Analysis
max time kernel: 153s
max time network: 77s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 19/10/2022, 13:50
Behavioral task: behavioral1
  Sample: 8c07e75a34d360f39dbef294d9c37afb165db551358cb4edac9fe8becd451957.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: 8c07e75a34d360f39dbef294d9c37afb165db551358cb4edac9fe8becd451957.exe
  Resource: win10v2004-20220812-en
General
Target: 8c07e75a34d360f39dbef294d9c37afb165db551358cb4edac9fe8becd451957.exe
Size: 659KB
MD5: a0ead7d616cdf13e4e8150ad875b4655
SHA1: db562ca8e596756b35dc73da58b01e930d375599
SHA256: 8c07e75a34d360f39dbef294d9c37afb165db551358cb4edac9fe8becd451957
SHA512: 6b432da9d8490a00c708b775e59ea8869f74c7db90fdc0c9ae0282b3d890e37614321a027945e2ffbca1ad4aa8dd59683e6dc14ee57668e1360f3e2ad41a16d5
SSDEEP: 12288:h9AFlAd0Z+89cxTGzO4AucTD8QP2lmFSrVs9LqnKu:XAQ6Zx9cxTmOrucTIEFSpOGD
Malware Config
Signatures

Modifies WinLogon for persistence (2 TTPs, 1 IoC)
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windupdt\\winupdate.exe" | 8c07e75a34d360f39dbef294d9c37afb165db551358cb4edac9fe8becd451957.exe

Modifies firewall policy service (2 TTPs, 3 IoCs)
  description | ioc | Process
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | explorer.exe
  Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | explorer.exe
  Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "0" | explorer.exe

Modifies security service (2 TTPs, 1 IoC)
  description | ioc | Process
  Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" | explorer.exe

Windows security bypass (2 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | explorer.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | explorer.exe

Disables RegEdit via registry modification (1 IoC)
  description | ioc | Process
  Set value (int) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | explorer.exe

Disables Task Manager via registry modification

Checks BIOS information in registry (2 TTPs, 2 IoCs)
BIOS information is often read in order to detect sandboxing environments.
  description | ioc | Process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | 8c07e75a34d360f39dbef294d9c37afb165db551358cb4edac9fe8becd451957.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | explorer.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windupdt\\winupdate.exe" | 8c07e75a34d360f39dbef294d9c37afb165db551358cb4edac9fe8becd451957.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windupdt\\winupdate.exe" | notepad.exe

Suspicious use of SetThreadContext (1 IoC)
  description | pid | Process | procid_target
  PID 976 set thread context of 1388 | 976 | 8c07e75a34d360f39dbef294d9c37afb165db551358cb4edac9fe8becd451957.exe | 28

Checks processor information in registry (2 TTPs, 8 IoCs)
Processor information is often read in order to detect sandboxing environments.
  description | ioc | Process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | 8c07e75a34d360f39dbef294d9c37afb165db551358cb4edac9fe8becd451957.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | 8c07e75a34d360f39dbef294d9c37afb165db551358cb4edac9fe8becd451957.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | explorer.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | explorer.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | explorer.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | explorer.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | 8c07e75a34d360f39dbef294d9c37afb165db551358cb4edac9fe8becd451957.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | 8c07e75a34d360f39dbef294d9c37afb165db551358cb4edac9fe8becd451957.exe

Enumerates system info in registry (2 TTPs, 2 IoCs)
  description | ioc | Process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier | 8c07e75a34d360f39dbef294d9c37afb165db551358cb4edac9fe8becd451957.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier | explorer.exe

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid | Process
  1388 | explorer.exe

Suspicious use of AdjustPrivilegeToken (46 IoCs)
  description | pid | Process
  The same 23 tokens were adjusted by each of the two processes below (23 rows per process):
  Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35 | 976 | 8c07e75a34d360f39dbef294d9c37afb165db551358cb4edac9fe8becd451957.exe
  Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35 | 1388 | explorer.exe

Suspicious use of SetWindowsHookEx (1 IoC)
  pid | Process
  1388 | explorer.exe

Suspicious use of WriteProcessMemory (53 IoCs)
  description | pid | Process | procid_target
  PID 976 wrote to memory of 664 | 976 | 8c07e75a34d360f39dbef294d9c37afb165db551358cb4edac9fe8becd451957.exe | 27   (row repeated 24 times)
  PID 976 wrote to memory of 1388 | 976 | 8c07e75a34d360f39dbef294d9c37afb165db551358cb4edac9fe8becd451957.exe | 28   (row repeated 6 times)
  PID 1388 wrote to memory of 1192 | 1388 | explorer.exe | 29   (row repeated 23 times)
Processes

Depth 1: C:\Users\Admin\AppData\Local\Temp\8c07e75a34d360f39dbef294d9c37afb165db551358cb4edac9fe8becd451957.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\8c07e75a34d360f39dbef294d9c37afb165db551358cb4edac9fe8becd451957.exe"
  PID: 976
  - Modifies WinLogon for persistence
  - Checks BIOS information in registry
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  Depth 2: C:\Windows\SysWOW64\notepad.exe
    Command line: notepad
    PID: 664
    - Adds Run key to start application

  Depth 2: C:\Windows\SysWOW64\explorer.exe
    Command line: "C:\Windows\SysWOW64\explorer.exe"
    PID: 1388
    - Modifies firewall policy service
    - Modifies security service
    - Windows security bypass
    - Disables RegEdit via registry modification
    - Checks BIOS information in registry
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    Depth 3: C:\Windows\SysWOW64\notepad.exe
      Command line: C:\Windows\SysWOW64\notepad.exe
      PID: 1192