Analysis
- max time kernel: 190s
- max time network: 202s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 08/05/2022, 06:12
Static task: static1
Behavioral task: behavioral1
- Sample: 9f91c07f8efbac3839267d2780eeeab664ee90ff8c90b1ab838a0377e2713336.exe
- Resource: win7-20220414-en
Behavioral task: behavioral2
- Sample: 9f91c07f8efbac3839267d2780eeeab664ee90ff8c90b1ab838a0377e2713336.exe
- Resource: win10v2004-20220414-en
General
- Target: 9f91c07f8efbac3839267d2780eeeab664ee90ff8c90b1ab838a0377e2713336.exe
- Size: 4.0MB
- MD5: 6dd0f788355bfc2a0056ff45ef0f911f
- SHA1: 0e5ebd5437c8e09ad5fc7a26ccc6035648e6c28d
- SHA256: 9f91c07f8efbac3839267d2780eeeab664ee90ff8c90b1ab838a0377e2713336
- SHA512: ac74b32121ae0f513b4cf75109243205243d093344bc55aa153dac2c82a48772eca1bb009fc09015d33691699ba81d2ad543906a08de8b474d057b112de7ae7f
Malware Config
Signatures
- Adds Run key to start application (2 TTPs, 2 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Users\\Admin\\AppData\\Local\\temp\\svchost.exe" | 9f91c07f8efbac3839267d2780eeeab664ee90ff8c90b1ab838a0377e2713336.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Users\\Admin\\AppData\\Local\\temp\\svchost.exeԀ" | 9f91c07f8efbac3839267d2780eeeab664ee90ff8c90b1ab838a0377e2713336.exe
- Looks up external IP address via web service (4 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow | ioc
  72 | myexternalip.com
  84 | api.ipify.org
  87 | myexternalip.com
  101 | myexternalip.com
- Suspicious use of NtSetInformationThreadHideFromDebugger (9 IoCs)
  pid | Process
  4528 | 9f91c07f8efbac3839267d2780eeeab664ee90ff8c90b1ab838a0377e2713336.exe (same row reported 9 times)
- Suspicious behavior: RenamesItself (21 IoCs)
  pid | Process
  4528 | 9f91c07f8efbac3839267d2780eeeab664ee90ff8c90b1ab838a0377e2713336.exe (same row reported 21 times)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  description | pid | Process
  Token: SeShutdownPrivilege | 4528 | 9f91c07f8efbac3839267d2780eeeab664ee90ff8c90b1ab838a0377e2713336.exe
- Suspicious use of SetWindowsHookEx (2 IoCs)
  pid | Process
  4528 | 9f91c07f8efbac3839267d2780eeeab664ee90ff8c90b1ab838a0377e2713336.exe (same row reported 2 times)
Processes
- C:\Users\Admin\AppData\Local\Temp\9f91c07f8efbac3839267d2780eeeab664ee90ff8c90b1ab838a0377e2713336.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\9f91c07f8efbac3839267d2780eeeab664ee90ff8c90b1ab838a0377e2713336.exe"
  PID: 4528
  - Adds Run key to start application
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: RenamesItself
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx