Analysis
- max time kernel: 150s
- max time network: 155s
- platform: windows7_x64
- resource: win7-20220901-en
- resource tags: arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system
- submitted: 14-10-2022 17:56
Static task: static1
Behavioral task: behavioral1
- Sample: file.exe
- Resource: win7-20220901-en
Behavioral task: behavioral2
- Sample: file.exe
- Resource: win10v2004-20220812-en
General
- Target: file.exe
- Size: 603KB
- MD5: dd1ad945db47825113b0e951efc4329e
- SHA1: c4a2434faf1e56b006e66bbfdf00b6b338d5412c
- SHA256: c6d746c1cfde6d2f1d19a371be49f86cb8baf750f3678fdeea5803dea510a0d2
- SHA512: 2369cf1deaa2d656eb84811f08103ba632e4b11b8347139b4a821d96a36379576905cfa188825a774a7cfffe33f4348d396dbde0b4b0c3ab31b33503bc1f6b9d
- SSDEEP: 1536:srae78zjORCDGwfdCSog01313hEs5gQOcIKMJ+8P:0ahKyd2n31xd55OcIKMJ+8P
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Processes:
  pid | process
  944 | perfofov.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes:
  description | ioc | process
  Key created | \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce | file.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | file.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
  description | pid | process
  Token: SeDebugPrivilege | 944 | perfofov.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes:
  description | pid | process | target process
  PID 852 wrote to memory of 944 | 852 | file.exe | perfofov.exe
  PID 852 wrote to memory of 944 | 852 | file.exe | perfofov.exe
  PID 852 wrote to memory of 944 | 852 | file.exe | perfofov.exe
  PID 852 wrote to memory of 944 | 852 | file.exe | perfofov.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\file.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\file.exe"
  PID: 852
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\perfofov.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\perfofov.exe
    PID: 944
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\perfofov.exe
  Filesize: 333.8MB
  MD5: 41be89e700a570e385aad7875f1fa3f2
  SHA1: efa1cbab2e7edcb50b340682704ce7a01667590d
  SHA256: a53c6bf724eaacefc624728f76444340827fcea7072b60d4cf980f9a2bc1c023
  SHA512: c99bd6d21f07de196d588ad1a7e2e715dc85ce33b18fcd1f67bfa526255c6dbaefee3349eeb9d0a169e0ddc75a2d73931db75de08e29bd8f2b0055f4fbd8881b
- memory/944-54-0x0000000000000000-mapping.dmp
- memory/944-57-0x0000000000F60000-0x0000000000F68000-memory.dmp
  Filesize: 32KB
- memory/944-58-0x0000000074E41000-0x0000000074E43000-memory.dmp
  Filesize: 8KB