Analysis

max time kernel: 152s
max time network: 46s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 11/10/2022, 05:41
Behavioral task

behavioral1
Sample: ccd2d553756500706427b4847803c618b8673aa21267057117dab60796fac8af.exe
Resource: win7-20220812-en
General

Target: ccd2d553756500706427b4847803c618b8673aa21267057117dab60796fac8af.exe
Size: 873KB
MD5: 75829f633e07a0321d13248a1b6d44b0
SHA1: 39755b13b7377dafa84418233d80a705da282802
SHA256: ccd2d553756500706427b4847803c618b8673aa21267057117dab60796fac8af
SHA512: a31380f9eb6a319ca08d24bbf8a8b80c17d45380dd5b4431e1bf38d8e320b864d7a7a318332a4b5e8e74a650c27ca2c1c73145ce9e1b7d719fe916676cedb220
SSDEEP: 24576:JhQ2DLmDkJY80lSM1D5NcnpFZRvHQ9HJDNC:JhxDaQJ70lS2kNRo5b
Malware Config
Signatures
Checks BIOS information in registry (2 TTPs, 2 IoCs)
BIOS information is often read in order to detect sandboxing environments.

description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | explorer.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | ccd2d553756500706427b4847803c618b8673aa21267057117dab60796fac8af.exe
Identifies Wine through registry keys (2 TTPs, 2 IoCs)
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.

description | ioc | Process
Key opened | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Wine | ccd2d553756500706427b4847803c618b8673aa21267057117dab60796fac8af.exe
Key opened | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Wine | explorer.exe
resource | yara_rule
behavioral1/memory/288-55-0x0000000013140000-0x0000000013339000-memory.dmp | themida
behavioral1/memory/288-56-0x0000000013140000-0x0000000013339000-memory.dmp | themida
behavioral1/memory/1628-59-0x0000000013140000-0x0000000013339000-memory.dmp | themida
behavioral1/memory/288-62-0x0000000013140000-0x0000000013339000-memory.dmp | themida
behavioral1/memory/1628-63-0x0000000013140000-0x0000000013339000-memory.dmp | themida
behavioral1/memory/1628-64-0x0000000013140000-0x0000000013339000-memory.dmp | themida
behavioral1/memory/1628-66-0x0000000013140000-0x0000000013339000-memory.dmp | themida
behavioral1/memory/1628-68-0x0000000013140000-0x0000000013339000-memory.dmp | themida
Suspicious use of NtSetInformationThreadHideFromDebugger (2 IoCs)

pid | Process
288 | ccd2d553756500706427b4847803c618b8673aa21267057117dab60796fac8af.exe
1628 | explorer.exe
Suspicious use of SetThreadContext (1 IoC)

description | pid | Process | procid_target
PID 288 set thread context of 1628 | 288 | ccd2d553756500706427b4847803c618b8673aa21267057117dab60796fac8af.exe | 27
Checks processor information in registry (2 TTPs, 8 IoCs)
Processor information is often read in order to detect sandboxing environments.

description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | ccd2d553756500706427b4847803c618b8673aa21267057117dab60796fac8af.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | ccd2d553756500706427b4847803c618b8673aa21267057117dab60796fac8af.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | ccd2d553756500706427b4847803c618b8673aa21267057117dab60796fac8af.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | ccd2d553756500706427b4847803c618b8673aa21267057117dab60796fac8af.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | explorer.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | explorer.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | explorer.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | explorer.exe
Enumerates system info in registry (2 TTPs, 2 IoCs)

description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier | ccd2d553756500706427b4847803c618b8673aa21267057117dab60796fac8af.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier | explorer.exe
Suspicious behavior: EnumeratesProcesses (2 IoCs)

pid | Process
288 | ccd2d553756500706427b4847803c618b8673aa21267057117dab60796fac8af.exe
1628 | explorer.exe
Suspicious use of AdjustPrivilegeToken (46 IoCs)

