Analysis
max time kernel: 146s
max time network: 151s
platform: windows7_x64
resource: win7-20220414-en
submitted: 10-06-2022 13:35
Static task: static1
Behavioral task: behavioral1
  Sample: 73664c342b302e4879afeb7db4eeae5efc37942e877414a13902372d25c366c5.exe
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: 73664c342b302e4879afeb7db4eeae5efc37942e877414a13902372d25c366c5.exe
  Resource: win10v2004-20220414-en
General
Target: 73664c342b302e4879afeb7db4eeae5efc37942e877414a13902372d25c366c5.exe
Size: 536KB
MD5: cf27e0c4c038163aa9d3005963e221f8
SHA1: ba8f41d8372d99ba9c14af64d6a4a14098558625
SHA256: 73664c342b302e4879afeb7db4eeae5efc37942e877414a13902372d25c366c5
SHA512: b493a5b2b8463aded2883d7d6d65286ad512e57c84fbb761e7d4fb7634eb75fca2941826d02400b87995e4e755b29bbe00a7ef6bb6510f0cab980303a3a4336c
Malware Config
Signatures

Modifies Installed Components in the registry (2 TTPs, 1 IoC)
Processes: explorer.exe
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Active Setup\Installed Components | explorer.exe

Drops file in Program Files directory (1 IoC)
Processes: 73664c342b302e4879afeb7db4eeae5efc37942e877414a13902372d25c366c5.exe
  description | ioc | process
  File created | C:\Program Files (x86)\SolidTechnology\config.cfg | 73664c342b302e4879afeb7db4eeae5efc37942e877414a13902372d25c366c5.exe

Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes: 73664c342b302e4879afeb7db4eeae5efc37942e877414a13902372d25c366c5.exe
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | 73664c342b302e4879afeb7db4eeae5efc37942e877414a13902372d25c366c5.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | 73664c342b302e4879afeb7db4eeae5efc37942e877414a13902372d25c366c5.exe

Modifies registry class (5 IoCs)
Processes: explorer.exe
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000_Classes\Local Settings | explorer.exe
  Key created | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell | explorer.exe
  Key created | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | explorer.exe
  Set value (data) | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots | explorer.exe
  Set value (data) | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff | explorer.exe

Suspicious behavior: EnumeratesProcesses (1 IoC)
Processes: 73664c342b302e4879afeb7db4eeae5efc37942e877414a13902372d25c366c5.exe
  pid | process
  1740 | 73664c342b302e4879afeb7db4eeae5efc37942e877414a13902372d25c366c5.exe

Suspicious use of AdjustPrivilegeToken (21 IoCs)
Processes: 73664c342b302e4879afeb7db4eeae5efc37942e877414a13902372d25c366c5.exe, explorer.exe, AUDIODG.EXE
  description | pid | process
  Token: SeDebugPrivilege | 1740 | 73664c342b302e4879afeb7db4eeae5efc37942e877414a13902372d25c366c5.exe
  Token: SeShutdownPrivilege | 2008 | explorer.exe (10 identical entries)
  Token: 33 | 1252 | AUDIODG.EXE
  Token: SeIncBasePriorityPrivilege | 1252 | AUDIODG.EXE
  Token: 33 | 1252 | AUDIODG.EXE
  Token: SeIncBasePriorityPrivilege | 1252 | AUDIODG.EXE
  Token: SeShutdownPrivilege | 2008 | explorer.exe (6 identical entries)

Suspicious use of FindShellTrayWindow (23 IoCs)
Processes: explorer.exe
  pid | process
  2008 | explorer.exe (23 identical entries)

Suspicious use of SendNotifyMessage (21 IoCs)
Processes: explorer.exe
  pid | process
  2008 | explorer.exe (21 identical entries)

Suspicious use of WriteProcessMemory (11 IoCs)
Processes: 73664c342b302e4879afeb7db4eeae5efc37942e877414a13902372d25c366c5.exe, runas.exe, explorer.exe
  description | pid | process | procid_target
  PID 1740 wrote to memory of 2020 | 1740 | 73664c342b302e4879afeb7db4eeae5efc37942e877414a13902372d25c366c5.exe | 29 (4 identical entries)
  PID 2020 wrote to memory of 2008 | 2020 | runas.exe | 30 (4 identical entries)
  PID 2008 wrote to memory of 528 | 2008 | explorer.exe | 31 (3 identical entries)
Processes

C:\Users\Admin\AppData\Local\Temp\73664c342b302e4879afeb7db4eeae5efc37942e877414a13902372d25c366c5.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\73664c342b302e4879afeb7db4eeae5efc37942e877414a13902372d25c366c5.exe"
  - Drops file in Program Files directory
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1740
  Child: C:\Windows\SysWOW64\runas.exe
    Command line: runas /trustlevel:0x20000 C:\Windows\explorer.exe
    - Suspicious use of WriteProcessMemory
    PID: 2020
    Child: C:\Windows\explorer.exe
      Command line: C:\Windows\explorer.exe
      - Modifies Installed Components in the registry
      - Modifies registry class
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      - Suspicious use of WriteProcessMemory
      PID: 2008
      Child: C:\Windows\system32\ctfmon.exe
        Command line: ctfmon.exe
        PID: 528

C:\Windows\system32\AUDIODG.EXE
  Command line: C:\Windows\system32\AUDIODG.EXE 0x524
  - Suspicious use of AdjustPrivilegeToken
  PID: 1252