Analysis
-
max time kernel
168s -
max time network
173s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system -
submitted
23-11-2022 15:53
Static task
static1
Behavioral task
behavioral1
Sample
ceef94b0ad6d02fbdc90067c34cbff4c20b22ee4158969228867dd5f05265977.exe
Resource
win7-20221111-en
Behavioral task
behavioral2
Sample
ceef94b0ad6d02fbdc90067c34cbff4c20b22ee4158969228867dd5f05265977.exe
Resource
win10v2004-20220812-en
General
-
Target
ceef94b0ad6d02fbdc90067c34cbff4c20b22ee4158969228867dd5f05265977.exe
-
Size
637KB
-
MD5
24c87d15d3655c8efdf3b0bcc8ad8c43
-
SHA1
dc3d8efe0eba85c8f2a7dd7259fca6d1420f1ebd
-
SHA256
ceef94b0ad6d02fbdc90067c34cbff4c20b22ee4158969228867dd5f05265977
-
SHA512
3b7b0fa8a390f0d35f96729dc7cc7c248624a78c83ac40bf7b651b65205d03438c15856cee58c3e49051f7c28b2ed803dcd0919208aecf00d242693955fe157b
-
SSDEEP
12288:qVd802EFXB2l4qIVm/hmx6dX1Yit4bCDPwrIuZAoXQna/KXpSH8qP2G3AHSXkG:s831IVm/hbX1Yit4b3dZAoXQnxwH8qe8
Malware Config
Signatures
-
Drops file in Windows directory 1 IoCs
Processes:
dw20.exedescription ioc process File created C:\Windows\AppCompat\Programs\Amcache.hve.tmp dw20.exe -
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
dw20.exedescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString dw20.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 dw20.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz dw20.exe -
Enumerates system info in registry 2 TTPs 2 IoCs
Processes:
dw20.exedescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU dw20.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS dw20.exe -
Suspicious use of AdjustPrivilegeToken 5 IoCs
Processes:
dw20.exedescription pid process Token: SeRestorePrivilege 756 dw20.exe Token: SeBackupPrivilege 756 dw20.exe Token: SeBackupPrivilege 756 dw20.exe Token: SeBackupPrivilege 756 dw20.exe Token: SeBackupPrivilege 756 dw20.exe -
Suspicious use of WriteProcessMemory 3 IoCs
Processes:
ceef94b0ad6d02fbdc90067c34cbff4c20b22ee4158969228867dd5f05265977.exedescription pid process target process PID 5096 wrote to memory of 756 5096 ceef94b0ad6d02fbdc90067c34cbff4c20b22ee4158969228867dd5f05265977.exe dw20.exe PID 5096 wrote to memory of 756 5096 ceef94b0ad6d02fbdc90067c34cbff4c20b22ee4158969228867dd5f05265977.exe dw20.exe PID 5096 wrote to memory of 756 5096 ceef94b0ad6d02fbdc90067c34cbff4c20b22ee4158969228867dd5f05265977.exe dw20.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\ceef94b0ad6d02fbdc90067c34cbff4c20b22ee4158969228867dd5f05265977.exe"C:\Users\Admin\AppData\Local\Temp\ceef94b0ad6d02fbdc90067c34cbff4c20b22ee4158969228867dd5f05265977.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exedw20.exe -x -s 8602⤵
- Drops file in Windows directory
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken