Analysis
- max time kernel: 114s
- max time network: 123s
- platform: windows7_x64
- resource: win7-20220812-en
- resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
- submitted: 25-11-2022 09:27
Static task: static1
Behavioral task: behavioral1
- Sample: 5d82ffb7987b1280057f4aba5768f1503c9332ecff850452697ddf5c603316bf.exe
- Resource: win7-20220812-en
Behavioral task: behavioral2
- Sample: 5d82ffb7987b1280057f4aba5768f1503c9332ecff850452697ddf5c603316bf.exe
- Resource: win10v2004-20220812-en
General
- Target: 5d82ffb7987b1280057f4aba5768f1503c9332ecff850452697ddf5c603316bf.exe
- Size: 31.8MB
- MD5: 34e165db7781fdb98ffbdb89950013f9
- SHA1: b2bc9495bb13ee35f4b07ccaf1ba706e05f50f7c
- SHA256: 5d82ffb7987b1280057f4aba5768f1503c9332ecff850452697ddf5c603316bf
- SHA512: fdc5217dad8a140fe4e2fc7db167638ef9f60b4de441803d07afc04371119dc8243650d62ab89d45a866135df08319115b680c4b0004bd6ae5446cc4dff80153
- SSDEEP: 393216:qyJXk2mMuOjiYOj257OUF3og0zHie8+ZqUCd1CPwDv3uFKhBrqW4tLFDoe:XJXk2/I29XF3og0Oe3Llt
Malware Config
Signatures
- Modifies WinLogon for persistence (2 TTPs, 1 IoC)
  Process: 5d82ffb7987b1280057f4aba5768f1503c9332ecff850452697ddf5c603316bf.exe
  Description: Set value (str)
  IoC: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,"
- Drops file in Drivers directory (1 IoC)
  Process: 5d82ffb7987b1280057f4aba5768f1503c9332ecff850452697ddf5c603316bf.exe
  Description: File opened for modification
  IoC: C:\Windows\system32\drivers\etc\hosts
- Executes dropped EXE (1 IoC)
  PID 1552: kiosk_net.dll
- Loads dropped DLL (1 IoC)
  PID 1912: 5d82ffb7987b1280057f4aba5768f1503c9332ecff850452697ddf5c603316bf.exe
- Disables Windows logging functionality (2 TTPs)
  Changes registry settings to disable Windows Event logging.
- Suspicious behavior: EnumeratesProcesses (23 IoCs)
  PID 1912: 5d82ffb7987b1280057f4aba5768f1503c9332ecff850452697ddf5c603316bf.exe (20 entries)
  PID 1552: kiosk_net.dll (3 entries)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  PID 1552: kiosk_net.dll, Token: SeDebugPrivilege
- Suspicious use of WriteProcessMemory (4 IoCs)
  PID 1912 (5d82ffb7987b1280057f4aba5768f1503c9332ecff850452697ddf5c603316bf.exe) wrote to memory of PID 1552 (kiosk_net.dll), 4 entries
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\5d82ffb7987b1280057f4aba5768f1503c9332ecff850452697ddf5c603316bf.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\5d82ffb7987b1280057f4aba5768f1503c9332ecff850452697ddf5c603316bf.exe"
  - Modifies WinLogon for persistence
  - Drops file in Drivers directory
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
- [2] C:\Users\Admin\AppData\Local\Temp\kiosk_net.dll (child of [1])
  Command line: C:\Users\Admin\AppData\Local\Temp\kiosk_net.dll
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\kiosk_net.dll
  Filesize: 9.5MB
  MD5: 4235a683791056699f2e1d0cc3e66f36
  SHA1: 50bd581079e1e6c90d4d81bab3e484a662b96b0d
  SHA256: 5bad8d0e2b48f45585fc8e1e2f7a551bd1cfccc3d259ce09c0c49003f66ace33
  SHA512: 7c836fe1dc4ab9d8bd5feefc16cd6514fae23d38c34a741b02c5ea7deacb2c1d69de5c13e2173183b65254766ef4c6da6631ffd95caf5a862f582144c95d1d13
- \Users\Admin\AppData\Local\Temp\kiosk_net.dll
  Filesize: 9.5MB
  MD5: 4235a683791056699f2e1d0cc3e66f36
  SHA1: 50bd581079e1e6c90d4d81bab3e484a662b96b0d
  SHA256: 5bad8d0e2b48f45585fc8e1e2f7a551bd1cfccc3d259ce09c0c49003f66ace33
  SHA512: 7c836fe1dc4ab9d8bd5feefc16cd6514fae23d38c34a741b02c5ea7deacb2c1d69de5c13e2173183b65254766ef4c6da6631ffd95caf5a862f582144c95d1d13
- memory/1552-56-0x0000000000000000-mapping.dmp
- memory/1552-59-0x0000000000400000-0x0000000002E54000-memory.dmp
  Filesize: 42.3MB
- memory/1912-54-0x0000000076041000-0x0000000076043000-memory.dmp
  Filesize: 8KB