca6555d0.exe
Resource
win10-en-20210920
Behavioral task
behavioral29
Sample
4109a062b38d66ee7222cd984120e056acd0f5dad490c623f411c8abb18796d4.exe
Resource
win7-en-20211014
Behavioral task
behavioral30
Sample
4109a062b38d66ee7222cd984120e056acd0f5dad490c623f411c8abb18796d4.exe
Resource
win10-en-20210920
Behavioral task
behavioral31
Sample
CW3.exe
Resource
win7-en-20211014
Behavioral task
behavioral32
Sample
CW3.exe
Resource
win10-en-20210920
General
-
Target
03ff897da4bfb8bc549fdb1ebf7ee940bcb9b57fed7d26d83c45d1e9ec1f40b3.exe
-
Size
7.0MB
-
MD5
4374755e7ce0c9c64bc1425ae7167bbc
-
SHA1
e2a2fff655b93f687b9f28a52913ebe616a7ba54
-
SHA256
03ff897da4bfb8bc549fdb1ebf7ee940bcb9b57fed7d26d83c45d1e9ec1f40b3
-
SHA512
873bf797f5b3bad34a3243b3dc15937832a0b3004da647e1a8020e47437609ab0791664158d7a9489f2cf6cf91daff59717f9160aa02eec27d41957fd91c6e23
Malware Config
Signatures
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
03ff897da4bfb8bc549fdb1ebf7ee940bcb9b57fed7d26d83c45d1e9ec1f40b3.exedescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 03ff897da4bfb8bc549fdb1ebf7ee940bcb9b57fed7d26d83c45d1e9ec1f40b3.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate 03ff897da4bfb8bc549fdb1ebf7ee940bcb9b57fed7d26d83c45d1e9ec1f40b3.exe -
Modifies registry class 9 IoCs
Processes:
03ff897da4bfb8bc549fdb1ebf7ee940bcb9b57fed7d26d83c45d1e9ec1f40b3.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9D4EF29E-E31A-655C-FE52-D8BA485F1500}\InprocServer32 03ff897da4bfb8bc549fdb1ebf7ee940bcb9b57fed7d26d83c45d1e9ec1f40b3.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9D4EF29E-E31A-655C-FE52-D8BA485F1500}\InprocServer32\Class = "Microsoft.Vbe.Interop.VBProjectsClass" 03ff897da4bfb8bc549fdb1ebf7ee940bcb9b57fed7d26d83c45d1e9ec1f40b3.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9D4EF29E-E31A-655C-FE52-D8BA485F1500}\InprocServer32\14.0.0.0\RuntimeVersion = "v2.0.50727" 03ff897da4bfb8bc549fdb1ebf7ee940bcb9b57fed7d26d83c45d1e9ec1f40b3.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9D4EF29E-E31A-655C-FE52-D8BA485F1500}\InprocServer32\14.0.0.0\Class = "Microsoft.Vbe.Interop.VBProjectsClass" 03ff897da4bfb8bc549fdb1ebf7ee940bcb9b57fed7d26d83c45d1e9ec1f40b3.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9D4EF29E-E31A-655C-FE52-D8BA485F1500} 03ff897da4bfb8bc549fdb1ebf7ee940bcb9b57fed7d26d83c45d1e9ec1f40b3.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9D4EF29E-E31A-655C-FE52-D8BA485F1500}\InprocServer32\Assembly = "Microsoft.Vbe.Interop, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71E9BCE111E9429C" 03ff897da4bfb8bc549fdb1ebf7ee940bcb9b57fed7d26d83c45d1e9ec1f40b3.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9D4EF29E-E31A-655C-FE52-D8BA485F1500}\InprocServer32\RuntimeVersion = "v2.0.50727" 03ff897da4bfb8bc549fdb1ebf7ee940bcb9b57fed7d26d83c45d1e9ec1f40b3.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9D4EF29E-E31A-655C-FE52-D8BA485F1500}\InprocServer32\14.0.0.0 03ff897da4bfb8bc549fdb1ebf7ee940bcb9b57fed7d26d83c45d1e9ec1f40b3.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9D4EF29E-E31A-655C-FE52-D8BA485F1500}\InprocServer32\14.0.0.0\Assembly = "Microsoft.Vbe.Interop, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71E9BCE111E9429C" 03ff897da4bfb8bc549fdb1ebf7ee940bcb9b57fed7d26d83c45d1e9ec1f40b3.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
03ff897da4bfb8bc549fdb1ebf7ee940bcb9b57fed7d26d83c45d1e9ec1f40b3.exedescription pid process Token: 33 1536 03ff897da4bfb8bc549fdb1ebf7ee940bcb9b57fed7d26d83c45d1e9ec1f40b3.exe Token: SeIncBasePriorityPrivilege 1536 03ff897da4bfb8bc549fdb1ebf7ee940bcb9b57fed7d26d83c45d1e9ec1f40b3.exe Token: SeDebugPrivilege 1536 03ff897da4bfb8bc549fdb1ebf7ee940bcb9b57fed7d26d83c45d1e9ec1f40b3.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\03ff897da4bfb8bc549fdb1ebf7ee940bcb9b57fed7d26d83c45d1e9ec1f40b3.exe"C:\Users\Admin\AppData\Local\Temp\03ff897da4bfb8bc549fdb1ebf7ee940bcb9b57fed7d26d83c45d1e9ec1f40b3.exe"1⤵
- Checks BIOS information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:1536
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/1536-55-0x00000000764D1000-0x00000000764D3000-memory.dmpFilesize
8KB
-
memory/1536-56-0x00000000031E0000-0x00000000032D9000-memory.dmpFilesize
996KB
-
memory/1536-60-0x0000000000400000-0x0000000001762000-memory.dmpFilesize
19.4MB
-
memory/1536-61-0x0000000000400000-0x0000000001762000-memory.dmpFilesize
19.4MB
-
memory/1536-62-0x0000000000400000-0x0000000001762000-memory.dmpFilesize
19.4MB
-
memory/1536-63-0x0000000003EA0000-0x0000000003EC0000-memory.dmpFilesize
128KB
-
memory/1536-64-0x00000000002A0000-0x00000000002A1000-memory.dmpFilesize
4KB