Analysis
-
max time kernel
70s -
max time network
135s -
platform
windows10-2004_x64 -
resource
win10v2004-20220901-en -
resource tags
arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system -
submitted
24-11-2022 08:19
Static task
static1
Behavioral task
behavioral1
Sample
Server.exe
Resource
win7-20220812-en
windows7-x64
1 signatures
150 seconds
Behavioral task
behavioral2
Sample
Server.exe
Resource
win10v2004-20220901-en
windows10-2004-x64
5 signatures
150 seconds
General
-
Target
Server.exe
-
Size
150KB
-
MD5
0f367fce0c77e594ec09f105ded2503a
-
SHA1
fba1dd99300e2c9d574a4afa976590b6da35ee50
-
SHA256
120edd37142c24d17472137c608220220a4efb595d42a991efd498ac30339b4e
-
SHA512
a8a6d855805f9e223478191577bbe981d09b988fdb20c64fa62431587b122424b2d868f82feaeb3e5be6e4aa49ccc3cf842c592ead2d8c645f497f1b69764f3f
-
SSDEEP
3072:+FhkwDd+B2lf1oJWT9RMkjWyqQuRN4GepKsqL4:+Pk0d+Bo6JWT93q9/4
Score
4/10
Malware Config
Signatures
-
Drops file in Windows directory 1 IoCs
Processes:
dw20.exedescription ioc process File created C:\Windows\AppCompat\Programs\Amcache.hve.tmp dw20.exe -
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
dw20.exedescription ioc process Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 dw20.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz dw20.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString dw20.exe -
Enumerates system info in registry 2 TTPs 2 IoCs
Processes:
dw20.exedescription ioc process Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS dw20.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU dw20.exe -
Suspicious use of AdjustPrivilegeToken 5 IoCs
Processes:
dw20.exedescription pid process Token: SeRestorePrivilege 4568 dw20.exe Token: SeBackupPrivilege 4568 dw20.exe Token: SeBackupPrivilege 4568 dw20.exe Token: SeBackupPrivilege 4568 dw20.exe Token: SeBackupPrivilege 4568 dw20.exe -
Suspicious use of WriteProcessMemory 3 IoCs
Processes:
Server.exedescription pid process target process PID 2828 wrote to memory of 4568 2828 Server.exe dw20.exe PID 2828 wrote to memory of 4568 2828 Server.exe dw20.exe PID 2828 wrote to memory of 4568 2828 Server.exe dw20.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\Server.exe"C:\Users\Admin\AppData\Local\Temp\Server.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exedw20.exe -x -s 8722⤵
- Drops file in Windows directory
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken