Analysis
- max time kernel: 205s
- max time network: 215s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 19/10/2022, 13:50

Behavioral tasks
- behavioral1: sample 8c07e75a34d360f39dbef294d9c37afb165db551358cb4edac9fe8becd451957.exe, resource win7-20220812-en
- behavioral2: sample 8c07e75a34d360f39dbef294d9c37afb165db551358cb4edac9fe8becd451957.exe, resource win10v2004-20220812-en
General
- Target: 8c07e75a34d360f39dbef294d9c37afb165db551358cb4edac9fe8becd451957.exe
- Size: 659KB
- MD5: a0ead7d616cdf13e4e8150ad875b4655
- SHA1: db562ca8e596756b35dc73da58b01e930d375599
- SHA256: 8c07e75a34d360f39dbef294d9c37afb165db551358cb4edac9fe8becd451957
- SHA512: 6b432da9d8490a00c708b775e59ea8869f74c7db90fdc0c9ae0282b3d890e37614321a027945e2ffbca1ad4aa8dd59683e6dc14ee57668e1360f3e2ad41a16d5
- SSDEEP: 12288:h9AFlAd0Z+89cxTGzO4AucTD8QP2lmFSrVs9LqnKu:XAQ6Zx9cxTmOrucTIEFSpOGD
Malware Config
Signatures
Modifies WinLogon for persistence (2 TTPs, 1 IoC)
description | ioc | Process
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windupdt\\winupdate.exe" | 8c07e75a34d360f39dbef294d9c37afb165db551358cb4edac9fe8becd451957.exe
Modifies firewall policy service (2 TTPs, 3 IoCs)
description | ioc | Process
- Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | explorer.exe
- Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | explorer.exe
- Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "0" | explorer.exe
Modifies security service (2 TTPs, 1 IoC)
description | ioc | Process
- Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" | explorer.exe

Windows security bypass (2 IoCs)
description | ioc | Process
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | explorer.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | explorer.exe
Disables RegEdit via registry modification (1 IoC)
description | ioc | Process
- Set value (int) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | explorer.exe

Disables Task Manager via registry modification
Checks BIOS information in registry (2 TTPs, 2 IoCs)
BIOS information is often read in order to detect sandboxing environments.
description | ioc | Process
- Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | 8c07e75a34d360f39dbef294d9c37afb165db551358cb4edac9fe8becd451957.exe
- Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | explorer.exe
Adds Run key to start application (2 TTPs, 2 IoCs)
description | ioc | Process
- Set value (str) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windupdt\\winupdate.exe" | notepad.exe
- Set value (str) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windupdt\\winupdate.exe" | 8c07e75a34d360f39dbef294d9c37afb165db551358cb4edac9fe8becd451957.exe
Suspicious use of SetThreadContext (1 IoC)
description | pid | Process | procid_target
- PID 4252 set thread context of 4672 | 4252 | 8c07e75a34d360f39dbef294d9c37afb165db551358cb4edac9fe8becd451957.exe | 82
Checks processor information in registry (2 TTPs, 8 IoCs)
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
- Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | explorer.exe
- Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | 8c07e75a34d360f39dbef294d9c37afb165db551358cb4edac9fe8becd451957.exe
- Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | 8c07e75a34d360f39dbef294d9c37afb165db551358cb4edac9fe8becd451957.exe
- Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | 8c07e75a34d360f39dbef294d9c37afb165db551358cb4edac9fe8becd451957.exe
- Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | 8c07e75a34d360f39dbef294d9c37afb165db551358cb4edac9fe8becd451957.exe
- Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | explorer.exe
- Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | explorer.exe
- Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | explorer.exe
Enumerates system info in registry (2 TTPs, 2 IoCs)
description | ioc | Process
- Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier | 8c07e75a34d360f39dbef294d9c37afb165db551358cb4edac9fe8becd451957.exe
- Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier | explorer.exe
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
pid | Process
- 4672 | explorer.exe
Suspicious use of AdjustPrivilegeToken (48 IoCs)
description | pid | Process
The same 24 token entries are recorded for each of the two processes, 4252 and 4672:
- Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35, 36 | 4252 | 8c07e75a34d360f39dbef294d9c37afb165db551358cb4edac9fe8becd451957.exe
- Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35, 36 | 4672 | explorer.exe
Suspicious use of SetWindowsHookEx (1 IoC)
pid | Process
- 4672 | explorer.exe
Suspicious use of WriteProcessMemory (50 IoCs)
The 50 entries are repeats of three distinct writes, collapsed here with their counts:
description | pid | Process | procid_target | entries
- PID 4252 wrote to memory of 4776 | 4252 | 8c07e75a34d360f39dbef294d9c37afb165db551358cb4edac9fe8becd451957.exe | 81 | 23
- PID 4252 wrote to memory of 4672 | 4252 | 8c07e75a34d360f39dbef294d9c37afb165db551358cb4edac9fe8becd451957.exe | 82 | 5
- PID 4672 wrote to memory of 2168 | 4672 | explorer.exe | 83 | 22
Processes
1. C:\Users\Admin\AppData\Local\Temp\8c07e75a34d360f39dbef294d9c37afb165db551358cb4edac9fe8becd451957.exe (PID 4252)
   Command line: "C:\Users\Admin\AppData\Local\Temp\8c07e75a34d360f39dbef294d9c37afb165db551358cb4edac9fe8becd451957.exe"
   - Modifies WinLogon for persistence
   - Checks BIOS information in registry
   - Adds Run key to start application
   - Suspicious use of SetThreadContext
   - Checks processor information in registry
   - Enumerates system info in registry
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\notepad.exe (PID 4776)
      Command line: notepad
      - Adds Run key to start application
   2. C:\Windows\SysWOW64\explorer.exe (PID 4672)
      Command line: "C:\Windows\SysWOW64\explorer.exe"
      - Modifies firewall policy service
      - Modifies security service
      - Windows security bypass
      - Disables RegEdit via registry modification
      - Checks BIOS information in registry
      - Checks processor information in registry
      - Enumerates system info in registry
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\notepad.exe (PID 2168)
         Command line: C:\Windows\SysWOW64\notepad.exe