Analysis

max time kernel: 149s
max time network: 149s
platform: windows7_x64
resource: win7-20221111-en
resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
submitted: 21-11-2022 21:37

Behavioral tasks
  behavioral1: sample tst.exe, resource win7-20221111-en
  behavioral2: sample tst.exe, resource win10v2004-20221111-en
  behavioral3: sample out.exe, resource win7-20220901-en
  behavioral4: sample out.exe, resource win10v2004-20220812-en
General

Target: tst.exe
Size: 1.4MB
MD5: 3412592c23a9bc93a234c5e25130a71a
SHA1: cad0b43ff636a6d6dbbfbd38e134aa0acda7b052
SHA256: 017ab0c10991b0d3faa2b6fdc43487632418c4f5a337e94f8490233d254ba566
SHA512: 2076c9ebf616986a5e7a309bc105639abaf1ece7fcc69585457026371353aca82377f70f2903340ed28f40b69f9314c925f2319431d05b0ea527ab4ce0bd75a3
SSDEEP: 24576:2ndRKZCy2BrhCeU2i2cJijFbCBTPmiY05tJMSQp5ysA7Yg1nLkz6Nf6F6j4:gXDFBU2iIBb0xY/6sUYYf56Fu4
Malware Config

Extracted
  family: bitrat
  version: 1.38
  C2: 45.95.168.128:23202
  communication_password: ed99c23d77796aac877ce1f91481dc28
  install_dir: Oracle
  install_file: java.exe
  tor_process: tor
Signatures

YARA rule match (the signature title did not survive extraction; only the rule table did)
  resource: behavioral1/memory/1704-55-0x0000000000400000-0x00000000007E4000-memory.dmp  yara_rule: upx
  resource: behavioral1/memory/1704-56-0x0000000000400000-0x00000000007E4000-memory.dmp  yara_rule: upx

Adds Run key to start application  2 TTPs  1 IoCs
  process: tst.exe
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\java = "C:\\Users\\Admin\\AppData\\Local\\Oracle\\java.exe"
  The Run value name and its target match the extracted config: install_file java.exe inside install_dir Oracle under the user's AppData\Local, so this key is the persistence mechanism for the dropped copy.

Suspicious use of NtSetInformationThreadHideFromDebugger  4 IoCs
  process: tst.exe (PID 1704), 4 occurrences

Suspicious behavior: RenamesItself  27 IoCs
  process: tst.exe (PID 1704), 27 occurrences

Suspicious use of AdjustPrivilegeToken  2 IoCs
  process: tst.exe (PID 1704)  Token: SeDebugPrivilege
  process: tst.exe (PID 1704)  Token: SeShutdownPrivilege

Suspicious use of SetWindowsHookEx  2 IoCs
  process: tst.exe (PID 1704), 2 occurrences
Processes

C:\Users\Admin\AppData\Local\Temp\tst.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\tst.exe"
  PID: 1704
  signatures hit:
    - Adds Run key to start application
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: RenamesItself
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
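The extracted config and the Run-key signature above give three things a host-based hunt can key on: a Run value pointing into a user-writable directory, a process named java.exe living outside the Java install location, and a connection to 45.95.168.128:23202. The following is an added example, not part of the sandbox report or of any vendor tooling: it turns those indicators into checks and runs them over a handful of constructed event records in a Sysmon-like shape (the event dicts, the field names, and the assumption that a legitimate java.exe lives under Program Files are all this example's own). The Run-key check is deliberately broader than the one IoC on the page: it flags any Run value whose target sits under AppData, and adds a higher-confidence hit when the target matches the report's install_dir\install_file.

```python
from __future__ import annotations

import re
from typing import Callable, Iterable

# Indicators taken from the report's extracted BitRAT 1.38 config and Run-key IoC.
C2_HOST = "45.95.168.128"
C2_PORT = 23202
INSTALL_DIR = "Oracle"
INSTALL_FILE = "java.exe"

# Value name under HKU\<sid>\...\CurrentVersion\Run (HKCU for that user).
RUN_KEY_RE = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\([^\\]+)$", re.I)
# Directories a non-admin user can write to; anything auto-started from here deserves a look.
USER_WRITABLE_RE = re.compile(r"\\AppData\\(Local|LocalLow|Roaming)\\", re.I)
# Exact drop path from the config: ...\Oracle\java.exe
DROP_PATH_RE = re.compile(re.escape("\\" + INSTALL_DIR + "\\" + INSTALL_FILE) + "$", re.I)


def strip_quotes(s: str) -> str:
    return s.strip().strip('"')


def check_registry_set(ev: dict) -> list[str]:
    """Run-key persistence: flag targets in user-writable dirs, and the BitRAT drop path."""
    m = RUN_KEY_RE.search(ev["key"])
    if not m:
        return []
    target = strip_quotes(ev["data"])
    findings = []
    if USER_WRITABLE_RE.search(target):
        findings.append(f"persistence: Run value '{m.group(1)}' -> {target} (user-writable) set by {ev['process']}")
    if DROP_PATH_RE.search(target):
        findings.append(f"bitrat: Run target matches install_dir\\install_file {INSTALL_DIR}\\{INSTALL_FILE}")
    return findings


def check_network(ev: dict) -> list[str]:
    """C2 match on the extracted host:port pair."""
    if ev["dst"] == C2_HOST and ev["port"] == C2_PORT:
        return [f"c2: {ev['process']} connected to {C2_HOST}:{C2_PORT}"]
    return []


def check_process(ev: dict) -> list[str]:
    """Masquerading: java.exe outside Program Files (assumption: real JREs install there)."""
    image = ev["image"].lower()
    if image.endswith("\\" + INSTALL_FILE) and "\\program files" not in image:
        return [f"masquerade: {INSTALL_FILE} running from {ev['image']}"]
    return []


HANDLERS: dict[str, Callable[[dict], list[str]]] = {
    "registry_set": check_registry_set,
    "network": check_network,
    "process_create": check_process,
}


def scan(events: Iterable[dict]) -> list[str]:
    """Apply the per-event-type checks and collect every finding."""
    out: list[str] = []
    for ev in events:
        out.extend(HANDLERS.get(ev["type"], lambda e: [])(ev))
    return out


# Constructed telemetry for this example (not the sandbox's raw log): the Run key from the
# report, one C2 connection, the dropped copy starting, plus two benign events that must not fire.
SAMPLE_EVENTS = [
    {"type": "registry_set", "process": "tst.exe",
     "key": r"\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\java",
     "data": r'"C:\Users\Admin\AppData\Local\Oracle\java.exe"'},
    {"type": "network", "process": "java.exe", "dst": "45.95.168.128", "port": 23202},
    {"type": "process_create", "image": r"C:\Users\Admin\AppData\Local\Oracle\java.exe"},
    {"type": "registry_set", "process": "explorer.exe",
     "key": r"\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "data": r'"C:\Program Files\Microsoft OneDrive\OneDrive.exe" /background'},
    {"type": "process_create", "image": r"C:\Program Files\Java\jre1.8.0_351\bin\java.exe"},
]

if __name__ == "__main__":
    for line in scan(SAMPLE_EVENTS):
        print(line)
```

The user-writable Run-target rule is a heuristic, not a signature: some legitimate software does register Run values under AppData, so treat that hit as a triage lead and the install_dir\install_file and C2 matches as the high-confidence indicators. The process check relies only on the image path; on a live host you would also confirm the file hash against the SHA256 in the General section rather than trusting the name.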