Analysis

  max time kernel:   151s
  max time network:  155s
  platform:          windows7_x64
  resource:          win7-20220414-en
  submitted:         15-06-2022 01:55

Static task
  static1

Behavioral task
  behavioral1
  Sample:    2b8440fccbeb5d15bb7f10edbcceb9f0e266834f7e37dfd325b46b022fb00680.exe
  Resource:  win7-20220414-en

  0 signatures, 0 seconds
General

  Target:  2b8440fccbeb5d15bb7f10edbcceb9f0e266834f7e37dfd325b46b022fb00680.exe
  Size:    1.5MB
  MD5:     0e0ecb2edc7003d8a0dcfa95254a0802
  SHA1:    925edff7d2c5c742dfef70f1489a61479c3a14ae
  SHA256:  2b8440fccbeb5d15bb7f10edbcceb9f0e266834f7e37dfd325b46b022fb00680
  SHA512:  1196a663e0c273f4bcc247c47104092510abe0daaca5272d904caf766b9432758f87e88605331ab58b2b387fbf052af04124572bb889b8aecb909a24bf02d2fb
Malware Config
  (nothing extracted)

Signatures

  Drops startup file (1 IoC)
    Process:  2b8440fccbeb5d15bb7f10edbcceb9f0e266834f7e37dfd325b46b022fb00680.exe (PID 848)
    File opened for modification:
      C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RiBH.com.url

  Suspicious use of SetThreadContext (1 IoC)
    PID 848 (2b8440fccbeb5d15bb7f10edbcceb9f0e266834f7e37dfd325b46b022fb00680.exe)
      set thread context of PID 1100 (InstallUtil.exe), procid_target 26

  Suspicious behavior: GetForegroundWindowSpam (1 IoC)
    PID 1100  InstallUtil.exe

  Suspicious use of AdjustPrivilegeToken (3 IoCs)
    PID 1100  InstallUtil.exe  Token: SeDebugPrivilege
    PID 1100  InstallUtil.exe  Token: 33 (privilege LUID 33, SeIncreaseWorkingSetPrivilege)
    PID 1100  InstallUtil.exe  Token: SeIncBasePriorityPrivilege

  Suspicious use of SetWindowsHookEx (1 IoC)
    PID 1100  InstallUtil.exe

  Suspicious use of WriteProcessMemory (12 IoCs)
    PID 848 (2b8440fccbeb5d15bb7f10edbcceb9f0e266834f7e37dfd325b46b022fb00680.exe)
      wrote to memory of PID 1100 (InstallUtil.exe), procid_target 26
      (12 identical entries)

  Reading the signatures together: the sample (PID 848) spawns InstallUtil.exe, a signed .NET Framework utility, with no command-line arguments (InstallUtil normally receives an assembly path), then writes into that process twelve times and calls SetThreadContext on it. That sequence is the classic process-hollowing / remote-injection pattern, so the behaviors attributed to PID 1100 below (SeDebugPrivilege, a SetWindowsHookEx hook, repeated GetForegroundWindow polling, a pattern consistent with keystroke or window-title capture) should be read as the sample's payload running under the InstallUtil.exe image name, not as InstallUtil's own behavior. Persistence is a .url Internet shortcut (RiBH.com.url) written to the per-user Startup folder; the report does not show what the shortcut points to.
Processes

  C:\Users\Admin\AppData\Local\Temp\2b8440fccbeb5d15bb7f10edbcceb9f0e266834f7e37dfd325b46b022fb00680.exe  (PID 848)
    command line: "C:\Users\Admin\AppData\Local\Temp\2b8440fccbeb5d15bb7f10edbcceb9f0e266834f7e37dfd325b46b022fb00680.exe"
    - Drops startup file
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory

      C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe  (PID 1100, child of PID 848)
        command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
        - Suspicious behavior: GetForegroundWindowSpam
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of SetWindowsHookEx

  C:\Windows\system32\wbem\WmiApSrv.exe  (PID 560)
    command line: C:\Windows\system32\wbem\WmiApSrv.exe
    (WMI Performance Adapter service; no signatures attributed, not part of the sample's process tree)
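The three behaviors the report exposes (a Startup-folder drop, a bare InstallUtil.exe launch, and repeated cross-process writes followed by SetThreadContext) map directly onto detection logic. The script below is an added example, not part of the sandbox output or of any vendor's detection content. Its event schema (dicts with `type`, `pid`, `image`, `cmdline`, `path`, `target_pid`, `api`) is constructed for illustration to mirror the fields in the report; the embedded events reproduce the PIDs, paths and counts shown above plus one constructed benign InstallUtil run as a control. Map real Sysmon or EDR telemetry onto the schema before using the rules.

```python
"""Detection rules for the behaviors in the sandbox report (added example)."""
import ntpath
from collections import Counter

# Per-user Startup folder and the extensions Windows will execute from it.
STARTUP_DIR = "\\appdata\\roaming\\microsoft\\windows\\start menu\\programs\\startup\\"
STARTUP_EXTS = {".url", ".lnk", ".exe", ".bat", ".cmd", ".vbs", ".js", ".ps1", ".scr"}
# Signed, normally quiet .NET utilities that are common hollowing targets.
# InstallUtil.exe is the one this report shows; the others are assumptions.
HOLLOW_TARGETS = {"installutil.exe", "regasm.exe", "regsvcs.exe", "aspnet_compiler.exe"}
WRITE_THRESHOLD = 3  # remote writes from one PID into another before we care


def base(image):
    return ntpath.basename(image).lower()


def check_startup_drop(ev):
    """File write into the Startup folder with an auto-run extension."""
    path = ev.get("path", "")
    if STARTUP_DIR in path.lower() and ntpath.splitext(path)[1].lower() in STARTUP_EXTS:
        return f"startup_persistence: {base(ev['image'])} (PID {ev['pid']}) wrote {path}"
    return None


def check_installutil_no_args(ev):
    """InstallUtil normally receives an assembly path; a bare launch is odd."""
    if base(ev["image"]) in HOLLOW_TARGETS:
        cmd = ev.get("cmdline", "").strip()
        # Strip the (quoted or unquoted) image path; whatever remains is the argument list.
        tail = cmd.replace(f'"{ev["image"]}"', "", 1).replace(ev["image"], "", 1).strip()
        if not tail:
            return f"suspicious_launch: {base(ev['image'])} (PID {ev['pid']}) started with no arguments"
    return None


def check_remote_writes(events):
    """Correlate repeated WriteProcessMemory with SetThreadContext across PIDs."""
    writes, ctx, images = Counter(), set(), {}
    for ev in events:
        if ev["type"] == "process_create":
            images[ev["pid"]] = ev["image"]
        elif ev["type"] == "api" and ev.get("target_pid") not in (None, ev["pid"]):
            key = (ev["pid"], ev["target_pid"])
            if ev["api"] == "WriteProcessMemory":
                writes[key] += 1
            elif ev["api"] == "SetThreadContext":
                ctx.add(key)
    hits = []
    for (src, dst), n in writes.items():
        if n >= WRITE_THRESHOLD and (src, dst) in ctx:
            hits.append(f"probable_hollowing: PID {src} ({base(images.get(src, '?'))}) wrote {n}x "
                        f"into PID {dst} ({base(images.get(dst, '?'))}) and set its thread context")
    return hits


def analyze(events):
    findings = []
    for ev in events:
        hit = None
        if ev["type"] == "file_write":
            hit = check_startup_drop(ev)
        elif ev["type"] == "process_create":
            hit = check_installutil_no_args(ev)
        if hit:
            findings.append(hit)
    findings.extend(check_remote_writes(events))
    return findings


# Constructed events reproducing the report (PIDs, paths and the 12 writes are from the report).
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\2b8440fccbeb5d15bb7f10edbcceb9f0e266834f7e37dfd325b46b022fb00680.exe"
IU = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
EVENTS = (
    [{"type": "process_create", "pid": 848, "image": SAMPLE, "cmdline": f'"{SAMPLE}"'},
     {"type": "file_write", "pid": 848, "image": SAMPLE,
      "path": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RiBH.com.url"},
     {"type": "process_create", "pid": 1100, "image": IU, "cmdline": f'"{IU}"'}]
    + [{"type": "api", "pid": 848, "target_pid": 1100, "api": "WriteProcessMemory"}] * 12
    + [{"type": "api", "pid": 848, "target_pid": 1100, "api": "SetThreadContext"},
       # Constructed benign control: an installer run with an assembly argument (not in the report).
       {"type": "process_create", "pid": 2000, "image": IU,
        "cmdline": '"' + IU + r'" /i C:\Program Files\App\Svc.exe'}]
)

if __name__ == "__main__":
    for finding in analyze(EVENTS):
        print(finding)
```

Run stand-alone it prints three findings (the Startup drop, the argument-less InstallUtil launch, and the write-plus-SetThreadContext correlation) and stays silent on the constructed benign InstallUtil run. The write threshold and the target list are tuning knobs: Sysmon does not log WriteProcessMemory itself, so on real telemetry the closest substitutes are Event ID 10 (ProcessAccess with write-capable GrantedAccess) and Event ID 8 (CreateRemoteThread).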