Analysis
max time kernel: 163s
max time network: 174s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64 arch:x86 image:win10v2004-20220812-en locale:en-us os:windows10-2004-x64 system
submitted: 19/10/2022, 13:29
Behavioral task: behavioral1
Sample: 52184e448e67a013b0acd018065b06cd24fdc3055584f1d4b3d299a9d06e7108.exe
Resource: win7-20220812-en
Behavioral task: behavioral2
Sample: 52184e448e67a013b0acd018065b06cd24fdc3055584f1d4b3d299a9d06e7108.exe
Resource: win10v2004-20220812-en
General
Target: 52184e448e67a013b0acd018065b06cd24fdc3055584f1d4b3d299a9d06e7108.exe
Size: 667KB
MD5: a25be5a7a41f1c97f23a1d15baffd4f5
SHA1: 22dd9031e1b38ff132760b7c867ee50be809d313
SHA256: 52184e448e67a013b0acd018065b06cd24fdc3055584f1d4b3d299a9d06e7108
SHA512: 37a95dcdb9957c92c95f99f8687673f47ac4c0ed4c9d2a51b37451368869c57730a239c3ec4c0e94d37a6c216ebbd43966603f28028550edb629884b56bae48b
SSDEEP: 12288:DpwABK90BOe/x9lPAYvxPQVjdsAY2XjWlnlpTMMXG91uhKIXn/W:FwAcu99lPzvxP+Bsz2XjWTRMQckkIXn
Malware Config
Signatures
Modifies WinLogon for persistence (2 TTPs, 1 IoC)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\rundl32.exe" | 52184e448e67a013b0acd018065b06cd24fdc3055584f1d4b3d299a9d06e7108.exe

Windows security bypass (1 IoC)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | explorer.exe
Checks BIOS information in registry (2 TTPs, 2 IoCs)
BIOS information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | 52184e448e67a013b0acd018065b06cd24fdc3055584f1d4b3d299a9d06e7108.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | explorer.exe
Adds Run key to start application (2 TTPs, 3 IoCs)
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows\CurrentVersion\Run | 52184e448e67a013b0acd018065b06cd24fdc3055584f1d4b3d299a9d06e7108.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\rundl32.exe" | 52184e448e67a013b0acd018065b06cd24fdc3055584f1d4b3d299a9d06e7108.exe
Key created | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows\CurrentVersion\Run | explorer.exe
Drops file in System32 directory (3 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\rundl32.exe | 52184e448e67a013b0acd018065b06cd24fdc3055584f1d4b3d299a9d06e7108.exe
File opened for modification | C:\Windows\SysWOW64\ | 52184e448e67a013b0acd018065b06cd24fdc3055584f1d4b3d299a9d06e7108.exe
File created | C:\Windows\SysWOW64\rundl32.exe | 52184e448e67a013b0acd018065b06cd24fdc3055584f1d4b3d299a9d06e7108.exe
Suspicious use of SetThreadContext (1 IoC)
description | pid | Process | procid_target
PID 2512 set thread context of 4348 | 2512 | 52184e448e67a013b0acd018065b06cd24fdc3055584f1d4b3d299a9d06e7108.exe | 81
Checks processor information in registry (2 TTPs, 8 IoCs)
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | 52184e448e67a013b0acd018065b06cd24fdc3055584f1d4b3d299a9d06e7108.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | 52184e448e67a013b0acd018065b06cd24fdc3055584f1d4b3d299a9d06e7108.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | 52184e448e67a013b0acd018065b06cd24fdc3055584f1d4b3d299a9d06e7108.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | explorer.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | explorer.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | explorer.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | explorer.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | 52184e448e67a013b0acd018065b06cd24fdc3055584f1d4b3d299a9d06e7108.exe
Enumerates system info in registry (2 TTPs, 2 IoCs)
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier | 52184e448e67a013b0acd018065b06cd24fdc3055584f1d4b3d299a9d06e7108.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier | explorer.exe
Runs ping.exe (1 TTP, 1 IoC)
pid | Process
5092 | ping.exe
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
pid | Process
4348 | explorer.exe
Suspicious use of AdjustPrivilegeToken (48 IoCs)
description | pid | Process
Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35, 36 (24 entries, one per token) | 2512 | 52184e448e67a013b0acd018065b06cd24fdc3055584f1d4b3d299a9d06e7108.exe
Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35, 36 (24 entries, one per token) | 4348 | explorer.exe
Suspicious use of SetWindowsHookEx (1 IoC)
pid | Process
4348 | explorer.exe
Suspicious use of WriteProcessMemory (8 IoCs)
description | pid | Process | procid_target
PID 2512 wrote to memory of 4348 (5 entries) | 2512 | 52184e448e67a013b0acd018065b06cd24fdc3055584f1d4b3d299a9d06e7108.exe | 81
PID 2512 wrote to memory of 5092 (3 entries) | 2512 | 52184e448e67a013b0acd018065b06cd24fdc3055584f1d4b3d299a9d06e7108.exe | 82
Processes
[1] C:\Users\Admin\AppData\Local\Temp\52184e448e67a013b0acd018065b06cd24fdc3055584f1d4b3d299a9d06e7108.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\52184e448e67a013b0acd018065b06cd24fdc3055584f1d4b3d299a9d06e7108.exe"
    PID: 2512
    - Modifies WinLogon for persistence
    - Checks BIOS information in registry
    - Adds Run key to start application
    - Drops file in System32 directory
    - Suspicious use of SetThreadContext
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    [2] C:\Windows\SysWOW64\explorer.exe
        Command line: "C:\Windows\SysWOW64\explorer.exe"
        PID: 4348
        - Windows security bypass
        - Checks BIOS information in registry
        - Adds Run key to start application
        - Checks processor information in registry
        - Enumerates system info in registry
        - Suspicious behavior: GetForegroundWindowSpam
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of SetWindowsHookEx
    [2] C:\Windows\SysWOW64\ping.exe
        Command line: ping 127.0.0.1 -n 5 > NUL del "C:\Users\Admin\AppData\Local\Temp\52184e448e67a013b0acd018065b06cd24fdc3055584f1d4b3d299a9d06e7108.exe"
        PID: 5092
        - Runs ping.exe