Analysis
- max time kernel: 150s
- max time network: 148s
- platform: windows7_x64
- resource: win7-20221111-en
- resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
- submitted: 27/11/2022, 07:39
Static task: static1
Behavioral task: behavioral1
- Sample: aaa11454c7bcb0990f913dcce90fa948b6463514650494fbe0702c0008edda2b.exe
- Resource: win7-20221111-en
Behavioral task: behavioral2
- Sample: aaa11454c7bcb0990f913dcce90fa948b6463514650494fbe0702c0008edda2b.exe
- Resource: win10v2004-20220812-en
General
- Target: aaa11454c7bcb0990f913dcce90fa948b6463514650494fbe0702c0008edda2b.exe
- Size: 484KB
- MD5: ac6b71abcb71f997af10d48897742e31
- SHA1: a9e33a13e9502e004aaa8d2a2c51845be8d0b91a
- SHA256: aaa11454c7bcb0990f913dcce90fa948b6463514650494fbe0702c0008edda2b
- SHA512: 0617f1e4471e121de6548a3fc4e32d5d44782231d0a9b0b88fa91578a62baaf2e942c7e1e4e50e6ec8d5c20179a2fbdd100fb137e893bbd3d7d366fc4ca7bcd5
- SSDEEP: 6144:oezaXW78iefMEUbEKi1mSI1c19sCzyApRI2Ff491eVHY:oW87EEUIv8S/++A91CH
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  pid 936: ebxNraYfaQsogLK.exe
- Deletes itself (1 IoC)
  pid 936: ebxNraYfaQsogLK.exe
- Drops file in System32 directory (3 IoCs)
  File opened for modification: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat (Process not Found)
  File created: C:\Windows\system32\config\systemprofile\AppData\Local\f5e83w4ef.dat (Process not Found)
  File opened for modification: C:\Windows\system32\config\systemprofile\AppData\Local\f5e83w4ef.dat (Process not Found)
- Drops file in Windows directory (1 IoC)
  File created: C:\Windows\ebxNraYfaQsogLK.exe (aaa11454c7bcb0990f913dcce90fa948b6463514650494fbe0702c0008edda2b.exe)
- Modifies data under HKEY_USERS (24 IoCs; all attributed to "Process not Found")
  Set value (data): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
  Set value (data): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{1B8CA7BE-1633-4594-8014-F7E3DDBB4033}\WpadDecisionTime = 6007ae0cdd02d901
  Key created: \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\9e-77-05-40-df-35
  Key created: \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
  Set value (str): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix (no value shown)
  Set value (str): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"
  Set value (int): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{1B8CA7BE-1633-4594-8014-F7E3DDBB4033}\WpadDecisionReason = "1"
  Set value (int): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{1B8CA7BE-1633-4594-8014-F7E3DDBB4033}\WpadDecision = "0"
  Set value (str): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{1B8CA7BE-1633-4594-8014-F7E3DDBB4033}\WpadNetworkName = "Network 2"
  Set value (int): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\9e-77-05-40-df-35\WpadDecisionReason = "1"
  Set value (data): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\9e-77-05-40-df-35\WpadDecisionTime = 6007ae0cdd02d901
  Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
  Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings
  Set value (int): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"
  Key created: \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{1B8CA7BE-1633-4594-8014-F7E3DDBB4033}\9e-77-05-40-df-35
  Set value (int): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\9e-77-05-40-df-35\WpadDecision = "0"
  Set value (data): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
  Set value (str): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"
  Set value (int): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"
  Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\
  Key created: \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{1B8CA7BE-1633-4594-8014-F7E3DDBB4033}
  Set value (int): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"
  Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad
  Set value (data): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f003c000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid 2040: aaa11454c7bcb0990f913dcce90fa948b6463514650494fbe0702c0008edda2b.exe (1 entry)
  pid 936: ebxNraYfaQsogLK.exe (3 entries)
  pid 576: Process not Found (remaining 60 entries)
- Suspicious behavior: MapViewOfSection (1 IoC)
  pid 936: ebxNraYfaQsogLK.exe
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Token: SeDebugPrivilege, pid 2040: aaa11454c7bcb0990f913dcce90fa948b6463514650494fbe0702c0008edda2b.exe
  Token: SeDebugPrivilege, pid 936: ebxNraYfaQsogLK.exe
  Token: SeDebugPrivilege, pid 576: Process not Found
- Suspicious use of UnmapMainImage (2 IoCs)
  pid 2040: aaa11454c7bcb0990f913dcce90fa948b6463514650494fbe0702c0008edda2b.exe
  pid 936: ebxNraYfaQsogLK.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  PID 2040 (aaa11454c7bcb0990f913dcce90fa948b6463514650494fbe0702c0008edda2b.exe) wrote to memory of PID 936, procid_target 28 (4 identical entries)
Processes
1. C:\Users\Admin\AppData\Local\Temp\aaa11454c7bcb0990f913dcce90fa948b6463514650494fbe0702c0008edda2b.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\aaa11454c7bcb0990f913dcce90fa948b6463514650494fbe0702c0008edda2b.exe"
   PID: 2040
   - Drops file in Windows directory
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of UnmapMainImage
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\ebxNraYfaQsogLK.exe (child of process 1)
      Command line: C:\Users\Admin\AppData\Local\Temp\aaa11454c7bcb0990f913dcce90fa948b6463514650494fbe0702c0008edda2b.exe
      PID: 936
      - Executes dropped EXE
      - Deletes itself
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of UnmapMainImage
Network
MITRE ATT&CK Matrix
Downloads
- Filesize: 484KB
- MD5: ac6b71abcb71f997af10d48897742e31
- SHA1: a9e33a13e9502e004aaa8d2a2c51845be8d0b91a
- SHA256: aaa11454c7bcb0990f913dcce90fa948b6463514650494fbe0702c0008edda2b
- SHA512: 0617f1e4471e121de6548a3fc4e32d5d44782231d0a9b0b88fa91578a62baaf2e942c7e1e4e50e6ec8d5c20179a2fbdd100fb137e893bbd3d7d366fc4ca7bcd5