Analysis
Max time kernel: 153s
Max time network: 138s
Platform: windows7_x64
Resource: win7-20221111-en
Resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
Submitted: 24-11-2022 19:24
Static task: static1
Behavioral task: behavioral1
  Sample: sita.exe
  Resource: win7-20221111-en (windows7-x64)
  Signatures: 7
  Runtime: 150 seconds
Behavioral task: behavioral2
  Sample: sita.exe
  Resource: win10v2004-20221111-en (windows10-2004-x64)
  Signatures: 7
  Runtime: 150 seconds
General
Target: sita.exe
Size: 331KB
MD5: a01b9095e1c5b24279bf4b8587f0f156
SHA1: 1acb07c459f20bbfb7aaa8289b63bba5eda7bb2c
SHA256: 34b2479724a8efe6d04236305e15342378dca7ff5677a48b2943404b36e229fe
SHA512: f52c9f3263ac04ba803c0d564c6285adc80b4e84c95ccf88ca4812994fa82a60d65a7be6671ac762c0ec693c10b051e0733aa63689dad7e356ff0fda713f0b50
SSDEEP: 6144:qlBswxp0yoxVGuvM/OHgyGFVzC+j5wGuGGbGmGOG2yG+GXGkGuGGpGGIGGHGGjGM:qlZpYMuvMKvGFVx2Wvo
Score: 10/10
Malware Config
Signatures
Modifies WinLogon for persistence (2 TTPs, 1 IoC)
  Process: sita.exe
  Set value (str): \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "\"C:\\Users\\Admin\\AppData\\Roaming\\RealtekHD\\GfFjdFQKvxht.exe\",explorer.exe"
  Winlogon\Shell is a comma-separated list of programs started at every interactive logon; the stock value is explorer.exe alone. The dropped GfFjdFQKvxht.exe is prepended so the real shell keeps working while the sample gains persistence, and because the key sits in the user's own hive (S-1-5-21-...-1000, i.e. HKCU) no elevation is needed to write it.
Uses the VBS compiler for execution (1 TTP)
  vbc.exe is the Visual Basic .NET compiler shipped in C:\Windows\Microsoft.NET\Framework\v2.0.50727, a Microsoft-signed binary. It is the child that sita.exe writes into and redirects (SetThreadContext and WriteProcessMemory below), so it serves as the host for injected code rather than as a compiler run.
Suspicious use of SetThreadContext (1 IoC)
  PID 2036 sita.exe set thread context of PID 1000 vbc.exe
Drops file in Windows directory (1 IoC)
  File created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\.Identifier (process: vbc.exe)
Suspicious behavior: EnumeratesProcesses (1 IoC)
  PID 2036 sita.exe
Suspicious use of AdjustPrivilegeToken (1 IoC)
  Token: SeDebugPrivilege, PID 2036 sita.exe
Suspicious use of WriteProcessMemory (9 IoCs)
  PID 2036 sita.exe wrote to memory of PID 1000 vbc.exe (the same entry is reported nine times)
  Together with the SetThreadContext call on the same target this is the write-then-redirect sequence of process hollowing (RunPE): the payload is written into the vbc.exe image region and a thread is pointed at it. The 92KB dumps of 0x400000-0x417000 in PID 1000 under Downloads are that overwritten region.
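Two checks a responder would run on the evidence in the persistence and SetThreadContext/WriteProcessMemory signatures above, written here as an added example (this is not sandbox output and not code from the sample): a Winlogon Shell parser that flags any entry other than the stock explorer.exe, and a correlator that raises a hollowing finding only when one process both writes into another and sets a thread context on it. The input is constructed from the IoC rows of this report; DEFAULT_SHELL, REPORTED_SHELL, REPORTED_EVENTS and the event tuple layout are assumptions of the example, not fields the sandbox exports.

```python
"""Two checks derived from the signatures in this report (added example).

1. Is the Winlogon Shell value still the stock one?
2. Does the API trace show a write-then-redirect pair on one target process,
   the core of process hollowing / RunPE?

Input is constructed from the report's IoC tables: sita.exe (PID 2036) wrote
nine times into vbc.exe (PID 1000) and called SetThreadContext on it.
"""
import csv
from collections import defaultdict

DEFAULT_SHELL = "explorer.exe"

# Constructed: the raw registry data the report shows sita.exe writing to
# HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell. The report
# prints it JSON-escaped (\" and \\); this is the value as stored.
REPORTED_SHELL = (
    '"C:\\Users\\Admin\\AppData\\Roaming\\RealtekHD\\GfFjdFQKvxht.exe",explorer.exe'
)

VBC = r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"

# Constructed: (api, caller_pid, caller_image, target_pid, target_image) events,
# modelled on the report's nine WriteProcessMemory rows and one SetThreadContext row.
REPORTED_EVENTS = [("WriteProcessMemory", 2036, "sita.exe", 1000, VBC)] * 9 + [
    ("SetThreadContext", 2036, "sita.exe", 1000, VBC)
]


def parse_shell_value(value):
    """Split a Winlogon Shell value into the programs Winlogon will start.

    The value is a comma-separated list whose entries may be quoted paths, so a
    CSV parse (quotes stripped, commas inside quotes kept) is the right tokenizer.
    """
    return [entry.strip() for entry in next(csv.reader([value])) if entry.strip()]


def winlogon_shell_findings(value):
    """Report anything in Shell other than the single stock entry explorer.exe.

    'extra' lists foreign entries (each is started at every interactive logon,
    i.e. persistence); 'explorer_present' is False when the shell was replaced
    outright rather than prepended to. Comparison is case-insensitive, as the
    registry is.
    """
    entries = parse_shell_value(value)
    return {
        "extra": [e for e in entries if e.lower() != DEFAULT_SHELL],
        "explorer_present": any(e.lower() == DEFAULT_SHELL for e in entries),
    }


HOLLOWING_APIS = frozenset({"WriteProcessMemory", "SetThreadContext"})


def hollowing_candidates(events):
    """Correlate cross-process writes with a SetThreadContext on the same pair.

    A process that writes into another process and then redirects one of its
    threads is the core of process hollowing. Either call alone is not flagged:
    debuggers and installers write remote memory without touching thread
    context. 'lolbin_target' marks a victim under C:\\Windows, where the
    injected code then runs under the name of a Microsoft-signed binary.
    Returns {(caller_pid, target_pid): finding}.
    """
    seen = defaultdict(lambda: {"apis": set(), "writes": 0, "caller": "", "target": ""})
    for api, caller_pid, caller_img, target_pid, target_img in events:
        if api not in HOLLOWING_APIS or target_pid is None or target_pid == caller_pid:
            continue
        rec = seen[(caller_pid, target_pid)]
        rec["apis"].add(api)
        rec["caller"], rec["target"] = caller_img, target_img
        if api == "WriteProcessMemory":
            rec["writes"] += 1
    return {
        key: {
            "caller": rec["caller"],
            "target": rec["target"],
            "writes": rec["writes"],
            "lolbin_target": rec["target"].lower().startswith("c:\\windows\\"),
        }
        for key, rec in seen.items()
        if rec["apis"] == HOLLOWING_APIS
    }


def analyze(shell_value=REPORTED_SHELL, events=REPORTED_EVENTS):
    """Run both checks and return the combined findings."""
    return {
        "winlogon": winlogon_shell_findings(shell_value),
        "hollowing": hollowing_candidates(events),
    }


if __name__ == "__main__":
    for name, finding in analyze().items():
        print(f"{name}: {finding}")
```

On a live host the same Shell check applies to the HKLM copy of the key as well as HKCU; the per-user value, when present, takes precedence for that user, which is why a non-admin sample can hijack logon without touching HKLM.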
Processes
1⤵ C:\Users\Admin\AppData\Local\Temp\sita.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\sita.exe"
   PID: 2036
   - Modifies WinLogon for persistence
   - Suspicious use of SetThreadContext
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
  2⤵ C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe (child of PID 2036)
     Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
     PID: 1000
     - Drops file in Windows directory
Network
MITRE ATT&CK Enterprise v6
Downloads
memory/1000-65-0x0000000000401F8F-mapping.dmp
memory/1000-58-0x0000000000400000-0x0000000000417000-memory.dmp (92KB)
memory/1000-59-0x0000000000400000-0x0000000000417000-memory.dmp (92KB)
memory/1000-61-0x0000000000400000-0x0000000000417000-memory.dmp (92KB)
memory/1000-63-0x0000000000400000-0x0000000000417000-memory.dmp (92KB)
memory/1000-64-0x0000000000400000-0x0000000000417000-memory.dmp (92KB)
memory/1000-68-0x0000000000400000-0x0000000000417000-memory.dmp (92KB)
memory/1000-69-0x0000000000400000-0x0000000000417000-memory.dmp (92KB)
memory/1000-70-0x0000000000400000-0x0000000000417000-memory.dmp (92KB)
memory/2036-55-0x00000000747D0000-0x0000000074D7B000-memory.dmp (5.7MB)
memory/2036-56-0x00000000747D0000-0x0000000074D7B000-memory.dmp (5.7MB)
memory/2036-57-0x00000000006C5000-0x00000000006D6000-memory.dmp (68KB)
memory/2036-54-0x0000000076381000-0x0000000076383000-memory.dmp (8KB)
The eight PID 1000 dumps all cover the same 0x400000-0x417000 range (0x17000 bytes, 92KB), the image region of vbc.exe that sita.exe wrote into, and the 0x401F8F mapping lies inside it; these are the dumps to carve the injected PE from, since the 331KB sita.exe on disk is only the loader.