Analysis
-
max time kernel
38s -
max time network
33s -
platform
windows7_x64 -
resource
win7-20221111-en -
resource tags
arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system -
submitted
23-11-2022 09:44
Static task
static1
Behavioral task
behavioral1
Sample
97c2460571ec127bd799f3f1dab86094984a5e0d9b6b909bd9201a503f7ef651.exe
Resource
win7-20221111-en
Behavioral task
behavioral2
Sample
97c2460571ec127bd799f3f1dab86094984a5e0d9b6b909bd9201a503f7ef651.exe
Resource
win10v2004-20221111-en
General
-
Target
97c2460571ec127bd799f3f1dab86094984a5e0d9b6b909bd9201a503f7ef651.exe
-
Size
486KB
-
MD5
a72363c86403f081d45748971afbb22f
-
SHA1
a83245f848343258a0009306bd3dff68a679f250
-
SHA256
97c2460571ec127bd799f3f1dab86094984a5e0d9b6b909bd9201a503f7ef651
-
SHA512
c388c640c588c78e9ae3ee88855ace5bfe9c4b6d84bce52e2f0d563b663f675d8b4c7c837e8ffd2f9a6818eb3092bce66375206844500d4ede41503adda1bbd5
-
SSDEEP
12288:1eWoWEGNhjFjrPOfOAuk5Regirp75qOQs86tzfM2Hj:8od5rWGAuk5R6XoSt/j
Malware Config
Signatures
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
Processes:
97c2460571ec127bd799f3f1dab86094984a5e0d9b6b909bd9201a503f7ef651.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\userinit = "userinit.exe,C:\\Windows\\system32\\ntos.exe," 97c2460571ec127bd799f3f1dab86094984a5e0d9b6b909bd9201a503f7ef651.exe -
Drops file in System32 directory 2 IoCs
Processes:
97c2460571ec127bd799f3f1dab86094984a5e0d9b6b909bd9201a503f7ef651.exedescription ioc process File opened for modification C:\Windows\SysWOW64\ntos.exe 97c2460571ec127bd799f3f1dab86094984a5e0d9b6b909bd9201a503f7ef651.exe File created C:\Windows\SysWOW64\ntos.exe 97c2460571ec127bd799f3f1dab86094984a5e0d9b6b909bd9201a503f7ef651.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
97c2460571ec127bd799f3f1dab86094984a5e0d9b6b909bd9201a503f7ef651.exepid process 1628 97c2460571ec127bd799f3f1dab86094984a5e0d9b6b909bd9201a503f7ef651.exe 1628 97c2460571ec127bd799f3f1dab86094984a5e0d9b6b909bd9201a503f7ef651.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
97c2460571ec127bd799f3f1dab86094984a5e0d9b6b909bd9201a503f7ef651.exedescription pid process Token: SeDebugPrivilege 1628 97c2460571ec127bd799f3f1dab86094984a5e0d9b6b909bd9201a503f7ef651.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\97c2460571ec127bd799f3f1dab86094984a5e0d9b6b909bd9201a503f7ef651.exe"C:\Users\Admin\AppData\Local\Temp\97c2460571ec127bd799f3f1dab86094984a5e0d9b6b909bd9201a503f7ef651.exe"1⤵
- Modifies WinLogon for persistence
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken