Analysis
- max time kernel: 103s
- max time network: 83s
- platform: windows7_x64
- resource: win7-20221111-en
- resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
- submitted: 25-11-2022 07:31
Static task: static1
Behavioral task: behavioral1
- Sample: 892109f5a0998026fd22f457a8cf84f9e0585e3de8e01b9348dc379938b258b5.exe
- Resource: win7-20221111-en
Behavioral task: behavioral2
- Sample: 892109f5a0998026fd22f457a8cf84f9e0585e3de8e01b9348dc379938b258b5.exe
- Resource: win10v2004-20220901-en
General
- Target: 892109f5a0998026fd22f457a8cf84f9e0585e3de8e01b9348dc379938b258b5.exe
- Size: 3.2MB
- MD5: b7a3810e62d2154b356267f64746d0cb
- SHA1: f80e3f795beb0003c38d5dfc0544f0a677f01c6e
- SHA256: 892109f5a0998026fd22f457a8cf84f9e0585e3de8e01b9348dc379938b258b5
- SHA512: 11594d377ee238d365c4250842ed51750abd8369e592bf34f0ec1b166f273f68733716b6f9d0f494d6bf27205dbf1b38a46fb833078383862c30649d8f1c989d
- SSDEEP: 98304:HityitqjVG2Dj8eGp3FjnANhDB8bdeZZu26mSUstHJii:HTFj8jp3FjAvOe4fmcpj
Malware Config
Signatures
UAC bypass
Processes (description | ioc | process):
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | reg.exe
Note: writing this HKLM value requires the sample to already be running with administrative rights, and EnableLUA=0 only takes effect after the next reboot; it disables UAC prompts outright rather than bypassing a single elevation.
Executes dropped EXE 1 IoCs
Processes (pid | process):
- 940 | kill.exe
UPX packed file (yara rule: upx)
Processes (resource | yara_rule):
- C:\kill.exe | upx
- behavioral1/memory/940-61-0x0000000000400000-0x00000000006B4000-memory.dmp | upx
- behavioral1/memory/940-62-0x0000000000400000-0x00000000006B4000-memory.dmp | upx
Adds Run key to start application 2 TTPs 4 IoCs
Processes (description | ioc | process):
- Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run | 892109f5a0998026fd22f457a8cf84f9e0585e3de8e01b9348dc379938b258b5.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\svchosts = "C:\\Windows\\System32\\svchosts.exe" | 892109f5a0998026fd22f457a8cf84f9e0585e3de8e01b9348dc379938b258b5.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run | 892109f5a0998026fd22f457a8cf84f9e0585e3de8e01b9348dc379938b258b5.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ = "C:\\Windows\\System32\\svchosts.exe" | 892109f5a0998026fd22f457a8cf84f9e0585e3de8e01b9348dc379938b258b5.exe
Note: "svchosts.exe" is a lookalike of the legitimate svchost.exe. The sample is 32-bit, so its write to HKLM\SOFTWARE\...\Run lands under Wow6432Node and its file write to C:\Windows\System32 is redirected by WOW64 to C:\Windows\SysWOW64 (see the next signature); when hunting, check both C:\Windows\System32\svchosts.exe and C:\Windows\SysWOW64\svchosts.exe.
Drops file in System32 directory 2 IoCs
Processes (description | ioc | process):
- File created | C:\Windows\SysWOW64\svchosts.exe | 892109f5a0998026fd22f457a8cf84f9e0585e3de8e01b9348dc379938b258b5.exe
- File opened for modification | C:\Windows\SysWOW64\svchosts.exe | 892109f5a0998026fd22f457a8cf84f9e0585e3de8e01b9348dc379938b258b5.exe
Modifies registry key 1 TTPs 1 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes (pid | process):
- 1352 | 892109f5a0998026fd22f457a8cf84f9e0585e3de8e01b9348dc379938b258b5.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes (description | pid | process):
- Token: SeShutdownPrivilege | 940 | kill.exe
Suspicious use of SetWindowsHookEx 4 IoCs
Processes (pid | process):
- 940 | kill.exe
- 940 | kill.exe
- 1352 | 892109f5a0998026fd22f457a8cf84f9e0585e3de8e01b9348dc379938b258b5.exe
- 1352 | 892109f5a0998026fd22f457a8cf84f9e0585e3de8e01b9348dc379938b258b5.exe
Suspicious use of WriteProcessMemory 12 IoCs
Processes (description | pid | process | target process):
- PID 1352 wrote to memory of 940 | 1352 | 892109f5a0998026fd22f457a8cf84f9e0585e3de8e01b9348dc379938b258b5.exe | kill.exe
- PID 1352 wrote to memory of 940 | 1352 | 892109f5a0998026fd22f457a8cf84f9e0585e3de8e01b9348dc379938b258b5.exe | kill.exe
- PID 1352 wrote to memory of 940 | 1352 | 892109f5a0998026fd22f457a8cf84f9e0585e3de8e01b9348dc379938b258b5.exe | kill.exe
- PID 1352 wrote to memory of 940 | 1352 | 892109f5a0998026fd22f457a8cf84f9e0585e3de8e01b9348dc379938b258b5.exe | kill.exe
- PID 1352 wrote to memory of 1400 | 1352 | 892109f5a0998026fd22f457a8cf84f9e0585e3de8e01b9348dc379938b258b5.exe | cmd.exe
- PID 1352 wrote to memory of 1400 | 1352 | 892109f5a0998026fd22f457a8cf84f9e0585e3de8e01b9348dc379938b258b5.exe | cmd.exe
- PID 1352 wrote to memory of 1400 | 1352 | 892109f5a0998026fd22f457a8cf84f9e0585e3de8e01b9348dc379938b258b5.exe | cmd.exe
- PID 1352 wrote to memory of 1400 | 1352 | 892109f5a0998026fd22f457a8cf84f9e0585e3de8e01b9348dc379938b258b5.exe | cmd.exe
- PID 1400 wrote to memory of 916 | 1400 | cmd.exe | reg.exe
- PID 1400 wrote to memory of 916 | 1400 | cmd.exe | reg.exe
- PID 1400 wrote to memory of 916 | 1400 | cmd.exe | reg.exe
- PID 1400 wrote to memory of 916 | 1400 | cmd.exe | reg.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\892109f5a0998026fd22f457a8cf84f9e0585e3de8e01b9348dc379938b258b5.exe (PID 1352)
  Command line: "C:\Users\Admin\AppData\Local\Temp\892109f5a0998026fd22f457a8cf84f9e0585e3de8e01b9348dc379938b258b5.exe"
  - Adds Run key to start application
  - Drops file in System32 directory
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - \??\c:\kill.exe (PID 940)
    Command line: c:\kill.exe /nogui c:\kill.txt
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
  - C:\Windows\SysWOW64\cmd.exe (PID 1400)
    Command line: C:\Windows\System32\cmd.exe /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\reg.exe (PID 916)
      Command line: C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
      - UAC bypass
      - Modifies registry key
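The process tree and signatures above give three host-side behaviours worth turning into detection logic: the reg.exe command line that sets EnableLUA to 0, the Run value that points at a svchost.exe lookalike, and the drop of that lookalike into a Windows system directory, plus the SHA-256 of the dropped kill.exe. The script below is an added example and is not part of the sandbox report or its tooling: it runs a few triage rules over constructed Sysmon-style events (registry set, file create, process create) built from this report's IoCs, and also expands a path to its WOW64 twin so a hunt covers both System32 and SysWOW64. The Event record shape, the rule names and the sample events are assumptions made for the example.

```python
"""Triage rules for the behaviours in this sandbox report, run over
constructed Sysmon-style events. Added example; not part of the report."""
import re
from dataclasses import dataclass

SAMPLE_EXE = "892109f5a0998026fd22f457a8cf84f9e0585e3de8e01b9348dc379938b258b5.exe"

# SHA-256 values copied from the report's General and Downloads sections.
KNOWN_SHA256 = {
    "892109f5a0998026fd22f457a8cf84f9e0585e3de8e01b9348dc379938b258b5": "sample",
    "6485271fe48f7be4cb49735c60fa4cf2ff52f235e2b24bfba22df6ea75fda1d7": "dropped kill.exe",
}

RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(\\|$)", re.I)
ENABLELUA_RE = re.compile(r"\\Policies\\System\\EnableLUA$", re.I)
# reg.exe command line that writes EnableLUA=0 (catches it even without registry auditing)
ENABLELUA_CMD_RE = re.compile(
    r"\breg(?:\.exe)?\s+add\b.*\\Policies\\System\b.*/v\s+EnableLUA\b.*/d\s+0\b", re.I)
# svchost lookalikes: svchosts.exe, svch0st32.exe ... but never exactly svchost.exe
LOOKALIKE_RE = re.compile(r"(?:^|\\)svch[o0]st[a-z0-9_-]+\.exe$", re.I)
SYSDIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


@dataclass
class Event:
    kind: str          # "registry" | "file" | "process"  (assumed event shape)
    image: str         # process that performed the action
    target: str = ""   # registry value path, file path, or child command line
    data: str = ""     # registry data as written, or file SHA-256


def norm(path: str) -> str:
    """Strip quotes, collapse the sandbox's escaped backslashes, lower-case."""
    return path.strip('"').replace("\\\\", "\\").lower()


def is_svchost_lookalike(path: str) -> bool:
    return bool(LOOKALIKE_RE.search(norm(path)))


def wow64_variants(path: str):
    """Return the path plus its System32/SysWOW64 twin, so a hunt checks both."""
    p = norm(path)
    out = {p}
    for a, b in ((SYSDIRS[0], SYSDIRS[1]), (SYSDIRS[1], SYSDIRS[0])):
        if p.startswith(a):
            out.add(b + p[len(a):])
    return sorted(out)


def triage(events):
    """Return (rule, acting_image, detail) tuples for every event that fires a rule."""
    findings = []
    for ev in events:
        if ev.kind == "registry":
            if ENABLELUA_RE.search(ev.target) and ev.data.strip('"') == "0":
                findings.append(("uac_bypass", ev.image, ev.target))
            elif RUN_KEY_RE.search(ev.target) and is_svchost_lookalike(ev.data):
                findings.append(("run_key_lookalike", ev.image, norm(ev.data)))
        elif ev.kind == "file":
            p = norm(ev.target)
            if p.startswith(SYSDIRS) and is_svchost_lookalike(p):
                findings.append(("system_dir_lookalike_drop", ev.image, p))
            if ev.data.lower() in KNOWN_SHA256:
                findings.append(("known_hash", ev.image, KNOWN_SHA256[ev.data.lower()]))
        elif ev.kind == "process":
            if ENABLELUA_CMD_RE.search(ev.target):
                findings.append(("uac_bypass_cmdline", ev.image, ev.target))
    return findings


# Constructed events mirroring the report's IoCs, plus two benign ones that must not fire.
SAMPLE_EVENTS = [
    Event("file", SAMPLE_EXE, r"C:\Windows\SysWOW64\svchosts.exe"),
    Event("registry", SAMPLE_EXE,
          r"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\svchosts",
          r'"C:\\Windows\\System32\\svchosts.exe"'),
    Event("process", "cmd.exe",
          r"C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion"
          r"\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f"),
    Event("registry", "reg.exe",
          r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA", "0"),
    Event("file", SAMPLE_EXE, r"C:\kill.exe",
          "6485271fe48f7be4cb49735c60fa4cf2ff52f235e2b24bfba22df6ea75fda1d7"),
    Event("file", "services.exe", r"C:\Windows\System32\svchost.exe"),        # legitimate
    Event("registry", "setup.exe",
          r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater",
          r'"C:\Program Files\Vendor\updater.exe"'),                          # benign Run value
]

if __name__ == "__main__":
    for rule, image, detail in triage(SAMPLE_EVENTS):
        print(f"{rule:28} {image:20} {detail}")
    print(wow64_variants(r"C:\Windows\System32\svchosts.exe"))
```

The command-line rule is deliberately separate from the registry rule: on hosts without registry auditing the reg.exe process creation is often the only telemetry, and on hosts with it the registry event attributes the write to reg.exe rather than to the sample, so the two findings need to be joined through the process tree (PID 1352 → 1400 → 916 here) to reach the originating binary.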
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\kill.exe
  Filesize: 714KB
  MD5: 30f3680e007d924960fd65524de36601
  SHA1: 23f1e67e28052188432d2031335a79cb5ae72a8f
  SHA256: 6485271fe48f7be4cb49735c60fa4cf2ff52f235e2b24bfba22df6ea75fda1d7
  SHA512: 33323b60353430962ef0e07dd166625ae8cb1d2080f75859d35cf0c807d146ccd7272feef37ebbe8ce77f988658ef0dee6602f9b1bcf429cd0c1898862b5091a
- \??\c:\kill.txt
  Filesize: 2KB
  MD5: cea2b4fcf88300dfe8bcb5ca0ae763b1
  SHA1: 07a03da97fce66eca11f164e6c327510dbed0c34
  SHA256: a92290ff7c8b37d014692b98468701dca658bba1de0fe85d6e57cdc75bd81dcd
  SHA512: ff1503eb33850e201146a402bf528a92b1b13a8df276ed2beea4c73a0017a4622d88ead0a5cdafaffc89b91f6fb5eeef9ca2a4d79411ab9d5db5d4086f39d213
- memory/916-64-0x0000000000000000-mapping.dmp
- memory/940-56-0x0000000000000000-mapping.dmp
- memory/940-58-0x0000000075931000-0x0000000075933000-memory.dmp
  Filesize: 8KB
- memory/940-61-0x0000000000400000-0x00000000006B4000-memory.dmp
  Filesize: 2.7MB
- memory/940-62-0x0000000000400000-0x00000000006B4000-memory.dmp
  Filesize: 2.7MB
- memory/1352-54-0x0000000000400000-0x0000000001FB4000-memory.dmp
  Filesize: 27.7MB
- memory/1352-55-0x0000000000400000-0x0000000001FB4000-memory.dmp
  Filesize: 27.7MB
- memory/1352-60-0x0000000004880000-0x0000000004B34000-memory.dmp
  Filesize: 2.7MB
- memory/1352-66-0x0000000004880000-0x0000000004B34000-memory.dmp
  Filesize: 2.7MB
- memory/1400-63-0x0000000000000000-mapping.dmp