Analysis
- max time kernel: 173s
- max time network: 88s
- platform: windows7_x64
- resource: win7-20221111-en
- resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
- submitted: 23-11-2022 12:44
- Static task: static1
- Behavioral task: behavioral1
  - Sample: f1fdc6b05605137aabff3b59e49b489866673a93706d52247a74f1c6441ed333.exe
  - Resource: win7-20221111-en
General
- Target: f1fdc6b05605137aabff3b59e49b489866673a93706d52247a74f1c6441ed333.exe
- Size: 220KB
- MD5: 31a3abe2824e6e4cce48e207df6b3aa5
- SHA1: cd1466b5c1e964c53ade0acdcd3ad6ecf2fc8505
- SHA256: f1fdc6b05605137aabff3b59e49b489866673a93706d52247a74f1c6441ed333
- SHA512: c93a1310ebcfe3472e68a4db45d1dabfabaa18711997286d9f2986bae1d63d66f3e09a397c6bde3c12d11e4669b6e9a699fa6ad09a657d603c1749e45971e7e2
- SSDEEP: 3072:xKNQHcGBMVpXUxRVE+FXeRiD1zuO9T1eRp7VFtJW6uVRK0q/3/v:xK5+MVpWRVyR6uI1eP7VFtJkwv
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
Processes:
  PID 1088  csrss.exe
Loads dropped DLL 1 IoCs
Processes:
  PID 1052  winlogon.exe
Adds Run key to start application 2 TTPs 5 IoCs
Processes (process / description / ioc):
  winlogon.exe  Set value (str)  \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\Winlogon = "C:\\Users\\Admin\\AppData\\Roaming\\SubFolder\\SubFolder\\winlogon.exe"
  winlogon.exe  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Winlogon = "C:\\Users\\Admin\\AppData\\Roaming\\SubFolder\\SubFolder\\winlogon.exe"
  winlogon.exe  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\PCI Subsystem = "C:\\Program Files (x86)\\PCI Subsystem\\pciss.exe"
  csrss.exe     Set value (str)  \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\Winlogon = "C:\\Users\\Admin\\AppData\\Roaming\\SubFolder\\SubFolder\\winlogon.exe"
  csrss.exe     Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Winlogon = "C:\\Users\\Admin\\AppData\\Roaming\\SubFolder\\SubFolder\\winlogon.exe"
Checks whether UAC is enabled 1 IoCs
Processes (process / description / ioc):
  winlogon.exe  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
Suspicious use of SetThreadContext 1 IoCs
Processes (description / pid / process / target process):
  set thread context of 1700  PID 1052  winlogon.exe  -> winlogon.exe (PID 1700)
Drops file in Program Files directory 2 IoCs
Processes (process / description / ioc):
  winlogon.exe  File created                C:\Program Files (x86)\PCI Subsystem\pciss.exe
  winlogon.exe  File opened for modification  C:\Program Files (x86)\PCI Subsystem\pciss.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). The sandbox labels this as likely ransomware behaviour, but no file-encryption or mass file-modification activity appears anywhere else in this report, so treat the label as a generic heuristic rather than a finding.
-
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
  PID 1596  schtasks.exe
  PID 2012  schtasks.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes (pid / process / events):
  PID 1792  f1fdc6b05605137aabff3b59e49b489866673a93706d52247a74f1c6441ed333.exe  2 events
  PID 1052  winlogon.exe  4 events
  PID 1088  csrss.exe     the remaining 58 of the 64 events
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
  PID 1700  winlogon.exe
Suspicious behavior: RenamesItself 1 IoCs
Processes:
  PID 1792  f1fdc6b05605137aabff3b59e49b489866673a93706d52247a74f1c6441ed333.exe
Suspicious use of AdjustPrivilegeToken 6 IoCs
Processes (description / pid / process):
  Token: SeDebugPrivilege  PID 1792  f1fdc6b05605137aabff3b59e49b489866673a93706d52247a74f1c6441ed333.exe
  Token: SeDebugPrivilege  PID 1052  winlogon.exe  (2 events)
  Token: SeDebugPrivilege  PID 1088  csrss.exe     (2 events)
  Token: SeDebugPrivilege  PID 1700  winlogon.exe
Suspicious use of WriteProcessMemory 25 IoCs
Processes (source pid / process -> target pid / process, event count):
  PID 1792  f1fdc6b05605137aabff3b59e49b489866673a93706d52247a74f1c6441ed333.exe  wrote to memory of  PID 1052  winlogon.exe  (4 events)
  PID 1052  winlogon.exe  wrote to memory of  PID 1700  winlogon.exe  (9 events)
  PID 1700  winlogon.exe  wrote to memory of  PID 1596  schtasks.exe  (4 events)
  PID 1052  winlogon.exe  wrote to memory of  PID 1088  csrss.exe     (4 events)
  PID 1700  winlogon.exe  wrote to memory of  PID 2012  schtasks.exe  (4 events)
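The WriteProcessMemory and SetThreadContext signatures above are more useful read together than one at a time: PID 1052 (winlogon.exe) both writes nine times into PID 1700, a second copy of the same image, and rewrites a thread context in it, which is the pattern of a parent launching a copy of itself and replacing what runs inside it. The script below is an added example for this report, not sandbox output: it correlates the two signatures per (source, target) pair and reports only pairs that show both behaviours. The event list is constructed from the counts in the signatures above, and the PID-to-image mapping is the one shown in the Processes tree.

```python
"""Correlate per-PID memory-write and thread-context events into
process-injection candidates.

Added example for this report; not sandbox output. EVENTS is constructed
from the "Suspicious use of WriteProcessMemory" and "Suspicious use of
SetThreadContext" signatures, with image names taken from the Processes tree.
"""
from collections import defaultdict

SAMPLE = "f1fdc6b05605137aabff3b59e49b489866673a93706d52247a74f1c6441ed333.exe"

# (api, source_pid, source_image, target_pid, target_image); counts match the report.
EVENTS = (
    [("WriteProcessMemory", 1792, SAMPLE, 1052, "winlogon.exe")] * 4
    + [("WriteProcessMemory", 1052, "winlogon.exe", 1700, "winlogon.exe")] * 9
    + [("SetThreadContext", 1052, "winlogon.exe", 1700, "winlogon.exe")]
    + [("WriteProcessMemory", 1700, "winlogon.exe", 1596, "schtasks.exe")] * 4
    + [("WriteProcessMemory", 1052, "winlogon.exe", 1088, "csrss.exe")] * 4
    + [("WriteProcessMemory", 1700, "winlogon.exe", 2012, "schtasks.exe")] * 4
)


def write_counts(events):
    """Number of WriteProcessMemory calls per (source_pid, target_pid) pair."""
    counts = defaultdict(int)
    for api, spid, _simg, tpid, _timg in events:
        if api == "WriteProcessMemory":
            counts[(spid, tpid)] += 1
    return dict(counts)


def injection_candidates(events):
    """Pairs where the source both wrote the target's memory and rewrote a
    thread context in it.

    Writes alone are weak evidence: CreateProcessW itself writes the
    process-parameters block into a freshly created child, so a parent
    writing a few times into a new child (1700 -> schtasks.exe here) is
    normal. SetThreadContext on the same target is what makes a pair stand out.
    """
    apis = defaultdict(set)
    images = {}
    for api, spid, simg, tpid, timg in events:
        apis[(spid, tpid)].add(api)
        images[(spid, tpid)] = (simg, timg)
    writes = write_counts(events)
    out = []
    for pair, seen in apis.items():
        if {"WriteProcessMemory", "SetThreadContext"} <= seen:
            simg, timg = images[pair]
            out.append({
                "source_pid": pair[0],
                "target_pid": pair[1],
                "writes": writes.get(pair, 0),
                # Same image on both sides: the parent launched a copy of
                # itself and then replaced what runs inside it.
                "same_image": simg.lower() == timg.lower(),
            })
    return out


if __name__ == "__main__":
    for candidate in injection_candidates(EVENTS):
        print(candidate)
```

Run against the report's events this yields a single candidate, 1052 -> 1700, with nine writes and matching image names; the 1792 -> 1052 writes are not flagged because no thread-context change accompanies them. A real detection would also want the ResumeThread that typically follows, which this sandbox's signature set does not expose.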
Processes
- [depth 1] C:\Users\Admin\AppData\Local\Temp\f1fdc6b05605137aabff3b59e49b489866673a93706d52247a74f1c6441ed333.exe (PID 1792)
  Command line: "C:\Users\Admin\AppData\Local\Temp\f1fdc6b05605137aabff3b59e49b489866673a93706d52247a74f1c6441ed333.exe"
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: RenamesItself
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - [depth 2] C:\Users\Admin\AppData\Roaming\SubFolder\SubFolder\winlogon.exe (PID 1052)
    Command line: "C:\Users\Admin\AppData\Roaming\SubFolder\SubFolder\winlogon.exe"
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - [depth 3] C:\Users\Admin\AppData\Roaming\SubFolder\SubFolder\winlogon.exe (PID 1700)
      Command line: "C:\Users\Admin\AppData\Roaming\SubFolder\SubFolder\winlogon.exe"
      - Adds Run key to start application
      - Checks whether UAC is enabled
      - Drops file in Program Files directory
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - [depth 4] C:\Windows\SysWOW64\schtasks.exe (PID 1596)
        Command line: "schtasks.exe" /create /f /tn "PCI Subsystem" /xml "C:\Users\Admin\AppData\Local\Temp\tmpC063.tmp"
        - Creates scheduled task(s)
      - [depth 4] C:\Windows\SysWOW64\schtasks.exe (PID 2012)
        Command line: "schtasks.exe" /create /f /tn "PCI Subsystem Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmpF2C9.tmp"
        - Creates scheduled task(s)
    - [depth 3] C:\Users\Admin\AppData\Roaming\SubFolder\SubFolder\csrss.exe (PID 1088)
      Command line: "C:\Users\Admin\AppData\Roaming\SubFolder\SubFolder\csrss.exe" -keyhide -prochide 1700 -reg C:\Users\Admin\AppData\Roaming\SubFolder\SubFolder\winlogon.exe -proc 1700 C:\Users\Admin\AppData\Roaming\SubFolder\SubFolder\winlogon.exe
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
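Three things in this process tree are cheap to catch from ordinary process-creation telemetry: binaries named winlogon.exe and csrss.exe running out of %APPDATA% rather than System32, schtasks.exe importing a task definition from the user's Temp directory, and schtasks.exe being launched by a process that lives in a user profile. The dropped csrss.exe's -keyhide/-prochide switches are a fourth, sample-specific indicator. The script below is an added example for this report, not sandbox output: it encodes those four checks and runs them over records constructed from the Processes tree above. The record layout (pid, ppid, image, cmdline), the rule names and the list of core system process names are assumptions of the example, not anything the sandbox emits.

```python
"""Flag the process-tree patterns from this report in process-creation
telemetry (Sysmon event 1 / EDR-style records).

Added example for this report; not sandbox output. PROCESSES is constructed
from the Processes tree. The record layout, the rule names and
SYSTEM_PROCESS_NAMES are assumptions of the example.
"""
import re
from pathlib import PureWindowsPath

APPDATA = r"C:\Users\Admin\AppData"
SUBFOLDER = APPDATA + r"\Roaming\SubFolder\SubFolder"
SAMPLE = APPDATA + r"\Local\Temp\f1fdc6b05605137aabff3b59e49b489866673a93706d52247a74f1c6441ed333.exe"

PROCESSES = [
    {"pid": 1792, "ppid": 0, "image": SAMPLE, "cmdline": f'"{SAMPLE}"'},
    {"pid": 1052, "ppid": 1792, "image": SUBFOLDER + r"\winlogon.exe",
     "cmdline": f'"{SUBFOLDER}\\winlogon.exe"'},
    {"pid": 1700, "ppid": 1052, "image": SUBFOLDER + r"\winlogon.exe",
     "cmdline": f'"{SUBFOLDER}\\winlogon.exe"'},
    {"pid": 1596, "ppid": 1700, "image": r"C:\Windows\SysWOW64\schtasks.exe",
     "cmdline": '"schtasks.exe" /create /f /tn "PCI Subsystem" /xml '
                f'"{APPDATA}\\Local\\Temp\\tmpC063.tmp"'},
    {"pid": 2012, "ppid": 1700, "image": r"C:\Windows\SysWOW64\schtasks.exe",
     "cmdline": '"schtasks.exe" /create /f /tn "PCI Subsystem Task" /xml '
                f'"{APPDATA}\\Local\\Temp\\tmpF2C9.tmp"'},
    {"pid": 1088, "ppid": 1052, "image": SUBFOLDER + r"\csrss.exe",
     "cmdline": f'"{SUBFOLDER}\\csrss.exe" -keyhide -prochide 1700 -reg '
                f'{SUBFOLDER}\\winlogon.exe -proc 1700 {SUBFOLDER}\\winlogon.exe'},
]

# Core Windows processes that legitimately run only from %SystemRoot%\System32.
SYSTEM_PROCESS_NAMES = {"winlogon.exe", "csrss.exe", "smss.exe", "lsass.exe",
                        "services.exe", "wininit.exe"}
SYSTEM32 = PureWindowsPath(r"C:\Windows\System32")
TEMP = PureWindowsPath(APPDATA) / "Local" / "Temp"
USER_PROFILES = PureWindowsPath(r"C:\Users")


def split_cmdline(cmdline):
    """Split a Windows command line on whitespace, keeping quoted paths whole."""
    return [tok.strip('"') for tok in re.findall(r'"[^"]*"|\S+', cmdline)]


def is_under(path, parent):
    """Case-insensitive 'path is inside parent' test on Windows paths."""
    p_parts = [s.lower() for s in PureWindowsPath(path).parts]
    q_parts = [s.lower() for s in PureWindowsPath(parent).parts]
    return p_parts[:len(q_parts)] == q_parts


def detect(processes):
    """Return a sorted list of (pid, rule) hits."""
    by_pid = {p["pid"]: p for p in processes}
    hits = set()
    for p in processes:
        image = PureWindowsPath(p["image"])
        name = image.name.lower()
        args = split_cmdline(p["cmdline"])
        lowered = [a.lower() for a in args]
        parent = by_pid.get(p["ppid"])

        # 1. A core system process name running from outside System32.
        if name in SYSTEM_PROCESS_NAMES and not is_under(image, SYSTEM32):
            hits.add((p["pid"], "system_name_outside_system32"))

        # 2. schtasks /create importing its task XML from the user's Temp dir.
        if name == "schtasks.exe" and "/create" in lowered:
            for flag, value in zip(args, args[1:]):
                if flag.lower() == "/xml" and is_under(value, TEMP):
                    hits.add((p["pid"], "schtasks_xml_from_temp"))

        # 3. schtasks spawned by something living in a user profile.
        if name == "schtasks.exe" and parent and is_under(parent["image"], USER_PROFILES):
            hits.add((p["pid"], "schtasks_parent_in_user_profile"))

        # 4. Sample-specific switches carried by the dropped csrss.exe.
        if any(a in ("-keyhide", "-prochide") for a in lowered):
            hits.add((p["pid"], "hide_switches"))
    return sorted(hits)


if __name__ == "__main__":
    for pid, rule in detect(PROCESSES):
        print(pid, rule)
```

Against the constructed records, rule 1 fires on PIDs 1052, 1700 and 1088, rules 2 and 3 fire on both schtasks.exe instances, and rule 4 fires on 1088 only; the original sample (PID 1792) produces no hit, which is expected because nothing about its path or arguments is distinctive on its own. Rules 1 and 3 generalise beyond this sample; rule 4 is an indicator for this family only and should be kept separate from the generic logic.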
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 1KB
  MD5: 28258c5ed38ce92a70b8279890118dad
  SHA1: 975e9d2851e0fac8a150822ac12766e7498393e8
  SHA256: 5e4399d3686f5b17651cd096bdab270c2d4f33f87aa39e750e00d2431fd03c4a
  SHA512: d13d9d836ee68f59aaea24a7500fcef7078b74837f9188b18ebd06df0e83d22f5595bd53562a637a38daa526f6bc0884d9aa9d5348f0134a1ac21ec702031414
- Filesize: 220KB (listed three times: three dropped files with identical hashes, and the hashes are those of the submitted sample in the General section, so the dropped executables are byte-for-byte copies of the original)
  MD5: 31a3abe2824e6e4cce48e207df6b3aa5
  SHA1: cd1466b5c1e964c53ade0acdcd3ad6ecf2fc8505
  SHA256: f1fdc6b05605137aabff3b59e49b489866673a93706d52247a74f1c6441ed333
  SHA512: c93a1310ebcfe3472e68a4db45d1dabfabaa18711997286d9f2986bae1d63d66f3e09a397c6bde3c12d11e4669b6e9a699fa6ad09a657d603c1749e45971e7e2