Analysis
- max time kernel: 134s
- max time network: 178s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 20/10/2022, 21:28
Static task: static1
Behavioral task: behavioral1
- Sample: 0c10a05ab2a9159a80b27c8e6088dd951535f0550b0075cdeb579e516f6aa8fa.exe
- Resource: win7-20220812-en
Behavioral task: behavioral2
- Sample: 0c10a05ab2a9159a80b27c8e6088dd951535f0550b0075cdeb579e516f6aa8fa.exe
- Resource: win10v2004-20220812-en
General
- Target: 0c10a05ab2a9159a80b27c8e6088dd951535f0550b0075cdeb579e516f6aa8fa.exe
- Size: 90KB
- MD5: 55e12c0bfe2f6e96dc91b6033675a220
- SHA1: 2c51a9386b5be9d9021c831551b00253c0a91c5d
- SHA256: 0c10a05ab2a9159a80b27c8e6088dd951535f0550b0075cdeb579e516f6aa8fa
- SHA512: abe55346e1ac78fd239781e6a3b66e0e6e6b61c5f921139b80a2f837da8972f9d7620a4e9f079e965fa5dc37fc9c776ce09ce3f20399ddbd29efc864a068c05e
- SSDEEP: 768:WeWGCQxs9kGd96NDkSV2bIXzl4CnTDHGsDf8RUFqoD4bDIsFDBnoY4U+p6D5oE:1WGxs9kGdYk8wO4Cnt8RUyhoYcCo
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  pid | Process
  1576 | Winkrli.exe
- Drops file in System32 directory (4 IoCs)
  description | ioc | Process
  File opened for modification | C:\Windows\SysWOW64\Winkrli.exe | Winkrli.exe
  File created | C:\Windows\SysWOW64\Winkrli.exe | Winkrli.exe
  File opened for modification | C:\Windows\SysWOW64\Winkrli.exe | 0c10a05ab2a9159a80b27c8e6088dd951535f0550b0075cdeb579e516f6aa8fa.exe
  File created | C:\Windows\SysWOW64\Winkrli.exe | 0c10a05ab2a9159a80b27c8e6088dd951535f0550b0075cdeb579e516f6aa8fa.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description | pid | Process
  Token: SeTcbPrivilege | 4304 | 0c10a05ab2a9159a80b27c8e6088dd951535f0550b0075cdeb579e516f6aa8fa.exe
  Token: SeTcbPrivilege | 1576 | Winkrli.exe
Processes
- "C:\Users\Admin\AppData\Local\Temp\0c10a05ab2a9159a80b27c8e6088dd951535f0550b0075cdeb579e516f6aa8fa.exe" (PID: 4304)
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\SysWOW64\Winkrli.exe (PID: 1576)
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix
Downloads
- Filesize: 84KB
  MD5: 3d1801752211c6148a9c06f1172182ec
  SHA1: e515566fa4f794b453384d076bbcbff5421a0590
  SHA256: cae695d5791d79feba2badd9c8f2ae008d6453f5fa268b12ba3df451b6a40c61
  SHA512: 66a6635c6f6e99efbb325f51ec27fe54132146793c339fedaf472e5ee8f04bb858d03040e961799a7cccc1fe9bdddee126c7331d09b97a445a444a22838cf08e