Analysis
- max time kernel: 146s
- max time network: 152s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 10-06-2022 13:35
Static task: static1

Behavioral task: behavioral1
- Sample: f53844fb1239792dac2e9a89913ef0ca68b7ffe9f7a9a202e3e729dbf90f9f70.exe
- Resource: win7-20220414-en

Behavioral task: behavioral2
- Sample: f53844fb1239792dac2e9a89913ef0ca68b7ffe9f7a9a202e3e729dbf90f9f70.exe
- Resource: win10v2004-20220414-en
General
- Target: f53844fb1239792dac2e9a89913ef0ca68b7ffe9f7a9a202e3e729dbf90f9f70.exe
- Size: 88KB
- MD5: 0e89298ac6003bda06ca607c17602f62
- SHA1: fdafc549ef30db9c1d65dcbaaec43af6d7bf5ed4
- SHA256: f53844fb1239792dac2e9a89913ef0ca68b7ffe9f7a9a202e3e729dbf90f9f70
- SHA512: 440a587580b621a1dfbf03fa41ab18ee220c55395ab71836d86cfa6b3f489ac3fbf3b121efe2c62f07ca710b503e7d15ddea32e2cccd2dc13d16ea5c8a304d0e
Malware Config
Signatures
Modifies Installed Components in the registry (2 TTPs, 1 IoC)
  description | ioc | process
- Key created | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Active Setup\Installed Components | explorer.exe

Drops file in Program Files directory (1 IoC)
  description | ioc | process
- File created | C:\Program Files (x86)\SolidTechnology\config.cfg | f53844fb1239792dac2e9a89913ef0ca68b7ffe9f7a9a202e3e729dbf90f9f70.exe

Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
  description | ioc | process
- Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | f53844fb1239792dac2e9a89913ef0ca68b7ffe9f7a9a202e3e729dbf90f9f70.exe
- Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | f53844fb1239792dac2e9a89913ef0ca68b7ffe9f7a9a202e3e729dbf90f9f70.exe

Modifies registry class (5 IoCs)
  description | ioc | process
- Set value (data) | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots | explorer.exe
- Set value (data) | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff | explorer.exe
- Key created | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000_Classes\Local Settings | explorer.exe
- Key created | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell | explorer.exe
- Key created | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | explorer.exe

Suspicious behavior: EnumeratesProcesses (1 IoC)
  pid | process
- 1708 | f53844fb1239792dac2e9a89913ef0ca68b7ffe9f7a9a202e3e729dbf90f9f70.exe

Suspicious use of AdjustPrivilegeToken (21 IoCs)
  description | pid | process
- Token: SeDebugPrivilege | 1708 | f53844fb1239792dac2e9a89913ef0ca68b7ffe9f7a9a202e3e729dbf90f9f70.exe
- Token: SeShutdownPrivilege | 1132 | explorer.exe (16 identical entries)
- Token: 33 | 1948 | AUDIODG.EXE (2 identical entries)
- Token: SeIncBasePriorityPrivilege | 1948 | AUDIODG.EXE (2 identical entries)

Suspicious use of FindShellTrayWindow (24 IoCs)
  pid | process
- 1132 | explorer.exe (24 identical entries)

Suspicious use of SendNotifyMessage (16 IoCs)
  pid | process
- 1132 | explorer.exe (16 identical entries)

Suspicious use of WriteProcessMemory (11 IoCs)
  description | pid | process | procid_target
- PID 1708 wrote to memory of 1432 | 1708 | f53844fb1239792dac2e9a89913ef0ca68b7ffe9f7a9a202e3e729dbf90f9f70.exe | 28 (4 identical entries)
- PID 1432 wrote to memory of 1132 | 1432 | runas.exe | 29 (4 identical entries)
- PID 1132 wrote to memory of 988 | 1132 | explorer.exe | 30 (3 identical entries)
Processes

C:\Users\Admin\AppData\Local\Temp\f53844fb1239792dac2e9a89913ef0ca68b7ffe9f7a9a202e3e729dbf90f9f70.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\f53844fb1239792dac2e9a89913ef0ca68b7ffe9f7a9a202e3e729dbf90f9f70.exe"
  PID: 1708
  - Drops file in Program Files directory
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\runas.exe
    Command line: runas /trustlevel:0x20000 C:\Windows\explorer.exe
    PID: 1432
    - Suspicious use of WriteProcessMemory

    C:\Windows\explorer.exe
      Command line: C:\Windows\explorer.exe
      PID: 1132
      - Modifies Installed Components in the registry
      - Modifies registry class
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      - Suspicious use of WriteProcessMemory

      C:\Windows\system32\ctfmon.exe
        Command line: ctfmon.exe
        PID: 988

C:\Windows\system32\AUDIODG.EXE
  Command line: C:\Windows\system32\AUDIODG.EXE 0x508
  PID: 1948
  - Suspicious use of AdjustPrivilegeToken