Analysis
-
max time kernel
148s -
max time network
44s -
platform
windows7_x64 -
resource
win7-20220812-en -
resource tags
arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system -
submitted
24-11-2022 23:44
Static task
static1
Behavioral task
behavioral1
Sample
747e0a45b7aa42aa1f050832f46a07c9b4be8d8f812e1f5321ebab0c6ed9a932.exe
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
747e0a45b7aa42aa1f050832f46a07c9b4be8d8f812e1f5321ebab0c6ed9a932.exe
Resource
win10v2004-20221111-en
General
-
Target
747e0a45b7aa42aa1f050832f46a07c9b4be8d8f812e1f5321ebab0c6ed9a932.exe
-
Size
96KB
-
MD5
d50ae3b9f4ed137494ad275344c3234e
-
SHA1
a3715d6c87cbabbbfa441d1c1ba838283d43b284
-
SHA256
747e0a45b7aa42aa1f050832f46a07c9b4be8d8f812e1f5321ebab0c6ed9a932
-
SHA512
4a599c00c954abb75b30dc965bac7613889388239efc1d831238eb6e94c148045f0aaba45793e48613b8063ddfd0090033596c7b1e2b1aae7d1dcb144ea63585
-
SSDEEP
1536:2Y3sO2VIrTgked9k9tVijJ/oFuKLD/M0TYu8E6FB2ujm4G:2jO2/ld2VijJ/orplWcu
Malware Config
Signatures
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
Processes:
svchost.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Roaming\\data.dat" svchost.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
Processes:
747e0a45b7aa42aa1f050832f46a07c9b4be8d8f812e1f5321ebab0c6ed9a932.exesvchost.exepid process 1488 747e0a45b7aa42aa1f050832f46a07c9b4be8d8f812e1f5321ebab0c6ed9a932.exe 1476 svchost.exe -
Suspicious behavior: MapViewOfSection 2 IoCs
Processes:
747e0a45b7aa42aa1f050832f46a07c9b4be8d8f812e1f5321ebab0c6ed9a932.exepid process 1488 747e0a45b7aa42aa1f050832f46a07c9b4be8d8f812e1f5321ebab0c6ed9a932.exe 1488 747e0a45b7aa42aa1f050832f46a07c9b4be8d8f812e1f5321ebab0c6ed9a932.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\747e0a45b7aa42aa1f050832f46a07c9b4be8d8f812e1f5321ebab0c6ed9a932.exe"C:\Users\Admin\AppData\Local\Temp\747e0a45b7aa42aa1f050832f46a07c9b4be8d8f812e1f5321ebab0c6ed9a932.exe"1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: MapViewOfSection
PID:1488
-
C:\Windows\syswow64\svchost.exe"C:\Windows\syswow64\svchost.exe"1⤵
- Modifies WinLogon for persistence
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:1476