Analysis
-
max time kernel
137s -
max time network
155s -
platform
windows10-2004_x64 -
resource
win10v2004-20221111-en -
resource tags
arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system -
submitted
23-11-2022 07:10
Static task
static1
Behavioral task
behavioral1
Sample
SOA.exe
Resource
win7-20220812-en
windows7-x64
6 signatures
150 seconds
Behavioral task
behavioral2
Sample
SOA.exe
Resource
win10v2004-20221111-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
SOA.exe
-
Size
477KB
-
MD5
d794051f2d1b5df0a01bdf176edf7d1d
-
SHA1
e181789066bdaff32544ffb454761ce7af3577db
-
SHA256
5c50dfe4776a3d34649ea834cdcba8b880c5651706473143900964e540436fc6
-
SHA512
dc29e32a99e998b884c1f8e78a8f69c9f1b68be282ec4831ec56e68c713000e250bef47f19ccac265fc4c728d6a5539355276d3b35094311df13ad1dd3d4e253
-
SSDEEP
12288:z/hPIJ66gmAFMgE2BfH0tBARS1rnW7s7ZNaE8vQQlvUycT:zJwsRJ/0URAn4jQQlvUycT
Score
8/10
Malware Config
Signatures
-
Sets service image path in registry 2 TTPs 1 IoCs
Processes:
SOA.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\TaskKill\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\Иисус.sys" SOA.exe -
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
SOA.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\151E729A978B4B10805EB5FED71262EA = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\SOA.exe\"" SOA.exe -
Suspicious behavior: EnumeratesProcesses 10 IoCs
Processes:
SOA.exepid process 1472 SOA.exe 1472 SOA.exe 1472 SOA.exe 1472 SOA.exe 1472 SOA.exe 1472 SOA.exe 1472 SOA.exe 1472 SOA.exe 1472 SOA.exe 1472 SOA.exe -
Suspicious behavior: LoadsDriver 1 IoCs
Processes:
SOA.exepid process 1472 SOA.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
SOA.exedescription pid process Token: SeDebugPrivilege 1472 SOA.exe Token: SeDebugPrivilege 1472 SOA.exe Token: SeLoadDriverPrivilege 1472 SOA.exe -
Suspicious use of WriteProcessMemory 10 IoCs
Processes:
SOA.exedescription pid process target process PID 1472 wrote to memory of 2356 1472 SOA.exe RegAsm.exe PID 1472 wrote to memory of 2356 1472 SOA.exe RegAsm.exe PID 1472 wrote to memory of 1628 1472 SOA.exe RegAsm.exe PID 1472 wrote to memory of 1628 1472 SOA.exe RegAsm.exe PID 1472 wrote to memory of 4076 1472 SOA.exe RegAsm.exe PID 1472 wrote to memory of 4076 1472 SOA.exe RegAsm.exe PID 1472 wrote to memory of 4908 1472 SOA.exe RegAsm.exe PID 1472 wrote to memory of 4908 1472 SOA.exe RegAsm.exe PID 1472 wrote to memory of 1428 1472 SOA.exe RegAsm.exe PID 1472 wrote to memory of 1428 1472 SOA.exe RegAsm.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\SOA.exe"C:\Users\Admin\AppData\Local\Temp\SOA.exe"1⤵
- Sets service image path in registry
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: LoadsDriver
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe"2⤵
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe"2⤵
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe"2⤵
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe"2⤵
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe"2⤵