Analysis
max time kernel: 47s
max time network: 52s
platform: windows7_x64
resource: win7-20220901-en
resource tags: arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system
submitted: 23-11-2022 16:42
Behavioral task: behavioral1
Sample: 2f8e471cd92be1ceb8a2689c006d802f5e76135ce035196c555bbaa00d361012.exe
Resource: win7-20220901-en

Behavioral task: behavioral2
Sample: 2f8e471cd92be1ceb8a2689c006d802f5e76135ce035196c555bbaa00d361012.exe
Resource: win10v2004-20221111-en
General
Target: 2f8e471cd92be1ceb8a2689c006d802f5e76135ce035196c555bbaa00d361012.exe
Size: 198KB
MD5: 52a7ae80da298b45ddc79d93142b6710
SHA1: 39860118701bf0bcef8cb04e9707f9beb6cfd1c4
SHA256: 2f8e471cd92be1ceb8a2689c006d802f5e76135ce035196c555bbaa00d361012
SHA512: 5cc8ae1d65710a6b70dcee6916e437ca44d77236fa2bb8d41fb19ee92e6318448c56bcf304cf6d2803ae8f5a0345791556336dcf097a44b2e6b0bfefa4c43038
SSDEEP: 6144:znycVxqMDbbFDhCW4C92lHf8mhBKIwlplA:DpVxqSbbFDhT2RkmHGTl
Malware Config

Signatures

UAC bypass
Processes:
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | 2f8e471cd92be1ceb8a2689c006d802f5e76135ce035196c555bbaa00d361012.exe

Processes:
resource | yara_rule
behavioral1/memory/1380-55-0x0000000000400000-0x0000000000428000-memory.dmp | vmprotect
behavioral1/memory/1380-56-0x0000000000400000-0x0000000000428000-memory.dmp | vmprotect

Drops file in System32 directory 1 IoCs
Processes:
description | ioc | process
File created | C:\Windows\SysWOW64\test.dat | 2f8e471cd92be1ceb8a2689c006d802f5e76135ce035196c555bbaa00d361012.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
Processes:
pid | process
1380 | 2f8e471cd92be1ceb8a2689c006d802f5e76135ce035196c555bbaa00d361012.exe

System policy modification 1 TTPs 2 IoCs
Processes:
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | 2f8e471cd92be1ceb8a2689c006d802f5e76135ce035196c555bbaa00d361012.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | 2f8e471cd92be1ceb8a2689c006d802f5e76135ce035196c555bbaa00d361012.exe
Processes
C:\Users\Admin\AppData\Local\Temp\2f8e471cd92be1ceb8a2689c006d802f5e76135ce035196c555bbaa00d361012.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2f8e471cd92be1ceb8a2689c006d802f5e76135ce035196c555bbaa00d361012.exe"
  - UAC bypass
  - Drops file in System32 directory
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System policy modification