Analysis
max time kernel: 187s
max time network: 203s
platform: windows7_x64
resource: win7-20220414-en
submitted: 08/05/2022, 06:12
Static task: static1
Behavioral task: behavioral1
  Sample: 9f91c07f8efbac3839267d2780eeeab664ee90ff8c90b1ab838a0377e2713336.exe
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: 9f91c07f8efbac3839267d2780eeeab664ee90ff8c90b1ab838a0377e2713336.exe
  Resource: win10v2004-20220414-en
General
Target: 9f91c07f8efbac3839267d2780eeeab664ee90ff8c90b1ab838a0377e2713336.exe
Size: 4.0MB
MD5: 6dd0f788355bfc2a0056ff45ef0f911f
SHA1: 0e5ebd5437c8e09ad5fc7a26ccc6035648e6c28d
SHA256: 9f91c07f8efbac3839267d2780eeeab664ee90ff8c90b1ab838a0377e2713336
SHA512: ac74b32121ae0f513b4cf75109243205243d093344bc55aa153dac2c82a48772eca1bb009fc09015d33691699ba81d2ad543906a08de8b474d057b112de7ae7f
Malware Config
Signatures

Adds Run key to start application (2 TTPs, 1 IoC)
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Users\\Admin\\AppData\\Local\\temp\\svchost.exe"
  Process: 9f91c07f8efbac3839267d2780eeeab664ee90ff8c90b1ab838a0377e2713336.exe

Looks up external IP address via web service (3 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
  flow  ioc
  5     myexternalip.com
  6     myexternalip.com
  12    myexternalip.com

Suspicious use of NtSetInformationThreadHideFromDebugger (17 IoCs)
  pid   Process
  1812  9f91c07f8efbac3839267d2780eeeab664ee90ff8c90b1ab838a0377e2713336.exe  (17 identical entries)

Suspicious behavior: RenamesItself (21 IoCs)
  pid   Process
  1812  9f91c07f8efbac3839267d2780eeeab664ee90ff8c90b1ab838a0377e2713336.exe  (21 identical entries)

Suspicious use of AdjustPrivilegeToken (1 IoC)
  description: Token: SeShutdownPrivilege
  pid: 1812
  Process: 9f91c07f8efbac3839267d2780eeeab664ee90ff8c90b1ab838a0377e2713336.exe

Suspicious use of SetWindowsHookEx (2 IoCs)
  pid   Process
  1812  9f91c07f8efbac3839267d2780eeeab664ee90ff8c90b1ab838a0377e2713336.exe  (2 identical entries)
Processes

C:\Users\Admin\AppData\Local\Temp\9f91c07f8efbac3839267d2780eeeab664ee90ff8c90b1ab838a0377e2713336.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\9f91c07f8efbac3839267d2780eeeab664ee90ff8c90b1ab838a0377e2713336.exe"
  - Adds Run key to start application
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: RenamesItself
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID: 1812