Analysis
max time kernel: 145s
max time network: 152s
platform: windows7_x64
resource: win7-20220414-en
submitted: 10-06-2022 13:35
Static task: static1
Behavioral task: behavioral1
  Sample: 62946b8134065b0dab11faf906539fcfcbd2b6a89397e7fb8e187dd2d47ab232.exe
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: 62946b8134065b0dab11faf906539fcfcbd2b6a89397e7fb8e187dd2d47ab232.exe
  Resource: win10v2004-20220414-en
General
Target: 62946b8134065b0dab11faf906539fcfcbd2b6a89397e7fb8e187dd2d47ab232.exe
Size: 80KB
MD5: 9911fb71ef8b1a93c5c12f6b5c67c4c7
SHA1: 47a712dcb1d7b0e9b101646f55fead9855fd41fe
SHA256: 62946b8134065b0dab11faf906539fcfcbd2b6a89397e7fb8e187dd2d47ab232
SHA512: 763c9a814d8407ffe5c3d4f71882184f5c44ab187f3639a484bcc8d09256964e20273b1691fa0b7f478dfb57c90ac673d9cc2359389d093d969326ae56911cb4
Malware Config
Signatures

Modifies Installed Components in the registry (2 TTPs, 1 IoC)
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Active Setup\Installed Components | explorer.exe
Note: the writer is the relaunched explorer.exe (PID 1804 in the process tree), not the sample. explorer.exe evaluates Active Setup entries whenever a new shell instance starts, so this key being created is expected shell behaviour and is weak evidence on its own; the significant fact is that the sample caused a second shell to start.
Drops file in Program Files directory (1 IoC)
description | ioc | process
File created | C:\Program Files (x86)\SolidTechnology\config.cfg | 62946b8134065b0dab11faf906539fcfcbd2b6a89397e7fb8e187dd2d47ab232.exe
Note: creating a new directory and file under Program Files (x86) normally requires an elevated token, which is consistent with the sample successfully enabling SeDebugPrivilege below. The contents of config.cfg are not captured in this report.
Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments: under some hypervisors the ProcessorNameString value names a virtual CPU model rather than the physical part, and samples also compare it against generic or mismatched brand strings. The same value is read by ordinary installers and system-information code, so treat this as supporting rather than conclusive evidence.
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | 62946b8134065b0dab11faf906539fcfcbd2b6a89397e7fb8e187dd2d47ab232.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | 62946b8134065b0dab11faf906539fcfcbd2b6a89397e7fb8e187dd2d47ab232.exe
Modifies registry class (5 IoCs)
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000_Classes\Local Settings | explorer.exe
Key created | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell | explorer.exe
Key created | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | explorer.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots | explorer.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff | explorer.exe
Note: BagMRU and NodeSlots are the shellbag keys explorer.exe initialises when a fresh shell instance starts (an MRUListEx of ffffffff is an empty list). All five writes come from PID 1804, not from the sample.
Suspicious behavior: EnumeratesProcesses (1 IoC)
pid | process
1852 | 62946b8134065b0dab11faf906539fcfcbd2b6a89397e7fb8e187dd2d47ab232.exe
Note: read together with the SeDebugPrivilege adjustment below, enumeration is the usual prelude to opening processes the caller does not own; the only cross-process writes recorded, however, are into the sample's own children.
Suspicious use of AdjustPrivilegeToken (21 IoCs)
description | pid | process
Token: SeDebugPrivilege | 1852 | 62946b8134065b0dab11faf906539fcfcbd2b6a89397e7fb8e187dd2d47ab232.exe
Token: SeShutdownPrivilege | 1804 | explorer.exe (16 occurrences)
Token: 33 | 1544 | AUDIODG.EXE (2 occurrences)
Token: SeIncBasePriorityPrivilege | 1544 | AUDIODG.EXE (2 occurrences)
Note: the one entry attributable to the sample is SeDebugPrivilege on PID 1852. Enabling it only succeeds when the token already holds the privilege (by default, members of Administrators), and it is what allows opening processes owned by other users or by the system. SeShutdownPrivilege on explorer.exe and the AUDIODG.EXE entries are routine for those system processes; "33" is a privilege LUID the sandbox did not resolve to a name.
Suspicious use of FindShellTrayWindow (24 IoCs)
pid | process
1804 | explorer.exe (24 occurrences)

Suspicious use of SendNotifyMessage (16 IoCs)
pid | process
1804 | explorer.exe (16 occurrences)
Note: both signatures fire only on the relaunched explorer.exe. Locating the tray window and broadcasting shell notifications are what the shell does while building the taskbar, so these rows describe side effects of the runas relaunch rather than behaviour of the sample's own code.
Suspicious use of WriteProcessMemory (11 IoCs)
description | pid | process | procid_target
PID 1852 wrote to memory of 1484 | 1852 | 62946b8134065b0dab11faf906539fcfcbd2b6a89397e7fb8e187dd2d47ab232.exe | 29 (4 occurrences)
PID 1484 wrote to memory of 1804 | 1484 | runas.exe | 30 (4 occurrences)
PID 1804 wrote to memory of 1196 | 1804 | explorer.exe | 31 (3 occurrences)
Note: each pair is a parent writing into a child it has just created (see the process tree below), which is consistent with the writes CreateProcess itself performs while setting up a new process. No write into a process outside that chain is recorded, so this is not evidence of injection into an unrelated process.
Processes
Tree from the Windows 7 x64 run; the number gives the depth, indentation the parent/child relationship.

1. C:\Users\Admin\AppData\Local\Temp\62946b8134065b0dab11faf906539fcfcbd2b6a89397e7fb8e187dd2d47ab232.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\62946b8134065b0dab11faf906539fcfcbd2b6a89397e7fb8e187dd2d47ab232.exe"
   PID: 1852
   - Drops file in Program Files directory
   - Checks processor information in registry
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\runas.exe
      command line: runas /trustlevel:0x20000 C:\Windows\explorer.exe
      PID: 1484
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\explorer.exe
         command line: C:\Windows\explorer.exe
         PID: 1804
         - Modifies Installed Components in the registry
         - Modifies registry class
         - Suspicious use of AdjustPrivilegeToken
         - Suspicious use of FindShellTrayWindow
         - Suspicious use of SendNotifyMessage
         - Suspicious use of WriteProcessMemory
         4. C:\Windows\system32\ctfmon.exe
            command line: ctfmon.exe
            PID: 1196

1. C:\Windows\system32\AUDIODG.EXE
   command line: C:\Windows\system32\AUDIODG.EXE 0x508
   PID: 1544
   - Suspicious use of AdjustPrivilegeToken

Notes on the tree:
- runas.exe runs from SysWOW64, so the sample is a 32-bit image: on x64 Windows, file-system redirection maps a 32-bit process's System32 requests to SysWOW64.
- /trustlevel:0x20000 is SAFER_LEVELID_NORMALUSER ("Basic User"). runas creates explorer.exe with a restricted token in which the administrative group SIDs are deny-only and most privileges are removed, so PID 1804 is a second, low-rights shell instance alongside the user's existing one. The Active Setup, shellbag, FindShellTrayWindow and SendNotifyMessage signatures attributed to PID 1804 are the start-up housekeeping of that new shell, and ctfmon.exe (text services) is started by it in turn. The report does not show why the sample wants a second explorer instance, and no further interaction between PID 1852 and PID 1804 is recorded in the signatures above.
- AUDIODG.EXE is the Windows audio engine host and forms a separate root: it was not started by the sample, and its privilege adjustments are routine.
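Two behaviours in this report are worth turning into detection logic: the "Checks processor information in registry" signature (a process from a user-writable directory querying ProcessorNameString) and the runas /trustlevel relaunch of explorer.exe shown in the process tree. The Python below is an added example, not the sandbox's own rules and not code from the sample. The event schema (process_create / registry_query dicts carrying ProcessId, ParentProcessId, Image, CommandLine and TargetObject) and the EVENTS list are constructed to mirror this report's tree and IoCs, with an extra explorer.exe at PID 1300 as a benign control; the SAFER level names are the SAFER_LEVELID_* constants from winsafer.h.

```python
"""Detection checks for two behaviours in this report: (1) explorer.exe relaunched
through `runas /trustlevel:<SAFER level>` by a process running from a user-writable
directory, and (2) a process from such a directory querying ProcessorNameString.
Added example, not the sandbox's rules or the sample's code.  The event schema
(process_create / registry_query dicts) and EVENTS below are constructed to mirror
the report's process tree and registry IoCs; they are not a captured log."""
import ntpath
import re
from dataclasses import dataclass

# SAFER_LEVELID_* values from winsafer.h; `runas /trustlevel:` accepts one of these.
SAFER_LEVELS = {
    0x40000: "FullyTrusted",
    0x20000: "NormalUser (Basic User)",
    0x10000: "Constrained",
    0x1000: "Untrusted",
    0x0: "Disallowed",
}
TRUSTLEVEL_RE = re.compile(r"/trustlevel:(0x[0-9a-f]+|\d+)\s+(\S.*)$", re.I)
CPU_NAME_VALUE = r"HARDWARE\DESCRIPTION\SYSTEM\CENTRALPROCESSOR\0\PROCESSORNAMESTRING"
# Locations an unprivileged user can write to; a dropped sample normally starts here.
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\downloads\\", "\\users\\public\\")


@dataclass(frozen=True)
class Finding:
    rule: str
    pid: int
    detail: str


def parse_runas_trustlevel(cmdline):
    """Return (level, target) for `runas /trustlevel:<n> <command>`, else None."""
    m = TRUSTLEVEL_RE.search(cmdline)
    if not m:
        return None
    return int(m.group(1), 0), m.group(2).strip().strip('"')


def basename(image):
    return ntpath.basename(image).lower()


def from_user_writable(image):
    return any(p in image.lower() for p in USER_WRITABLE)


def ancestry(pid, procs):
    """Image paths from `pid` up to the highest ancestor present in `procs`."""
    chain, seen = [], set()
    while pid in procs and pid not in seen:
        seen.add(pid)
        chain.append(procs[pid]["Image"])
        pid = procs[pid]["ParentProcessId"]
    return chain


def detect(events):
    procs = {e["ProcessId"]: e for e in events if e["kind"] == "process_create"}
    findings = []
    for e in events:
        pid = e["ProcessId"]
        if e["kind"] == "process_create" and basename(e["Image"]) == "runas.exe":
            parsed = parse_runas_trustlevel(e["CommandLine"])
            # Any level below FullyTrusted gives the new shell a restricted token.
            if parsed and parsed[0] < 0x40000 and basename(parsed[1]) == "explorer.exe":
                parent = procs.get(e["ParentProcessId"], {}).get("Image", "unknown parent")
                level = SAFER_LEVELS.get(parsed[0], hex(parsed[0]))
                findings.append(Finding("restricted_shell_relaunch", pid,
                                        f"explorer.exe at SAFER level {level} by {parent}"))
        if e["kind"] == "process_create" and basename(e["Image"]) == "explorer.exe":
            chain = ancestry(pid, procs)
            via_runas = any(basename(i) == "runas.exe" for i in chain[1:])
            if via_runas and any(from_user_writable(i) for i in chain[1:]):
                findings.append(Finding("explorer_via_runas_from_user_dir", pid, " <- ".join(chain)))
        if e["kind"] == "registry_query" and e["TargetObject"].upper().endswith(CPU_NAME_VALUE):
            image = procs.get(pid, {}).get("Image", "")
            if from_user_writable(image):
                findings.append(Finding("cpu_name_query_from_user_dir", pid, image))
    return findings


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\62946b8134065b0dab11faf906539fcfcbd2b6a89397e7fb8e187dd2d47ab232.exe"
CPU_KEY = r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString"
EVENTS = [  # constructed from the report's tree and IoCs; explorer.exe at PID 1300 is a benign control
    {"kind": "process_create", "ProcessId": 1852, "ParentProcessId": 1000, "Image": SAMPLE,
     "CommandLine": f'"{SAMPLE}"'},
    {"kind": "registry_query", "ProcessId": 1852, "TargetObject": CPU_KEY},
    {"kind": "process_create", "ProcessId": 1484, "ParentProcessId": 1852, "Image": r"C:\Windows\SysWOW64\runas.exe",
     "CommandLine": r"runas /trustlevel:0x20000 C:\Windows\explorer.exe"},
    {"kind": "process_create", "ProcessId": 1804, "ParentProcessId": 1484, "Image": r"C:\Windows\explorer.exe",
     "CommandLine": r"C:\Windows\explorer.exe"},
    {"kind": "process_create", "ProcessId": 1196, "ParentProcessId": 1804, "Image": r"C:\Windows\system32\ctfmon.exe",
     "CommandLine": "ctfmon.exe"},
    {"kind": "process_create", "ProcessId": 1300, "ParentProcessId": 1200, "Image": r"C:\Windows\explorer.exe",
     "CommandLine": r"C:\Windows\Explorer.EXE"},
    {"kind": "registry_query", "ProcessId": 1300, "TargetObject": CPU_KEY},
]

if __name__ == "__main__":
    for f in detect(EVENTS):
        print(f"{f.rule:34} pid={f.pid} {f.detail}")
```

Run against EVENTS this produces three findings, one per link in the chain (the CPU-name read by PID 1852, the runas relaunch at PID 1484, and explorer.exe at PID 1804 descending from runas.exe and a Temp-resident parent), and nothing for the control explorer.exe, whose CPU-name read comes from a system path and whose ancestry contains no runas.exe. The ancestry walk is what keeps the rule from firing on every explorer.exe start; the threshold `< 0x40000` deliberately treats any non-FullyTrusted level as interesting, not just 0x20000.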