Analysis
-
max time kernel
145s -
max time network
146s -
platform
windows7_x64 -
resource
win7-20221111-en -
resource tags
-
submitted
23-11-2022 13:45
Errors
Reason
Machine shutdown
General
-
Target
88757631988c9544b36f0212cf7cdf6c621d5005b99b64c238f4f7c487eb89f2.exe
-
Size
706KB
-
MD5
d5ae8a95a74e4e6c37e21ba2a4eefb09
-
SHA1
c41fbff4e3639b2563eeb97f9a90d357a26d665c
-
SHA256
88757631988c9544b36f0212cf7cdf6c621d5005b99b64c238f4f7c487eb89f2
-
SHA512
a1c080195281c3b7cc6cd34cd07c1471c7abf9980b0f6b51f181bbea9055d1209c52cd46c201a365079a191c2ad9bc64907509bdcd1cc06201c6910fbadd1d71
-
SSDEEP
12288:vdNxMB4UKc/WL6Ls5K0NGi5n6hft0TxssvHMpssp:LxDs/ZSG/feGsvHCr
Score
9/10
Malware Config
Signatures
-
Modifies boot configuration data using bcdedit 1 TTPs 10 IoCs
-
Drops file in Drivers directory 1 IoCs
-
Executes dropped EXE 1 IoCs
-
Deletes itself 1 IoCs
-
Loads dropped DLL 1 IoCs
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 16 IoCs
-
Suspicious behavior: LoadsDriver 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\88757631988c9544b36f0212cf7cdf6c621d5005b99b64c238f4f7c487eb89f2.exe"C:\Users\Admin\AppData\Local\Temp\88757631988c9544b36f0212cf7cdf6c621d5005b99b64c238f4f7c487eb89f2.exe"1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\Sajy\idug.exe"C:\Users\Admin\AppData\Local\Temp\Sajy\idug.exe"2⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\bcdedit.exebcdedit.exe -set TESTSIGNING ON3⤵
- Modifies boot configuration data using bcdedit
-
C:\Windows\system32\bcdedit.exebcdedit.exe -set TESTSIGNING ON3⤵
- Modifies boot configuration data using bcdedit
-
C:\Windows\system32\bcdedit.exebcdedit.exe -set TESTSIGNING ON3⤵
- Modifies boot configuration data using bcdedit
-
C:\Windows\system32\bcdedit.exebcdedit.exe -set TESTSIGNING ON3⤵
- Modifies boot configuration data using bcdedit
-
C:\Windows\system32\bcdedit.exebcdedit.exe -set TESTSIGNING ON3⤵
- Modifies boot configuration data using bcdedit
-
C:\Windows\system32\bcdedit.exebcdedit.exe -set TESTSIGNING ON3⤵
- Modifies boot configuration data using bcdedit
-
C:\Windows\system32\bcdedit.exebcdedit.exe -set TESTSIGNING ON3⤵
- Modifies boot configuration data using bcdedit
-
C:\Windows\system32\bcdedit.exebcdedit.exe -set TESTSIGNING ON3⤵
- Modifies boot configuration data using bcdedit
-
C:\Windows\system32\bcdedit.exebcdedit.exe -set TESTSIGNING ON3⤵
- Modifies boot configuration data using bcdedit
-
C:\Windows\system32\bcdedit.exebcdedit.exe -set TESTSIGNING ON3⤵
- Modifies boot configuration data using bcdedit
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\MTP85E7.bat"2⤵
- Deletes itself
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Windows\system32\Dwm.exe"C:\Windows\system32\Dwm.exe"1⤵
-
C:\Windows\system32\taskhost.exe"taskhost.exe"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "1337266008-137890683116212770901229295055834978131899851223-1336191529-856981535"1⤵
-
