Analysis
- max time kernel: 145s
- max time network: 152s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 10-06-2022 13:35

Static task: static1

Behavioral task: behavioral1
- Sample: 5ec57873c7a4829f75472146d59eb8e44f926d9a0df8d4af51ca21c8cd80bace.exe
- Resource: win7-20220414-en

Behavioral task: behavioral2
- Sample: 5ec57873c7a4829f75472146d59eb8e44f926d9a0df8d4af51ca21c8cd80bace.exe
- Resource: win10v2004-20220414-en

General
- Target: 5ec57873c7a4829f75472146d59eb8e44f926d9a0df8d4af51ca21c8cd80bace.exe
- Size: 60KB
- MD5: ff672b6d51815ef9c86e163bfd23f1a5
- SHA1: e4a08257258bc59d67992d762d60ea34f08a6b9d
- SHA256: 5ec57873c7a4829f75472146d59eb8e44f926d9a0df8d4af51ca21c8cd80bace
- SHA512: d957e4e27e6eb10de02d032fbba52918dc9aa67c350b593463e9756fc8c91208a2065d35f13585b60414df5e19ed5f68aadbcb69630fc02b9a0201761064fd57
Malware Config
Signatures
- Modifies Installed Components in the registry (2 TTPs, 1 IoC)
  Processes: explorer.exe
  - Key created: \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Active Setup\Installed Components (explorer.exe)
- Drops file in Program Files directory (1 IoC)
  Processes: 5ec57873c7a4829f75472146d59eb8e44f926d9a0df8d4af51ca21c8cd80bace.exe
  - File created: C:\Program Files (x86)\SysNt Corp\settings.ini (5ec57873c7a4829f75472146d59eb8e44f926d9a0df8d4af51ca21c8cd80bace.exe)
- Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes: 5ec57873c7a4829f75472146d59eb8e44f926d9a0df8d4af51ca21c8cd80bace.exe
  - Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (5ec57873c7a4829f75472146d59eb8e44f926d9a0df8d4af51ca21c8cd80bace.exe)
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (5ec57873c7a4829f75472146d59eb8e44f926d9a0df8d4af51ca21c8cd80bace.exe)
- Modifies registry class (5 IoCs)
  Processes: explorer.exe
  - Key created: \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000_Classes\Local Settings (explorer.exe)
  - Key created: \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell (explorer.exe)
  - Key created: \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU (explorer.exe)
  - Set value (data): \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots (explorer.exe)
  - Set value (data): \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff (explorer.exe)
- Suspicious use of AdjustPrivilegeToken (20 IoCs)
  Processes: explorer.exe, AUDIODG.EXE
  - Token: SeShutdownPrivilege, PID 1088 explorer.exe (x10)
  - Token: 33 and SeIncBasePriorityPrivilege, alternating, PID 1676 AUDIODG.EXE (x2 each)
  - Token: SeShutdownPrivilege, PID 1088 explorer.exe (x6)
- Suspicious use of FindShellTrayWindow (24 IoCs)
  Processes: explorer.exe
  - PID 1088 explorer.exe (x24)
- Suspicious use of SendNotifyMessage (16 IoCs)
  Processes: explorer.exe
  - PID 1088 explorer.exe (x16)
- Suspicious use of WriteProcessMemory (11 IoCs)
  Processes: 5ec57873c7a4829f75472146d59eb8e44f926d9a0df8d4af51ca21c8cd80bace.exe, runas.exe, explorer.exe
  - PID 1960 wrote to memory of 532: 5ec57873c7a4829f75472146d59eb8e44f926d9a0df8d4af51ca21c8cd80bace.exe, procid_target 28 (x4)
  - PID 532 wrote to memory of 1088: runas.exe, procid_target 29 (x4)
  - PID 1088 wrote to memory of 1332: explorer.exe, procid_target 30 (x3)
Processes
- C:\Users\Admin\AppData\Local\Temp\5ec57873c7a4829f75472146d59eb8e44f926d9a0df8d4af51ca21c8cd80bace.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\5ec57873c7a4829f75472146d59eb8e44f926d9a0df8d4af51ca21c8cd80bace.exe"
  PID: 1960
  - Drops file in Program Files directory
  - Checks processor information in registry
  - Suspicious use of WriteProcessMemory
  Spawns:
  - C:\Windows\SysWOW64\runas.exe
    Command line: runas /trustlevel:0x20000 C:\Windows\explorer.exe
    PID: 532
    - Suspicious use of WriteProcessMemory
    Spawns:
    - C:\Windows\explorer.exe
      Command line: C:\Windows\explorer.exe
      PID: 1088
      - Modifies Installed Components in the registry
      - Modifies registry class
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      - Suspicious use of WriteProcessMemory
      Spawns:
      - C:\Windows\system32\ctfmon.exe
        Command line: ctfmon.exe
        PID: 1332
- C:\Windows\system32\AUDIODG.EXE
  Command line: C:\Windows\system32\AUDIODG.EXE 0x40c
  PID: 1676
  - Suspicious use of AdjustPrivilegeToken
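Added example, not part of the sandbox report and not the sandbox vendor's code: a Python triage pass over constructed events modelled on this report's process tree and IoCs. It covers the two signatures in this run that a practitioner would actually act on, the ProcessorNameString read (CPU-name fingerprinting, a common sandbox check) and the `runas /trustlevel:0x20000` launch of explorer.exe. 0x20000 is the SAFER level "Basic User" (SAFER_LEVELID_NORMALUSER, one of the values `runas /showtrustlevels` lists), so the shell is started with a restricted token. The event schema, the SHELL_PARENTS whitelist, and the root parent PIDs (left as None because the report does not show them) are this example's assumptions.

```python
import re

# SAFER level IDs accepted by `runas /trustlevel:<id>` (listed by `runas /showtrustlevels`).
SAFER_LEVELS = {
    0x00000: "Disallowed",
    0x01000: "Untrusted",
    0x10000: "Constrained",
    0x20000: "Basic User",   # restricted token: admin groups deny-only, most privileges stripped
    0x40000: "Unrestricted",
}

# Parents from which an Explorer shell is normally started (assumption of this example).
SHELL_PARENTS = {"userinit.exe", "winlogon.exe", "explorer.exe"}

CPU_NAME_KEY = (r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System"
                r"\CentralProcessor\0\ProcessorNameString")

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\5ec57873c7a4829f75472146d59eb8e44f926d9a0df8d4af51ca21c8cd80bace.exe"

# Constructed events mirroring the report's tree and IoCs. Root parents are None
# because the report does not show them; the field names are this script's own.
EVENTS = [
    {"kind": "process", "pid": 1960, "ppid": None, "image": SAMPLE, "cmdline": f'"{SAMPLE}"'},
    {"kind": "registry_query", "pid": 1960, "target": CPU_NAME_KEY},
    {"kind": "file_create", "pid": 1960, "target": r"C:\Program Files (x86)\SysNt Corp\settings.ini"},
    {"kind": "process", "pid": 532, "ppid": 1960, "image": r"C:\Windows\SysWOW64\runas.exe",
     "cmdline": r"runas /trustlevel:0x20000 C:\Windows\explorer.exe"},
    {"kind": "process", "pid": 1088, "ppid": 532, "image": r"C:\Windows\explorer.exe",
     "cmdline": r"C:\Windows\explorer.exe"},
    {"kind": "process", "pid": 1332, "ppid": 1088, "image": r"C:\Windows\system32\ctfmon.exe",
     "cmdline": "ctfmon.exe"},
    {"kind": "process", "pid": 1676, "ppid": None, "image": r"C:\Windows\system32\AUDIODG.EXE",
     "cmdline": r"C:\Windows\system32\AUDIODG.EXE 0x40c"},
]


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def from_user_writable_path(image):
    """True for images living where an unprivileged user (or a dropper) can write."""
    low = image.lower()
    return any(s in low for s in ("\\appdata\\local\\temp\\", "\\downloads\\", "\\users\\public\\"))


def parse_trustlevel(cmdline):
    """Return the numeric SAFER level from a runas command line, or None if absent."""
    m = re.search(r"/trustlevel:(0x[0-9a-f]+|[0-9]+)", cmdline, re.IGNORECASE)
    if not m:
        return None
    val = m.group(1)
    return int(val, 16) if val.lower().startswith("0x") else int(val)


def triage(events):
    """Return (rule, pid, detail) findings for the behaviours this report shows."""
    procs = {e["pid"]: e for e in events if e["kind"] == "process"}

    def ancestry(pid):  # [self, parent, grandparent, ...] as image basenames
        chain = []
        while pid in procs:
            chain.append(basename(procs[pid]["image"]))
            pid = procs[pid]["ppid"]
        return chain

    findings = []
    for e in events:
        pid = e["pid"]
        image = procs[pid]["image"] if pid in procs else ""
        name = basename(image)
        untrusted_origin = from_user_writable_path(image)

        # CPU-name read from a Temp-path binary: the sandbox-fingerprinting signature.
        if e["kind"] == "registry_query" and untrusted_origin \
                and e["target"].lower() == CPU_NAME_KEY.lower():
            findings.append(("cpu_fingerprint", pid, name))

        # Temp-path binary writing into Program Files (settings.ini in the report).
        elif e["kind"] == "file_create" and untrusted_origin \
                and e["target"].lower().startswith(("c:\\program files\\", "c:\\program files (x86)\\")):
            findings.append(("temp_binary_writes_program_files", pid, e["target"]))

        # runas with an explicit SAFER level: decode it so the analyst sees the token type.
        elif e["kind"] == "process" and name == "runas.exe":
            level = parse_trustlevel(e["cmdline"])
            if level is not None:
                label = SAFER_LEVELS.get(level, "unknown SAFER level")
                findings.append(("runas_trustlevel", pid, f"0x{level:x} ({label})"))

        # A shell whose parent is not the logon chain: here runas.exe under the sample.
        elif e["kind"] == "process" and name == "explorer.exe":
            chain = ancestry(pid)
            if len(chain) > 1 and chain[1] not in SHELL_PARENTS:
                findings.append(("shell_unexpected_parent", pid, " <- ".join(chain)))
    return findings


if __name__ == "__main__":
    for rule, pid, detail in triage(EVENTS):
        print(f"{rule:34} pid={pid:<5} {detail}")
```

Run against the constructed events it reports exactly four findings, one per rule; ctfmon.exe and AUDIODG.EXE produce none. Two caveats when reading the report itself: the registry activity attributed to explorer.exe (ShellBags under BagMRU, the Active Setup Installed Components key) and the ctfmon.exe child are what a freshly started shell does on its own, so the interesting fact is who started that shell, not what it did; and each WriteProcessMemory IoC pairs a parent with the child it created (1960 to 532, 532 to 1088, 1088 to 1332), which corroborates the tree rather than indicating injection into an unrelated process.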