Analysis
Max time kernel: 43s
Max time network: 45s
Platform: windows7_x64
Resource: win7-20220812-en
Resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
Submitted: 07-10-2022 18:44
Static task: static1

Behavioral task: behavioral1
Sample: tmp.exe
Resource: win7-20220812-en (windows7-x64)
6 signatures, 150 seconds

Behavioral task: behavioral2
Sample: tmp.exe
Resource: win10v2004-20220901-en (windows10-2004-x64)
6 signatures, 150 seconds
General
Target: tmp.exe
Size: 320KB
MD5: 79c8aec89b55f0fd893c5358cfe66634
SHA1: cb1065ed12890f9dfa599e94c559626129f9efcb
SHA256: 78bd069d6b2a1e617941b71b6953e0a8c792f49d3afbf3663610d60e280048fa
SHA512: 8f0080961607b102006594f33904b2e61346c4465874807e411a61d8ac08b3abb186736549161e1ce09910fc3c87f37e1a4052cbb88e8207c9b7b80668fa6ffd
SSDEEP: 6144:L2CgfxElP8isat6Z475cw0npnlSLmarpUguiVuVTEryN+9t7NS:L2YR2DEknwaaFUZiVuK7
Score: 10/10
Malware Config
(none extracted)

Signatures

Modifies WinLogon for persistence (2 TTPs, 1 IoC)
  Process: tmp.exe
  Set value (str): \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,\"C:\\Users\\Admin\\AppData\\Roaming\\ViperFolder\\FiperTY.exe\","

Suspicious use of SetThreadContext (1 IoC)
  PID 832 (tmp.exe) set thread context of PID 1728 (procid_target 28)

Suspicious behavior: AddClipboardFormatListener (1 IoC)
  PID 1728 (RegAsm.exe)

Suspicious behavior: EnumeratesProcesses (1 IoC)
  PID 832 (tmp.exe)

Suspicious use of AdjustPrivilegeToken (1 IoC)
  PID 832 (tmp.exe): Token SeDebugPrivilege

Suspicious use of WriteProcessMemory (12 IoCs)
  PID 832 (tmp.exe) wrote to memory of PID 1728 (procid_target 28), 12 identical entries
Processes

1. C:\Users\Admin\AppData\Local\Temp\tmp.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\tmp.exe"
   PID: 832
   - Modifies WinLogon for persistence
   - Suspicious use of SetThreadContext
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe (child of PID 832)
      Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      PID: 1728
      - Suspicious behavior: AddClipboardFormatListener