Analysis
-
max time kernel
91s -
max time network
146s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system -
submitted
15-09-2022 11:06
Behavioral task
behavioral1
Sample
013a54d88cabf8dd0afb664b6f1b06b7.exe
Resource
win7-20220901-en
Behavioral task
behavioral2
Sample
013a54d88cabf8dd0afb664b6f1b06b7.exe
Resource
win10v2004-20220812-en
General
-
Target
013a54d88cabf8dd0afb664b6f1b06b7.exe
-
Size
37KB
-
MD5
013a54d88cabf8dd0afb664b6f1b06b7
-
SHA1
99431f171ef84bbae20376a787135578a61f235f
-
SHA256
f0aa0de7d31f68b412ddb78d8a0ffe9153422133780522a945eb17b5bd1016f0
-
SHA512
f5e21e058ce8569e764b8ddbf0f6b6b28b1c4aa913fec25e09e377786a321ac742a631eab39b3d7e0b5794d9a9b6ffdc7b52d585a0560b8d4eb2683fac0aeabd
-
SSDEEP
384:w+xcaCisP/WRdL5kyc/5kvHHng6sZ8UrAF+rMRTyN/0L+EcoinblneHQM3epzX0t:FxckD5nc/5k/VsxrM+rMRa8NuCnt
Malware Config
Signatures
-
Drops file in Windows directory 1 IoCs
Processes:
dw20.exedescription ioc process File created C:\Windows\AppCompat\Programs\Amcache.hve.tmp dw20.exe -
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
dw20.exedescription ioc process Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 dw20.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz dw20.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString dw20.exe -
Enumerates system info in registry 2 TTPs 2 IoCs
Processes:
dw20.exedescription ioc process Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS dw20.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU dw20.exe -
Suspicious use of AdjustPrivilegeToken 5 IoCs
Processes:
dw20.exedescription pid process Token: SeRestorePrivilege 3420 dw20.exe Token: SeBackupPrivilege 3420 dw20.exe Token: SeBackupPrivilege 3420 dw20.exe Token: SeBackupPrivilege 3420 dw20.exe Token: SeBackupPrivilege 3420 dw20.exe -
Suspicious use of WriteProcessMemory 3 IoCs
Processes:
013a54d88cabf8dd0afb664b6f1b06b7.exedescription pid process target process PID 3060 wrote to memory of 3420 3060 013a54d88cabf8dd0afb664b6f1b06b7.exe dw20.exe PID 3060 wrote to memory of 3420 3060 013a54d88cabf8dd0afb664b6f1b06b7.exe dw20.exe PID 3060 wrote to memory of 3420 3060 013a54d88cabf8dd0afb664b6f1b06b7.exe dw20.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\013a54d88cabf8dd0afb664b6f1b06b7.exe"C:\Users\Admin\AppData\Local\Temp\013a54d88cabf8dd0afb664b6f1b06b7.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exedw20.exe -x -s 4482⤵
- Drops file in Windows directory
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken