Analysis
- max time kernel: 169s
- max time network: 116s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 21-06-2022 17:34
Static task: static1
Behavioral task: behavioral1
Sample: 3009ba30b32ee1b30b5c1ff5545da20237bacb418b74578ae6cfaffaa786522b.exe
Resource: win7-20220414-en
General
- Target: 3009ba30b32ee1b30b5c1ff5545da20237bacb418b74578ae6cfaffaa786522b.exe
- Size: 861KB
- MD5: 4b95fa4786f5830cb7f0027f9d15adef
- SHA1: feca329eaf6fabae376a15cf6908c2171fb86393
- SHA256: 3009ba30b32ee1b30b5c1ff5545da20237bacb418b74578ae6cfaffaa786522b
- SHA512: a712857ea1a0db3267644c07395662fe39ca0e519ca402e9c63dc1fa28c36f59b994700908cb3ea7d63437d7cc25bd0a8bfeffbb13364397eb570e94e4217a5a
Malware Config
Signatures
- Suspicious use of SetThreadContext (1 IoCs)
  Processes:
    description: PID 632 set thread context of 932 | pid: 632 | Process: installutil.exe | procid_target: 32
- Drops file in Windows directory (2 IoCs)
  Processes:
    description: File created | ioc: C:\Windows\debug\WIA\SzXipsZcwgn.exe | Process: installutil.exe
    description: File opened for modification | ioc: C:\Windows\debug\WIA\SzXipsZcwgn.exe | Process: installutil.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Creates scheduled task(s) (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious behavior: EnumeratesProcesses (1 IoCs)
  Processes:
    pid: 632 | Process: installutil.exe
- Suspicious use of AdjustPrivilegeToken (4 IoCs)
  Processes:
    description: Token: SeDebugPrivilege | pid: 632 | Process: installutil.exe
    description: Token: SeDebugPrivilege | pid: 932 | Process: installutil.exe
    description: Token: 33 | pid: 932 | Process: installutil.exe
    description: Token: SeIncBasePriorityPrivilege | pid: 932 | Process: installutil.exe
- Suspicious use of SetWindowsHookEx (1 IoCs)
  Processes:
    pid: 932 | Process: installutil.exe
- Suspicious use of WriteProcessMemory (23 IoCs)
  Processes:
    description: PID 1832 wrote to memory of 632 | pid: 1832 | Process: 3009ba30b32ee1b30b5c1ff5545da20237bacb418b74578ae6cfaffaa786522b.exe | procid_target: 28 (7 identical entries)
    description: PID 632 wrote to memory of 1792 | pid: 632 | Process: installutil.exe | procid_target: 30 (4 identical entries)
    description: PID 632 wrote to memory of 932 | pid: 632 | Process: installutil.exe | procid_target: 32 (12 identical entries)
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\3009ba30b32ee1b30b5c1ff5545da20237bacb418b74578ae6cfaffaa786522b.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\3009ba30b32ee1b30b5c1ff5545da20237bacb418b74578ae6cfaffaa786522b.exe"
  PID: 1832
  - Suspicious use of WriteProcessMemory
  - [2] C:\Windows\Microsoft.NET\Framework\v2.0.50727\installutil.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\installutil.exe" /logtoconsole=false /logfile= /u "C:\Users\Admin\AppData\Local\Temp\3009ba30b32ee1b30b5c1ff5545da20237bacb418b74578ae6cfaffaa786522b.exe"
    PID: 632
    - Suspicious use of SetThreadContext
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\SysWOW64\schtasks.exe
      Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\SzXipsZcwgn" /XML "C:\Users\Admin\AppData\Local\Temp\tmp8AA4.tmp"
      PID: 1792
      - Creates scheduled task(s)
    - [3] C:\Windows\Microsoft.NET\Framework\v2.0.50727\installutil.exe
      Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\installutil.exe"
      PID: 932
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
- [1] C:\Windows\system32\wbem\WmiApSrv.exe
  Command line: C:\Windows\system32\wbem\WmiApSrv.exe
  PID: 548
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 1KB
  MD5: a9338171b45140f38858428d30278082
  SHA1: 1f33a6dbeb2cb60a1d47f116492e890ec366ca36
  SHA256: 016876ac4eda3813361eb2808cabc5119cbfb93fb55766c064f24820f80456d3
  SHA512: ea19b4b01d6b6d5fb2a162fc00521dfbd0585393f24117d3d361a38cc5e0c815a49b877d11624a65cc03f87522f7209d4544f0aab69fd22061bd9bafa6f54a4c