Analysis
- max time kernel: 148s
- max time network: 151s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 27-06-2022 13:39

Tasks
- Static task: static1
- Behavioral task: behavioral1
- Sample: aaf528c6e9dcc6876871abd209ae90a8.exe
- Resource: win7-20220414-en (windows7_x64)
- 0 signatures, 0 seconds
General
- Target: aaf528c6e9dcc6876871abd209ae90a8.exe
- Size: 3.8MB
- MD5: aaf528c6e9dcc6876871abd209ae90a8
- SHA1: 9f6392d28cdf543b5508ce7e86f0dc26df53cc0c
- SHA256: 3d464460a5eca975b045bdf92d3cc2952047279a06a7d618c6ea2c8b66ddce2c
- SHA512: 11452d10f571800290880696695f4cadcf979558dc096df25f3b2f57622a62571b8836780c48f00989578c1d6ad7ee9f77dd7485115e7e221f5e245b43ae34ca
- Score: 10/10
Malware Config
Signatures
- suricata: ET MALWARE Observed Malicious SSL Cert (BitRAT CnC)
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes (description / ioc / process):
  Set value (str) | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows\CurrentVersion\Run\SignatureUpdate = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\SignatureUpdate.exe" | aaf528c6e9dcc6876871abd209ae90a8.exe
- Suspicious use of NtSetInformationThreadHideFromDebugger (5 IoCs)
  Processes (pid / process):
  324 | aaf528c6e9dcc6876871abd209ae90a8.exe (the same entry is listed 5 times in the report)
- Suspicious behavior: RenamesItself (26 IoCs)
  Processes (pid / process):
  324 | aaf528c6e9dcc6876871abd209ae90a8.exe (the same entry is listed 26 times in the report)
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes (description / pid / process):
  Token: SeDebugPrivilege | 324 | aaf528c6e9dcc6876871abd209ae90a8.exe
  Token: SeShutdownPrivilege | 324 | aaf528c6e9dcc6876871abd209ae90a8.exe
- Suspicious use of SetWindowsHookEx (2 IoCs)
  Processes (pid / process):
  324 | aaf528c6e9dcc6876871abd209ae90a8.exe (the same entry is listed 2 times in the report)
Processes
- C:\Users\Admin\AppData\Local\Temp\aaf528c6e9dcc6876871abd209ae90a8.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\aaf528c6e9dcc6876871abd209ae90a8.exe"
  - Adds Run key to start application
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: RenamesItself
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/324-54-0x0000000075E51000-0x0000000075E53000-memory.dmp (8KB)
- memory/324-55-0x00000000003D0000-0x00000000003DA000-memory.dmp (40KB)
- memory/324-56-0x00000000003D0000-0x00000000003DA000-memory.dmp (40KB)
- memory/324-57-0x00000000003D0000-0x00000000003DA000-memory.dmp (40KB)