Analysis
-
max time kernel
193s -
max time network
220s -
platform
windows10-2004_x64 -
resource
win10v2004-20221111-en -
resource tags
arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system -
submitted
23-11-2022 09:41
Static task
static1
Behavioral task
behavioral1
Sample
709b2322c1ce66daff1777f1cf75b185b29c6fd94dfcc3514a5cddc93b8837db.exe
Resource
win7-20221111-en
Behavioral task
behavioral2
Sample
709b2322c1ce66daff1777f1cf75b185b29c6fd94dfcc3514a5cddc93b8837db.exe
Resource
win10v2004-20221111-en
General
-
Target
709b2322c1ce66daff1777f1cf75b185b29c6fd94dfcc3514a5cddc93b8837db.exe
-
Size
43KB
-
MD5
58ef3efa706f53c2d1a86c0111ce480b
-
SHA1
b76edb5e0331abf9183cdd56e461aa823c19f5dd
-
SHA256
709b2322c1ce66daff1777f1cf75b185b29c6fd94dfcc3514a5cddc93b8837db
-
SHA512
95367875267111a4d06e9ed021a09b7bcf4bb6ab4855aac3432231f2cebc235ea3169be1ff7be9c77eed3279f74735b378744b444cbc84a90971db5d2b3363e7
-
SSDEEP
384:VetulpmIEK76NZF8tvWaayS10It3EuwAZkw+gLCM+FPIi34+snUT++PvQehVxh:8KT6ZFMFaF1Xt3RwUCVPOnUT+x8
Malware Config
Signatures
-
Drops file in Windows directory 1 IoCs
Processes:
dw20.exedescription ioc process File created C:\Windows\AppCompat\Programs\Amcache.hve.tmp dw20.exe -
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
dw20.exedescription ioc process Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 dw20.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz dw20.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString dw20.exe -
Enumerates system info in registry 2 TTPs 2 IoCs
Processes:
dw20.exedescription ioc process Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS dw20.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU dw20.exe -
Suspicious use of AdjustPrivilegeToken 5 IoCs
Processes:
dw20.exedescription pid process Token: SeRestorePrivilege 2660 dw20.exe Token: SeBackupPrivilege 2660 dw20.exe Token: SeBackupPrivilege 2660 dw20.exe Token: SeBackupPrivilege 2660 dw20.exe Token: SeBackupPrivilege 2660 dw20.exe -
Suspicious use of WriteProcessMemory 3 IoCs
Processes:
709b2322c1ce66daff1777f1cf75b185b29c6fd94dfcc3514a5cddc93b8837db.exedescription pid process target process PID 1644 wrote to memory of 2660 1644 709b2322c1ce66daff1777f1cf75b185b29c6fd94dfcc3514a5cddc93b8837db.exe dw20.exe PID 1644 wrote to memory of 2660 1644 709b2322c1ce66daff1777f1cf75b185b29c6fd94dfcc3514a5cddc93b8837db.exe dw20.exe PID 1644 wrote to memory of 2660 1644 709b2322c1ce66daff1777f1cf75b185b29c6fd94dfcc3514a5cddc93b8837db.exe dw20.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\709b2322c1ce66daff1777f1cf75b185b29c6fd94dfcc3514a5cddc93b8837db.exe"C:\Users\Admin\AppData\Local\Temp\709b2322c1ce66daff1777f1cf75b185b29c6fd94dfcc3514a5cddc93b8837db.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1644 -
C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exedw20.exe -x -s 14882⤵
- Drops file in Windows directory
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
PID:2660