Analysis
max time kernel: 191s
max time network: 206s
platform: windows10-2004_x64
resource: win10v2004-20221111-en
resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
submitted: 24-11-2022 19:24
Static task: static1
Behavioral task: behavioral1
  Sample: sita.exe
  Resource: win7-20221111-en (windows7-x64)
  7 signatures, 150 seconds
Behavioral task: behavioral2
  Sample: sita.exe
  Resource: win10v2004-20221111-en (windows10-2004-x64)
  7 signatures, 150 seconds
General
Target: sita.exe
Size: 331KB
MD5: a01b9095e1c5b24279bf4b8587f0f156
SHA1: 1acb07c459f20bbfb7aaa8289b63bba5eda7bb2c
SHA256: 34b2479724a8efe6d04236305e15342378dca7ff5677a48b2943404b36e229fe
SHA512: f52c9f3263ac04ba803c0d564c6285adc80b4e84c95ccf88ca4812994fa82a60d65a7be6671ac762c0ec693c10b051e0733aa63689dad7e356ff0fda713f0b50
SSDEEP: 6144:qlBswxp0yoxVGuvM/OHgyGFVzC+j5wGuGGbGmGOG2yG+GXGkGuGGpGGIGGHGGjGM:qlZpYMuvMKvGFVx2Wvo
Score: 10/10
Malware Config
Signatures
Modifies WinLogon for persistence (2 TTPs, 1 IoC)
Processes: sita.exe
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "\"C:\\Users\\Admin\\AppData\\Roaming\\RealtekHD\\DB7l0fNdqpA4.exe\",explorer.exe"
  process: sita.exe
Uses the VBS compiler for execution (1 TTP)
Suspicious use of SetThreadContext (1 IoC)
Processes: sita.exe
  description: PID 3800 set thread context of 4976
  pid: 3800
  process: sita.exe
  target process: vbc.exe
Drops file in Windows directory (1 IoC)
Processes: vbc.exe
  description: File created
  ioc: C:\Windows\Microsoft.NET\Framework\v2.0.50727\.Identifier
  process: vbc.exe
Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes: sita.exe
  pid: 3800, process: sita.exe
  pid: 3800, process: sita.exe
Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes: sita.exe
  description: Token: SeDebugPrivilege
  pid: 3800
  process: sita.exe
Suspicious use of WriteProcessMemory (8 IoCs)
Processes: sita.exe
  8 identical entries:
  description: PID 3800 wrote to memory of 4976
  pid: 3800
  process: sita.exe
  target process: vbc.exe
Processes
C:\Users\Admin\AppData\Local\Temp\sita.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\sita.exe"
  PID: 3800
  - Modifies WinLogon for persistence
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  Child process:
  C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
    PID: 4976
    - Drops file in Windows directory
Network
MITRE ATT&CK Enterprise v6
Downloads
memory/3800-132-0x00000000746C0000-0x0000000074C71000-memory.dmp  Filesize: 5.7MB
memory/3800-133-0x00000000746C0000-0x0000000074C71000-memory.dmp  Filesize: 5.7MB
memory/4976-134-0x0000000000000000-mapping.dmp
memory/4976-135-0x0000000000400000-0x0000000000417000-memory.dmp  Filesize: 92KB
memory/4976-137-0x0000000000400000-0x0000000000417000-memory.dmp  Filesize: 92KB
memory/4976-138-0x0000000000400000-0x0000000000417000-memory.dmp  Filesize: 92KB
memory/4976-139-0x0000000000400000-0x0000000000417000-memory.dmp  Filesize: 92KB