Analysis

  • max time kernel
    145s
  • max time network
    152s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    10-06-2022 13:35

General

  • Target

    62946b8134065b0dab11faf906539fcfcbd2b6a89397e7fb8e187dd2d47ab232.exe

  • Size

    80KB

  • MD5

    9911fb71ef8b1a93c5c12f6b5c67c4c7

  • SHA1

    47a712dcb1d7b0e9b101646f55fead9855fd41fe

  • SHA256

    62946b8134065b0dab11faf906539fcfcbd2b6a89397e7fb8e187dd2d47ab232

  • SHA512

    763c9a814d8407ffe5c3d4f71882184f5c44ab187f3639a484bcc8d09256964e20273b1691fa0b7f478dfb57c90ac673d9cc2359389d093d969326ae56911cb4

Score
8/10

Malware Config

Signatures

  • Modifies Installed Components in the registry 2 TTPs 1 IoCs
  • Drops file in Program Files directory 1 IoCs
  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies registry class 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 21 IoCs
  • Suspicious use of FindShellTrayWindow 24 IoCs
  • Suspicious use of SendNotifyMessage 16 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\62946b8134065b0dab11faf906539fcfcbd2b6a89397e7fb8e187dd2d47ab232.exe
    "C:\Users\Admin\AppData\Local\Temp\62946b8134065b0dab11faf906539fcfcbd2b6a89397e7fb8e187dd2d47ab232.exe"
    1⤵
    • Drops file in Program Files directory
    • Checks processor information in registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1852
    • C:\Windows\SysWOW64\runas.exe
      runas /trustlevel:0x20000 C:\Windows\explorer.exe
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1484
      • C:\Windows\explorer.exe
        C:\Windows\explorer.exe
        3⤵
        • Modifies Installed Components in the registry
        • Modifies registry class
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        • Suspicious use of WriteProcessMemory
        PID:1804
        • C:\Windows\system32\ctfmon.exe
          ctfmon.exe
          4⤵
            PID:1196
    • C:\Windows\system32\AUDIODG.EXE
      C:\Windows\system32\AUDIODG.EXE 0x508
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:1544

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Persistence

    Registry Run Keys / Startup Folder

    1
    T1060

    Defense Evasion

    Modify Registry

    1
    T1112

    Discovery

    Query Registry

    1
    T1012

    System Information Discovery

    1
    T1082

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/1196-59-0x0000000000000000-mapping.dmp
    • memory/1484-55-0x0000000000000000-mapping.dmp
    • memory/1804-57-0x0000000000000000-mapping.dmp
    • memory/1804-58-0x000007FEFBAA1000-0x000007FEFBAA3000-memory.dmp
      Filesize

      8KB

    • memory/1804-62-0x0000000002B50000-0x0000000002B60000-memory.dmp
      Filesize

      64KB

    • memory/1852-54-0x00000000753B1000-0x00000000753B3000-memory.dmp
      Filesize

      8KB

    • memory/1852-60-0x0000000074460000-0x0000000074A0B000-memory.dmp
      Filesize

      5.7MB

    • memory/1852-61-0x0000000074460000-0x0000000074A0B000-memory.dmp
      Filesize

      5.7MB