Analysis
- max time kernel: 30s
- max time network: 56s
- platform: windows7_x64
- resource: win7-20220812-en
- resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
- submitted: 28-11-2022 11:39
Behavioral task: behavioral1
- Sample: 1977efd0e8fffb1079e0cf05eb8adb9f7801f874c276945a692e073f03ae0de3.exe
- Resource: win7-20220812-en
General
- Target: 1977efd0e8fffb1079e0cf05eb8adb9f7801f874c276945a692e073f03ae0de3.exe
- Size: 1.6MB
- MD5: 1a4d79fe50eb94248440018bec1bf719
- SHA1: 3232c37fd23cfb74138a2bed42c38e80431b23a8
- SHA256: 1977efd0e8fffb1079e0cf05eb8adb9f7801f874c276945a692e073f03ae0de3
- SHA512: 2018310ee887ed096e77a751c5f472f51614cc37a7c2324c4adfdbef3c0c34bc3335d64d34d09caf70f47b8b5f9b9eb44abf8a191348aa684cae2621e33686d1
- SSDEEP: 49152:Yilb849Reaeu/yiSoTwT/cHb5fuevO8OnrFACfGvBO:Yilb84+ujSoTwTUt05fGvo
Malware Config
Signatures
- Processes (process | description | ioc):
  reg.exe | Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
- Identifies Wine through registry keys (2 TTPs, 1 IoCs)
  Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
  Processes (process | description | ioc):
  1977efd0e8fffb1079e0cf05eb8adb9f7801f874c276945a692e073f03ae0de3.exe | Key opened | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Wine
- Processes (resource | yara_rule):
  behavioral1/memory/1964-54-0x0000000000400000-0x00000000006FF000-memory.dmp | themida
  behavioral1/memory/1964-55-0x0000000000400000-0x00000000006FF000-memory.dmp | themida
  behavioral1/memory/1964-56-0x0000000000400000-0x00000000006FF000-memory.dmp | themida
  behavioral1/memory/1964-57-0x0000000000400000-0x00000000006FF000-memory.dmp | themida
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes (process | description | ioc):
  1977efd0e8fffb1079e0cf05eb8adb9f7801f874c276945a692e073f03ae0de3.exe | Set value (str) | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\dkjeakshkjjs = "C:\\WINDOWS\\dkjeakshkjjs.exe"
  1977efd0e8fffb1079e0cf05eb8adb9f7801f874c276945a692e073f03ae0de3.exe | Key created | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run
- Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoCs)
  Processes (pid | process):
  1964 | 1977efd0e8fffb1079e0cf05eb8adb9f7801f874c276945a692e073f03ae0de3.exe
- Drops file in Windows directory (2 IoCs)
  Processes (process | description | ioc):
  1977efd0e8fffb1079e0cf05eb8adb9f7801f874c276945a692e073f03ae0de3.exe | File created | C:\WINDOWS\dkjeakshkjjs.exe
  1977efd0e8fffb1079e0cf05eb8adb9f7801f874c276945a692e073f03ae0de3.exe | File opened for modification | C:\WINDOWS\dkjeakshkjjs.exe
- Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes (process | description | ioc):
  1977efd0e8fffb1079e0cf05eb8adb9f7801f874c276945a692e073f03ae0de3.exe | Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
  1977efd0e8fffb1079e0cf05eb8adb9f7801f874c276945a692e073f03ae0de3.exe | Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString
- Modifies registry key (1 TTPs, 1 IoCs)
- Suspicious behavior: EnumeratesProcesses (1 IoCs)
  Processes (pid | process):
  1964 | 1977efd0e8fffb1079e0cf05eb8adb9f7801f874c276945a692e073f03ae0de3.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes (description | pid | process | target process):
  PID 1964 wrote to memory of 1652 | 1964 | 1977efd0e8fffb1079e0cf05eb8adb9f7801f874c276945a692e073f03ae0de3.exe | CMD.EXE (recorded 4 times)
  PID 1652 wrote to memory of 1112 | 1652 | CMD.EXE | reg.exe (recorded 4 times)
Processes
- C:\Users\Admin\AppData\Local\Temp\1977efd0e8fffb1079e0cf05eb8adb9f7801f874c276945a692e073f03ae0de3.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\1977efd0e8fffb1079e0cf05eb8adb9f7801f874c276945a692e073f03ae0de3.exe"
  Signatures:
  - Identifies Wine through registry keys
  - Adds Run key to start application
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Windows directory
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  Child process:
  - C:\Windows\SysWOW64\CMD.EXE (depth 2)
    Command line: CMD.EXE /c REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
    Signatures:
    - Suspicious use of WriteProcessMemory
    Child process:
    - C:\Windows\SysWOW64\reg.exe (depth 3)
      Command line: REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
      Signatures:
      - UAC bypass
      - Modifies registry key
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/1112-59-0x0000000000000000-mapping.dmp
- memory/1652-58-0x0000000000000000-mapping.dmp
- memory/1964-54-0x0000000000400000-0x00000000006FF000-memory.dmp (Filesize: 3.0MB)
- memory/1964-55-0x0000000000400000-0x00000000006FF000-memory.dmp (Filesize: 3.0MB)
- memory/1964-56-0x0000000000400000-0x00000000006FF000-memory.dmp (Filesize: 3.0MB)
- memory/1964-57-0x0000000000400000-0x00000000006FF000-memory.dmp (Filesize: 3.0MB)