Analysis
-
max time kernel
90s -
max time network
155s -
platform
windows10-2004_x64 -
resource
win10v2004-20220901-en -
resource tags
arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system -
submitted
23-11-2022 09:47
Static task
static1
Behavioral task
behavioral1
Sample
8256e475a59557155e35c036a4d1cb43537ac1e33a7752fae7b3e812787c93c1.exe
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
8256e475a59557155e35c036a4d1cb43537ac1e33a7752fae7b3e812787c93c1.exe
Resource
win10v2004-20220901-en
General
-
Target
8256e475a59557155e35c036a4d1cb43537ac1e33a7752fae7b3e812787c93c1.exe
-
Size
253KB
-
MD5
ba3cdc8e7b55da3e792617d6d43b0dda
-
SHA1
b5cefad46eb04e5388e5cfb78e382a59f8846a9b
-
SHA256
8256e475a59557155e35c036a4d1cb43537ac1e33a7752fae7b3e812787c93c1
-
SHA512
c93fd29676cecc456cbd155ea1969fcc96dd256ace9667903e0756b1133b1bb9dc36cfe2feb668aa27fe4691b5904ed39e0eff574e26af7d3c99d3033c9b8d79
-
SSDEEP
3072:/ySycOlyR/IQMPRgq71ppM48XLuCHWH/k1nLBnAfuna471ppM48XS2t:auIQMPx/bwuC2HgBAfuna4x/bH2
Malware Config
Signatures
-
Drops file in Windows directory 1 IoCs
Processes:
dw20.exedescription ioc process File created C:\Windows\AppCompat\Programs\Amcache.hve.tmp dw20.exe -
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
dw20.exedescription ioc process Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 dw20.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz dw20.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString dw20.exe -
Enumerates system info in registry 2 TTPs 2 IoCs
Processes:
dw20.exedescription ioc process Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS dw20.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU dw20.exe -
Suspicious use of AdjustPrivilegeToken 5 IoCs
Processes:
dw20.exedescription pid process Token: SeRestorePrivilege 2312 dw20.exe Token: SeBackupPrivilege 2312 dw20.exe Token: SeBackupPrivilege 2312 dw20.exe Token: SeBackupPrivilege 2312 dw20.exe Token: SeBackupPrivilege 2312 dw20.exe -
Suspicious use of WriteProcessMemory 3 IoCs
Processes:
8256e475a59557155e35c036a4d1cb43537ac1e33a7752fae7b3e812787c93c1.exedescription pid process target process PID 5036 wrote to memory of 2312 5036 8256e475a59557155e35c036a4d1cb43537ac1e33a7752fae7b3e812787c93c1.exe dw20.exe PID 5036 wrote to memory of 2312 5036 8256e475a59557155e35c036a4d1cb43537ac1e33a7752fae7b3e812787c93c1.exe dw20.exe PID 5036 wrote to memory of 2312 5036 8256e475a59557155e35c036a4d1cb43537ac1e33a7752fae7b3e812787c93c1.exe dw20.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\8256e475a59557155e35c036a4d1cb43537ac1e33a7752fae7b3e812787c93c1.exe"C:\Users\Admin\AppData\Local\Temp\8256e475a59557155e35c036a4d1cb43537ac1e33a7752fae7b3e812787c93c1.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:5036 -
C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exedw20.exe -x -s 14842⤵
- Drops file in Windows directory
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
PID:2312