Analysis
- max time kernel: 151s
- max time network: 169s
- platform: windows7_x64
- resource: win7-20220812-en
- resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
- submitted: 25-11-2022 19:30
Static task: static1
Behavioral task: behavioral1
- Sample: ffb9b0085f81c9430338f2453ad9e6ce5bc9a57245cae6e0555599da34578f15.exe
- Resource: win7-20220812-en
Behavioral task: behavioral2
- Sample: ffb9b0085f81c9430338f2453ad9e6ce5bc9a57245cae6e0555599da34578f15.exe
- Resource: win10v2004-20220901-en
General
- Target: ffb9b0085f81c9430338f2453ad9e6ce5bc9a57245cae6e0555599da34578f15.exe
- Size: 140KB
- MD5: d78ba016553c66c5e47275d5ae6ae6c5
- SHA1: f986fab573749f26efb419309bb9241aac62cdf8
- SHA256: ffb9b0085f81c9430338f2453ad9e6ce5bc9a57245cae6e0555599da34578f15
- SHA512: 2d33e685579a947aa2f0b239b5a1edc27c116f1fa145fc9a12ba211b77c0e5630b840c4bb8b695c7e4bf3736ab14751cdf568e9d0897385297b18fa4f2197125
- SSDEEP: 3072:v32ts5kLHPgMT9/VAG/qZ4jiIrhRHKcucchFwyzTK:vGq2jLT9/24Xic8z
Malware Config
Signatures
- Modifies WinLogon for persistence (2 TTPs, 1 IoC)
  Processes: svchost.exe
  description: Set value (str) | ioc: \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Roaming\\Other.res" | process: svchost.exe
- Suspicious use of NtSetInformationThreadHideFromDebugger (2 IoCs)
  Processes: ffb9b0085f81c9430338f2453ad9e6ce5bc9a57245cae6e0555599da34578f15.exe, svchost.exe
  pid 1628: ffb9b0085f81c9430338f2453ad9e6ce5bc9a57245cae6e0555599da34578f15.exe
  pid 856: svchost.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes: svchost.exe
  pid 856: svchost.exe (the same entry is repeated 64 times)
- Suspicious behavior: MapViewOfSection (2 IoCs)
  Processes: ffb9b0085f81c9430338f2453ad9e6ce5bc9a57245cae6e0555599da34578f15.exe
  pid 1628: ffb9b0085f81c9430338f2453ad9e6ce5bc9a57245cae6e0555599da34578f15.exe (2 entries)
- Suspicious use of SetWindowsHookEx (2 IoCs)
  Processes: svchost.exe
  pid 856: svchost.exe (2 entries)
- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes: svchost.exe
  PID 856 (svchost.exe) wrote to memory of PID 1796 (ctfmon.exe); the same entry is repeated 4 times
Processes
- C:\Users\Admin\AppData\Local\Temp\ffb9b0085f81c9430338f2453ad9e6ce5bc9a57245cae6e0555599da34578f15.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\ffb9b0085f81c9430338f2453ad9e6ce5bc9a57245cae6e0555599da34578f15.exe"
  PID: 1628
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: MapViewOfSection
- C:\Windows\syswow64\svchost.exe
  command line: "C:\Windows\syswow64\svchost.exe"
  PID: 856
  - Modifies WinLogon for persistence
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - child: C:\Windows\SysWOW64\ctfmon.exe
    command line: ctfmon.exe
    PID: 1796
Network
MITRE ATT&CK Enterprise v6
Downloads
- memory/1284-61-0x00000000026E0000-0x00000000026E9000-memory.dmp (Filesize: 36KB)
- memory/1284-62-0x0000000077930000-0x0000000077AD9000-memory.dmp (Filesize: 1.7MB)
- memory/1284-63-0x0000000077930000-0x0000000077AD9000-memory.dmp (Filesize: 1.7MB)
- memory/1628-54-0x0000000075831000-0x0000000075833000-memory.dmp (Filesize: 8KB)
- memory/1628-55-0x0000000000400000-0x0000000000424000-memory.dmp (Filesize: 144KB)
- memory/1628-56-0x0000000000400000-0x0000000000424000-memory.dmp (Filesize: 144KB)
- memory/1628-57-0x00000000002A0000-0x00000000002D0000-memory.dmp (Filesize: 192KB)
- memory/1628-58-0x0000000000400000-0x0000000000424000-memory.dmp (Filesize: 144KB)
- memory/1628-59-0x00000000002A0000-0x00000000002D0000-memory.dmp (Filesize: 192KB)
- memory/1796-64-0x0000000000000000-mapping.dmp