C:\Windows\system32\LogonUI.exe"LogonUI.exe" /flags:0x01⤵
-
C:\Windows\system32\LogonUI.exe"LogonUI.exe" /flags:0x11⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\MTP85E7.batFilesize
278B
MD529a2d840ad4335cc326095bb2bf0cb87
SHA1a745875729ce3e5f10fa09806821be6cdcfa181d
SHA25629997356cfe76b3a068f4a3861369afe022b4776eb99103c453b51a1da5c559a
SHA5122ac244839ec6484987799129badc18660f47e54a76dcd604de08db03f962468a236dc8bba6271e23ab9fd123dc2f44c7634975da6eb7fb23a9bb4c11763889a5
-
C:\Users\Admin\AppData\Local\Temp\Sajy\idug.exeFilesize
706KB
MD56b1ffc7b412b4bd5ad0e9f96cc4dd187
SHA104fd1ab619223e054dcaa3f1ae0d2e6bf43da575
SHA256492e0a85b3159d3b8c05c8726ae542fb079d710dd303606f2d6111c108e6b81e
SHA51275717088bf90f1a03619ff7ce1dc6ddb412c8c54ad97a0d128f714620a4965101530e01e095dbc791df0f6c0ce79307790dee39abf90c4be44fd17ebda9cca3e
-
C:\Users\Admin\AppData\Local\Temp\Sajy\idug.exeFilesize
706KB
MD56b1ffc7b412b4bd5ad0e9f96cc4dd187
SHA104fd1ab619223e054dcaa3f1ae0d2e6bf43da575
SHA256492e0a85b3159d3b8c05c8726ae542fb079d710dd303606f2d6111c108e6b81e
SHA51275717088bf90f1a03619ff7ce1dc6ddb412c8c54ad97a0d128f714620a4965101530e01e095dbc791df0f6c0ce79307790dee39abf90c4be44fd17ebda9cca3e
-
\Users\Admin\AppData\Local\Temp\Sajy\idug.exeFilesize
706KB
MD56b1ffc7b412b4bd5ad0e9f96cc4dd187
SHA104fd1ab619223e054dcaa3f1ae0d2e6bf43da575
SHA256492e0a85b3159d3b8c05c8726ae542fb079d710dd303606f2d6111c108e6b81e
SHA51275717088bf90f1a03619ff7ce1dc6ddb412c8c54ad97a0d128f714620a4965101530e01e095dbc791df0f6c0ce79307790dee39abf90c4be44fd17ebda9cca3e
-
memory/780-71-0x0000000000000000-mapping.dmp
-
memory/872-131-0x000007FEFB861000-0x000007FEFB863000-memory.dmpFilesize
8KB
-
memory/892-68-0x0000000000000000-mapping.dmp
-
memory/1072-73-0x0000000000000000-mapping.dmp
-
memory/1092-72-0x0000000000000000-mapping.dmp
-
memory/1120-77-0x0000000001E90000-0x0000000001EF9000-memory.dmpFilesize
420KB
-
memory/1120-75-0x0000000001E90000-0x0000000001EF9000-memory.dmpFilesize
420KB
-
memory/1120-80-0x0000000001E90000-0x0000000001EF9000-memory.dmpFilesize
420KB
-
memory/1120-79-0x0000000001E90000-0x0000000001EF9000-memory.dmpFilesize
420KB
-
memory/1120-78-0x0000000001E90000-0x0000000001EF9000-memory.dmpFilesize
420KB
-
memory/1180-86-0x00000000001A0000-0x0000000000209000-memory.dmpFilesize
420KB
-
memory/1180-83-0x00000000001A0000-0x0000000000209000-memory.dmpFilesize
420KB
-
memory/1180-84-0x00000000001A0000-0x0000000000209000-memory.dmpFilesize
420KB
-
memory/1180-85-0x00000000001A0000-0x0000000000209000-memory.dmpFilesize
420KB
-
memory/1252-91-0x0000000003E10000-0x0000000003E79000-memory.dmpFilesize
420KB
-
memory/1252-89-0x0000000003E10000-0x0000000003E79000-memory.dmpFilesize
420KB
-
memory/1252-92-0x0000000003E10000-0x0000000003E79000-memory.dmpFilesize
420KB
-
memory/1252-90-0x0000000003E10000-0x0000000003E79000-memory.dmpFilesize
420KB
-
memory/1280-104-0x000000006FFF0000-0x0000000070000000-memory.dmpFilesize
64KB
-
