Analysis
- max time kernel: 40s
- max time network: 46s
- platform: windows7_x64
- resource: win7-20220812-en
- resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
- submitted: 11/10/2022, 02:55
- Static task: static1
- Behavioral task: behavioral1
  - Sample: 381eae7a558d8599f67b1dca1131fa92d500d14e4b56b90f0e6ff656984471ac.exe
  - Resource: win7-20220812-en
General
- Target: 381eae7a558d8599f67b1dca1131fa92d500d14e4b56b90f0e6ff656984471ac.exe
- Size: 747KB
- MD5: 060f15001381480ff0954366c3315d87
- SHA1: a144e3a202b4ecf716178af0b971897a40b11269
- SHA256: 381eae7a558d8599f67b1dca1131fa92d500d14e4b56b90f0e6ff656984471ac
- SHA512: 4012de7fc5dcb2bcda3eabb231377aead7ad40c849f107223a9d65d7d6a9b06f8af257eebec550b0a649d593d54b097908145857d5e11564368cd50714451287
- SSDEEP: 12288:qfSZhRaUrFaMNzJctSh9/NoNg9feDrSadzTvVEtyL0KN817T6RfJYGxLCf5TBLQM:3ZhRaUhaQplSg9eDrddzpwyYKN817T6m
Malware Config
Signatures
Checks BIOS information in registry (2 TTPs, 1 IoC)
BIOS information is often read in order to detect sandboxing environments.

  description        ioc                                                           Process
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate  381eae7a558d8599f67b1dca1131fa92d500d14e4b56b90f0e6ff656984471ac.exe
Suspicious use of SetThreadContext (2 IoCs)

  description                          pid   Process                                                                Procid_target
  PID 832 set thread context of 1640   832   381eae7a558d8599f67b1dca1131fa92d500d14e4b56b90f0e6ff656984471ac.exe  27
  PID 1640 set thread context of 1984  1640  381eae7a558d8599f67b1dca1131fa92d500d14e4b56b90f0e6ff656984471ac.exe  28
Program crash (1 IoC)

  pid  pid_target  Process       procid_target
  520  1984        WerFault.exe  28
Checks processor information in registry (2 TTPs, 4 IoCs)
Processor information is often read in order to detect sandboxing environments.

  description        ioc                                                                                 Process
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier    381eae7a558d8599f67b1dca1131fa92d500d14e4b56b90f0e6ff656984471ac.exe
  Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0                     381eae7a558d8599f67b1dca1131fa92d500d14e4b56b90f0e6ff656984471ac.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString 381eae7a558d8599f67b1dca1131fa92d500d14e4b56b90f0e6ff656984471ac.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier          381eae7a558d8599f67b1dca1131fa92d500d14e4b56b90f0e6ff656984471ac.exe
Enumerates system info in registry (2 TTPs, 1 IoC)

  description        ioc                                                     Process
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier  381eae7a558d8599f67b1dca1131fa92d500d14e4b56b90f0e6ff656984471ac.exe
Suspicious use of AdjustPrivilegeToken (23 IoCs)
All 23 entries have pid 1640, Process 381eae7a558d8599f67b1dca1131fa92d500d14e4b56b90f0e6ff656984471ac.exe; the tokens enabled are:

  Token: SeIncreaseQuotaPrivilege
  Token: SeSecurityPrivilege
  Token: SeTakeOwnershipPrivilege
  Token: SeLoadDriverPrivilege
  Token: SeSystemProfilePrivilege
  Token: SeSystemtimePrivilege
  Token: SeProfSingleProcessPrivilege
  Token: SeIncBasePriorityPrivilege
  Token: SeCreatePagefilePrivilege
  Token: SeBackupPrivilege
  Token: SeRestorePrivilege
  Token: SeShutdownPrivilege
  Token: SeDebugPrivilege
  Token: SeSystemEnvironmentPrivilege
  Token: SeChangeNotifyPrivilege
  Token: SeRemoteShutdownPrivilege
  Token: SeUndockPrivilege
  Token: SeManageVolumePrivilege
  Token: SeImpersonatePrivilege
  Token: SeCreateGlobalPrivilege
  Token: 33
  Token: 34
  Token: 35
Suspicious use of WriteProcessMemory (23 IoCs)
Identical entries are grouped; the count column gives how many times each write was recorded.

  description                     pid   Process                                                                procid_target  count
  PID 832 wrote to memory of 1640   832   381eae7a558d8599f67b1dca1131fa92d500d14e4b56b90f0e6ff656984471ac.exe  27             13
  PID 1640 wrote to memory of 1984  1640  381eae7a558d8599f67b1dca1131fa92d500d14e4b56b90f0e6ff656984471ac.exe  28             6
  PID 1984 wrote to memory of 520   1984  explorer.exe                                                           29             4
Processes
(each process is nested under the process that started it)

1. C:\Users\Admin\AppData\Local\Temp\381eae7a558d8599f67b1dca1131fa92d500d14e4b56b90f0e6ff656984471ac.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\381eae7a558d8599f67b1dca1131fa92d500d14e4b56b90f0e6ff656984471ac.exe"
   PID: 832
   - Suspicious use of SetThreadContext
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\381eae7a558d8599f67b1dca1131fa92d500d14e4b56b90f0e6ff656984471ac.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\381eae7a558d8599f67b1dca1131fa92d500d14e4b56b90f0e6ff656984471ac.exe
      PID: 1640
      - Checks BIOS information in registry
      - Suspicious use of SetThreadContext
      - Checks processor information in registry
      - Enumerates system info in registry
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\explorer.exe
         Command line: "C:\Windows\SysWOW64\explorer.exe"
         PID: 1984
         - Suspicious use of WriteProcessMemory

         4. C:\Windows\SysWOW64\WerFault.exe
            Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1984 -s 124
            PID: 520
            - Program crash