description | pid | Process
Token: SeIncreaseQuotaPrivilege | 288 | ccd2d553756500706427b4847803c618b8673aa21267057117dab60796fac8af.exe
Token: SeSecurityPrivilege | 288 | ccd2d553756500706427b4847803c618b8673aa21267057117dab60796fac8af.exe
Token: SeTakeOwnershipPrivilege | 288 | ccd2d553756500706427b4847803c618b8673aa21267057117dab60796fac8af.exe
Token: SeLoadDriverPrivilege | 288 | ccd2d553756500706427b4847803c618b8673aa21267057117dab60796fac8af.exe
Token: SeSystemProfilePrivilege | 288 | ccd2d553756500706427b4847803c618b8673aa21267057117dab60796fac8af.exe
Token: SeSystemtimePrivilege | 288 | ccd2d553756500706427b4847803c618b8673aa21267057117dab60796fac8af.exe
Token: SeProfSingleProcessPrivilege | 288 | ccd2d553756500706427b4847803c618b8673aa21267057117dab60796fac8af.exe
Token: SeIncBasePriorityPrivilege | 288 | ccd2d553756500706427b4847803c618b8673aa21267057117dab60796fac8af.exe
Token: SeCreatePagefilePrivilege | 288 | ccd2d553756500706427b4847803c618b8673aa21267057117dab60796fac8af.exe
Token: SeBackupPrivilege | 288 | ccd2d553756500706427b4847803c618b8673aa21267057117dab60796fac8af.exe
Token: SeRestorePrivilege | 288 | ccd2d553756500706427b4847803c618b8673aa21267057117dab60796fac8af.exe
Token: SeShutdownPrivilege | 288 | ccd2d553756500706427b4847803c618b8673aa21267057117dab60796fac8af.exe
Token: SeDebugPrivilege | 288 | ccd2d553756500706427b4847803c618b8673aa21267057117dab60796fac8af.exe
Token: SeSystemEnvironmentPrivilege | 288 | ccd2d553756500706427b4847803c618b8673aa21267057117dab60796fac8af.exe
Token: SeChangeNotifyPrivilege | 288 | ccd2d553756500706427b4847803c618b8673aa21267057117dab60796fac8af.exe
Token: SeRemoteShutdownPrivilege | 288 | ccd2d553756500706427b4847803c618b8673aa21267057117dab60796fac8af.exe
Token: SeUndockPrivilege | 288 | ccd2d553756500706427b4847803c618b8673aa21267057117dab60796fac8af.exe
Token: SeManageVolumePrivilege | 288 | ccd2d553756500706427b4847803c618b8673aa21267057117dab60796fac8af.exe
Token: SeImpersonatePrivilege | 288 | ccd2d553756500706427b4847803c618b8673aa21267057117dab60796fac8af.exe
Token: SeCreateGlobalPrivilege | 288 | ccd2d553756500706427b4847803c618b8673aa21267057117dab60796fac8af.exe
Token: 33 | 288 | ccd2d553756500706427b4847803c618b8673aa21267057117dab60796fac8af.exe
Token: 34 | 288 | ccd2d553756500706427b4847803c618b8673aa21267057117dab60796fac8af.exe
Token: 35 | 288 | ccd2d553756500706427b4847803c618b8673aa21267057117dab60796fac8af.exe
Token: SeIncreaseQuotaPrivilege | 1628 | explorer.exe
Token: SeSecurityPrivilege | 1628 | explorer.exe
Token: SeTakeOwnershipPrivilege | 1628 | explorer.exe
Token: SeLoadDriverPrivilege | 1628 | explorer.exe
Token: SeSystemProfilePrivilege | 1628 | explorer.exe
Token: SeSystemtimePrivilege | 1628 | explorer.exe
Token: SeProfSingleProcessPrivilege | 1628 | explorer.exe
Token: SeIncBasePriorityPrivilege | 1628 | explorer.exe
Token: SeCreatePagefilePrivilege | 1628 | explorer.exe
Token: SeBackupPrivilege | 1628 | explorer.exe
Token: SeRestorePrivilege | 1628 | explorer.exe
Token: SeShutdownPrivilege | 1628 | explorer.exe
Token: SeDebugPrivilege | 1628 | explorer.exe
Token: SeSystemEnvironmentPrivilege | 1628 | explorer.exe
Token: SeChangeNotifyPrivilege | 1628 | explorer.exe
Token: SeRemoteShutdownPrivilege | 1628 | explorer.exe
Token: SeUndockPrivilege | 1628 | explorer.exe
Token: SeManageVolumePrivilege | 1628 | explorer.exe
Token: SeImpersonatePrivilege | 1628 | explorer.exe
Token: SeCreateGlobalPrivilege | 1628 | explorer.exe
Token: 33 | 1628 | explorer.exe
Token: 34 | 1628 | explorer.exe
Token: 35 | 1628 | explorer.exe
Suspicious use of WriteProcessMemory (6 IoCs)

description | pid | Process | procid_target
PID 288 wrote to memory of 1628 | 288 | ccd2d553756500706427b4847803c618b8673aa21267057117dab60796fac8af.exe | 27
PID 288 wrote to memory of 1628 | 288 | ccd2d553756500706427b4847803c618b8673aa21267057117dab60796fac8af.exe | 27
PID 288 wrote to memory of 1628 | 288 | ccd2d553756500706427b4847803c618b8673aa21267057117dab60796fac8af.exe | 27
PID 288 wrote to memory of 1628 | 288 | ccd2d553756500706427b4847803c618b8673aa21267057117dab60796fac8af.exe | 27
PID 288 wrote to memory of 1628 | 288 | ccd2d553756500706427b4847803c618b8673aa21267057117dab60796fac8af.exe | 27
PID 288 wrote to memory of 1628 | 288 | ccd2d553756500706427b4847803c618b8673aa21267057117dab60796fac8af.exe | 27
Processes

1. C:\Users\Admin\AppData\Local\Temp\ccd2d553756500706427b4847803c618b8673aa21267057117dab60796fac8af.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\ccd2d553756500706427b4847803c618b8673aa21267057117dab60796fac8af.exe"
   PID: 288
   - Checks BIOS information in registry
   - Identifies Wine through registry keys
   - Suspicious use of NtSetInformationThreadHideFromDebugger
   - Suspicious use of SetThreadContext
   - Checks processor information in registry
   - Enumerates system info in registry
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\explorer.exe (child of PID 288)
      Command line: "C:\Windows\SysWOW64\explorer.exe"
      PID: 1628
      - Checks BIOS information in registry
      - Identifies Wine through registry keys
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Checks processor information in registry
      - Enumerates system info in registry
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken