Analysis
- max time kernel: 145s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 04-07-2022 20:24
Static task: static1
Behavioral task: behavioral1
- Sample: 7e948ac0336182702bdc791b870dbff7.exe
- Resource: win7-20220414-en (windows7_x64)
- 0 signatures
- 0 seconds
General
- Target: 7e948ac0336182702bdc791b870dbff7.exe
- Size: 202KB
- MD5: 7e948ac0336182702bdc791b870dbff7
- SHA1: f71f24607d8ac75e0fac19afa8a745aff1f628f2
- SHA256: f64ef9de75ba297ed09efed49035c3035b4f5774da87cb74497302341d68054a
- SHA512: ce19ee81457f884f75c34e86d06072b33056593c2760762051451a3766c8220622409ce489afccd4c5374b7d43d3e68acd1ff62796eb055351e71cca79349edc
Malware Config
Signatures
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes:
    description: Set value (str)
    ioc: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\TCP Service = "C:\\Program Files (x86)\\TCP Service\\tcpsvc.exe"
    process: 7e948ac0336182702bdc791b870dbff7.exe
- Checks whether UAC is enabled
  Processes:
    description: Key value queried
    ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
    process: 7e948ac0336182702bdc791b870dbff7.exe
- Drops file in Program Files directory (2 IoCs)
  Processes:
    description: File created
    ioc: C:\Program Files (x86)\TCP Service\tcpsvc.exe
    process: 7e948ac0336182702bdc791b870dbff7.exe

    description: File opened for modification
    ioc: C:\Program Files (x86)\TCP Service\tcpsvc.exe
    process: 7e948ac0336182702bdc791b870dbff7.exe
- Suspicious behavior: EnumeratesProcesses (3 IoCs)
  Processes:
    pid: 4132, process: 7e948ac0336182702bdc791b870dbff7.exe
    pid: 4132, process: 7e948ac0336182702bdc791b870dbff7.exe
    pid: 4132, process: 7e948ac0336182702bdc791b870dbff7.exe
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  Processes:
    pid: 4132, process: 7e948ac0336182702bdc791b870dbff7.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
    description: Token: SeDebugPrivilege
    pid: 4132
    process: 7e948ac0336182702bdc791b870dbff7.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\7e948ac0336182702bdc791b870dbff7.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\7e948ac0336182702bdc791b870dbff7.exe"
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken