Analysis
-
max time kernel
177s -
max time network
232s -
platform
windows10-2004_x64 -
resource
win10v2004-20221111-en -
resource tags
arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system -
submitted
25-11-2022 12:34
Static task
static1
Behavioral task
behavioral1
Sample
2715c9230783174b4dad156d910ab5ece14e002dfee06fb1440496a916c42e64.exe
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
2715c9230783174b4dad156d910ab5ece14e002dfee06fb1440496a916c42e64.exe
Resource
win10v2004-20221111-en
General
-
Target
2715c9230783174b4dad156d910ab5ece14e002dfee06fb1440496a916c42e64.exe
-
Size
21KB
-
MD5
12761f69e94e1639f0f81115500aac5a
-
SHA1
efd1da6e7240fd65e53422d6a0d120ac069e849d
-
SHA256
2715c9230783174b4dad156d910ab5ece14e002dfee06fb1440496a916c42e64
-
SHA512
7bb2b928d43932dce8140df246a87bf57c2e665f0f6c6e1c9ecf62682ae8d6e97e4fb32025af57a3685c8defa80d3eb02a91966ae40a8e3d4abe4a34818ba0fa
-
SSDEEP
384:jlFC2mTlcxf1uuPcaQbLf45sQf0yi8hR00z:jlFC2mTw0uUX+pz
Malware Config
Signatures
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
dw20.exedescription ioc process Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 dw20.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz dw20.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString dw20.exe -
Enumerates system info in registry 2 TTPs 2 IoCs
Processes:
dw20.exedescription ioc process Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS dw20.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU dw20.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
dw20.exedescription pid process Token: SeBackupPrivilege 2964 dw20.exe Token: SeBackupPrivilege 2964 dw20.exe -
Suspicious use of WriteProcessMemory 2 IoCs
Processes:
2715c9230783174b4dad156d910ab5ece14e002dfee06fb1440496a916c42e64.exedescription pid process target process PID 3316 wrote to memory of 2964 3316 2715c9230783174b4dad156d910ab5ece14e002dfee06fb1440496a916c42e64.exe dw20.exe PID 3316 wrote to memory of 2964 3316 2715c9230783174b4dad156d910ab5ece14e002dfee06fb1440496a916c42e64.exe dw20.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\2715c9230783174b4dad156d910ab5ece14e002dfee06fb1440496a916c42e64.exe"C:\Users\Admin\AppData\Local\Temp\2715c9230783174b4dad156d910ab5ece14e002dfee06fb1440496a916c42e64.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3316 -
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exedw20.exe -x -s 15162⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
PID:2964