memory/1280-103-0x000000006FFF0000-0x0000000070000000-memory.dmpFilesize
64KB
-
memory/1280-101-0x000000006FFF0000-0x0000000070000000-memory.dmpFilesize
64KB
-
memory/1280-105-0x00000000002B0000-0x0000000000319000-memory.dmpFilesize
420KB
-
memory/1280-55-0x0000000074C41000-0x0000000074C43000-memory.dmpFilesize
8KB
-
memory/1280-56-0x00000000004C0000-0x0000000000578000-memory.dmpFilesize
736KB
-
memory/1280-100-0x000000006FFF0000-0x0000000070000000-memory.dmpFilesize
64KB
-
memory/1280-99-0x000000006FFF0000-0x0000000070000000-memory.dmpFilesize
64KB
-
memory/1280-54-0x00000000004C0000-0x0000000000578000-memory.dmpFilesize
736KB
-
memory/1280-102-0x000000006FFF0000-0x0000000070000000-memory.dmpFilesize
64KB
-
memory/1280-95-0x00000000002B0000-0x0000000000319000-memory.dmpFilesize
420KB
-
memory/1280-96-0x00000000002B0000-0x0000000000319000-memory.dmpFilesize
420KB
-
memory/1280-97-0x00000000002B0000-0x0000000000319000-memory.dmpFilesize
420KB
-
memory/1280-98-0x00000000002B0000-0x0000000000319000-memory.dmpFilesize
420KB
-
memory/1724-65-0x0000000000000000-mapping.dmp
-
memory/1736-67-0x0000000000000000-mapping.dmp
-
memory/1748-66-0x0000000000000000-mapping.dmp
-
memory/1828-69-0x0000000000000000-mapping.dmp
-
memory/1888-74-0x0000000000000000-mapping.dmp
-
memory/1976-70-0x0000000000000000-mapping.dmp
-
memory/1980-117-0x000000006FFF0000-0x0000000070000000-memory.dmpFilesize
64KB
-
memory/1980-120-0x000000006FFF0000-0x0000000070000000-memory.dmpFilesize
64KB
-
memory/1980-111-0x0000000000050000-0x00000000000B9000-memory.dmpFilesize
420KB
-
memory/1980-110-0x0000000000050000-0x00000000000B9000-memory.dmpFilesize
420KB
-
memory/1980-112-0x0000000000050000-0x00000000000B9000-memory.dmpFilesize
420KB
-
memory/1980-123-0x0000000000050000-0x00000000000B9000-memory.dmpFilesize
420KB
-
memory/1980-114-0x000000000008387C-mapping.dmp
-
memory/1980-116-0x000000006FFF0000-0x0000000070000000-memory.dmpFilesize
64KB
-
memory/1980-122-0x000000006FFF0000-0x0000000070000000-memory.dmpFilesize
64KB
-
memory/1980-118-0x000000006FFF0000-0x0000000070000000-memory.dmpFilesize
64KB
-
memory/1980-119-0x000000006FFF0000-0x0000000070000000-memory.dmpFilesize
64KB
-
memory/1980-108-0x0000000000050000-0x00000000000B9000-memory.dmpFilesize
420KB
-
memory/1980-121-0x000000006FFF0000-0x0000000070000000-memory.dmpFilesize
64KB
-
memory/2012-126-0x00000000001D0000-0x0000000000239000-memory.dmpFilesize
420KB
-
memory/2012-127-0x00000000001D0000-0x0000000000239000-memory.dmpFilesize
420KB
-
memory/2012-128-0x00000000001D0000-0x0000000000239000-memory.dmpFilesize
420KB
-
memory/2012-129-0x00000000001D0000-0x0000000000239000-memory.dmpFilesize
420KB
-
memory/2040-64-0x0000000000350000-0x0000000000356000-memory.dmpFilesize
24KB
-
memory/2040-113-0x0000000000350000-0x0000000000356000-memory.dmpFilesize
24KB
-
memory/2040-58-0x0000000000000000-mapping.dmp
-
memory/2040-62-0x0000000001D00000-0x0000000001DB8000-memory.dmpFilesize
736KB