Analysis
-
max time kernel
248s -
max time network
232s -
platform
windows10-2004_x64 -
resource
win10v2004-en-20220113 -
submitted
22-02-2022 13:18
Static task
static1
Behavioral task
behavioral1
Sample
6feeea94219e2b7ffd3837d784201bf28ffd7bc83706401bf656550485d899cc.exe
Resource
win7-en-20211208
Behavioral task
behavioral2
Sample
6feeea94219e2b7ffd3837d784201bf28ffd7bc83706401bf656550485d899cc.exe
Resource
win10-en-20211208
Behavioral task
behavioral3
Sample
6feeea94219e2b7ffd3837d784201bf28ffd7bc83706401bf656550485d899cc.exe
Resource
win10v2004-en-20220113
General
-
Target
6feeea94219e2b7ffd3837d784201bf28ffd7bc83706401bf656550485d899cc.exe
-
Size
77KB
-
MD5
a9fa03b0ee47e03796efe60d4186c484
-
SHA1
52e788cac7568f07868f2a63e856baa19b5671c0
-
SHA256
6feeea94219e2b7ffd3837d784201bf28ffd7bc83706401bf656550485d899cc
-
SHA512
8e149c5568a22a2e18b37d7895465430bdf0af532fdba80a704c0f8eb52645162d880bf9322e8af0c9002e892f3b93e96c0ef103ce5044c449756c5d4834064d
Malware Config
Signatures
-
Drops file in Windows directory 6 IoCs
Processes:
svchost.exedescription ioc process File opened for modification C:\Windows\WindowsUpdate.log svchost.exe File opened for modification C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk svchost.exe File opened for modification C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log svchost.exe File opened for modification C:\Windows\SoftwareDistribution\DataStore\DataStore.edb svchost.exe File opened for modification C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm svchost.exe File opened for modification C:\Windows\SoftwareDistribution\ReportingEvents.log svchost.exe -
Suspicious use of AdjustPrivilegeToken 6 IoCs
Processes:
svchost.exedescription pid process Token: SeShutdownPrivilege 4792 svchost.exe Token: SeCreatePagefilePrivilege 4792 svchost.exe Token: SeShutdownPrivilege 4792 svchost.exe Token: SeCreatePagefilePrivilege 4792 svchost.exe Token: SeShutdownPrivilege 4792 svchost.exe Token: SeCreatePagefilePrivilege 4792 svchost.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\6feeea94219e2b7ffd3837d784201bf28ffd7bc83706401bf656550485d899cc.exe"C:\Users\Admin\AppData\Local\Temp\6feeea94219e2b7ffd3837d784201bf28ffd7bc83706401bf656550485d899cc.exe"1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken