Analysis
- max time kernel: 151s
- max time network: 171s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 29-11-2022 07:05
Behavioral task
- behavioral1
- Sample: 804c907fc99134e018d6fcb4371b65826633c0184f8976fe4a24d19803203d78.exe
- Resource: win7-20220812-en
- windows7-x64
- 5 signatures
- 150 seconds
General
- Target: 804c907fc99134e018d6fcb4371b65826633c0184f8976fe4a24d19803203d78.exe
- Size: 400KB
- MD5: ea48a9ca64f7418365b9604aa7a97aeb
- SHA1: 795340a02494d3ff0406e5139fa4027189912676
- SHA256: 804c907fc99134e018d6fcb4371b65826633c0184f8976fe4a24d19803203d78
- SHA512: e04b7eb4e10bdf4f8babbae1439f6a78e6e8721bb7c47301eafe1a5e410abdf8bf604aa89db53409eba2a76bacd6f636a77169e15f4b73106eadaa3cee00f7ac
- SSDEEP: 6144:HJqr5L3BT9qj8tfRlIgVVu+z1J+x3DdHO2kju9m8nlm96+igw:HJ03BBFdXrj53+ZRHOvjumclnxB
Malware Config
Signatures

- Drops file in Drivers directory (64 IoCs)
  Processes: 804c907fc99134e018d6fcb4371b65826633c0184f8976fe4a24d19803203d78.exe
  For all 64 entries: description = File opened for modification; process = 804c907fc99134e018d6fcb4371b65826633c0184f8976fe4a24d19803203d78.exe
  ioc:
  - C:\Windows\System32\drivers\ndfltr.sys
  - C:\Windows\System32\drivers\SDFRd.sys
  - C:\Windows\system32\drivers\SerCx.sys
  - C:\Windows\system32\drivers\Acx01000.sys
  - C:\Windows\System32\drivers\sbp2port.sys
  - C:\Windows\system32\drivers\dam.sys
  - C:\Windows\System32\drivers\lsi_sas3i.sys
  - C:\Windows\System32\drivers\rassstp.sys
  - C:\Windows\System32\drivers\stornvme.sys
  - C:\Windows\System32\drivers\winmad.sys
  - C:\Windows\system32\drivers\applockerfltr.sys
  - C:\Windows\system32\drivers\hvservice.sys
  - C:\Windows\System32\drivers\sisraid4.sys
  - C:\Windows\System32\drivers\usbohci.sys
  - C:\Windows\System32\drivers\BTHUSB.sys
  - C:\Windows\System32\drivers\EhStorTcgDrv.sys
  - C:\Windows\System32\drivers\tpm.sys
  - C:\Windows\System32\drivers\WpdUpFltr.sys
  - C:\Windows\System32\DRIVERS\ndistapi.sys
  - C:\Windows\System32\Drivers\UcmTcpciCx.sys
  - C:\Windows\System32\drivers\Microsoft.Bluetooth.Legacy.LEEnumerator.sys
  - C:\Windows\system32\drivers\winnat.sys
  - C:\Windows\System32\drivers\amdppm.sys
  - C:\Windows\System32\drivers\ipnat.sys
  - C:\Windows\System32\drivers\buttonconverter.sys
  - C:\Windows\System32\drivers\cht4sx64.sys
  - C:\Windows\System32\drivers\CmBatt.sys
  - C:\Windows\System32\drivers\IndirectKmd.sys
  - C:\Windows\system32\drivers\MbbCx.sys
  - C:\Windows\System32\drivers\MSPQM.sys
  - C:\Windows\system32\drivers\udecx.sys
  - C:\Windows\system32\DRIVERS\ramdisk.sys
  - C:\Windows\system32\drivers\ucx01000.sys
  - C:\Windows\System32\drivers\3ware.sys
  - C:\Windows\System32\drivers\intelide.sys
  - C:\Windows\System32\drivers\nvdimm.sys
  - C:\Windows\System32\drivers\rdpdr.sys
  - C:\Windows\System32\drivers\UsbHub3.sys
  - C:\Windows\system32\drivers\WudfPf.sys
  - C:\Windows\System32\drivers\BTHMINI.sys
  - C:\Windows\System32\drivers\umpass.sys
  - C:\Windows\system32\drivers\usbaudio.sys
  - C:\Windows\System32\drivers\usbccgp.sys
  - C:\Windows\System32\drivers\AgileVpn.sys
  - C:\Windows\System32\DRIVERS\rasacd.sys
  - C:\Windows\System32\drivers\WUDFRd.sys
  - C:\Windows\System32\drivers\ADP80XX.SYS
  - C:\Windows\System32\drivers\mshidumdf.sys
  - C:\Windows\System32\Drivers\MsRPC.sys
  - C:\Windows\System32\drivers\tunnel.sys
  - C:\Windows\System32\drivers\atapi.sys
  - C:\Windows\System32\drivers\portcfg.sys
  - C:\Windows\system32\drivers\appid.sys
  - C:\Windows\System32\drivers\iaStorV.sys
  - C:\Windows\System32\drivers\NdisImPlatform.sys
  - C:\Windows\System32\drivers\storufs.sys
  - C:\Windows\System32\drivers\terminpt.sys
  - C:\Windows\System32\drivers\wacompen.sys
  - C:\Windows\System32\drivers\acpitime.sys
  - C:\Windows\System32\Drivers\Beep.sys
  - C:\Windows\System32\drivers\BthA2dp.sys
  - C:\Windows\System32\drivers\ItSas35i.sys
  - C:\Windows\system32\drivers\PktMon.sys
  - C:\Windows\System32\drivers\vmstorfl.sys

- Processes:
  resource | yara_rule
  - behavioral2/memory/1612-132-0x0000000000400000-0x00000000004AA000-memory.dmp | vmprotect
  - behavioral2/memory/1612-134-0x0000000000400000-0x00000000004AA000-memory.dmp | vmprotect
  - behavioral2/memory/1612-135-0x0000000000400000-0x00000000004AA000-memory.dmp | vmprotect

- Checks whether UAC is enabled
  Processes: 804c907fc99134e018d6fcb4371b65826633c0184f8976fe4a24d19803203d78.exe
  description | ioc | process
  - Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | 804c907fc99134e018d6fcb4371b65826633c0184f8976fe4a24d19803203d78.exe

- Drops file in System32 directory (6 IoCs)
  Processes: 804c907fc99134e018d6fcb4371b65826633c0184f8976fe4a24d19803203d78.exe
  For all 6 entries: description = File opened for modification; process = 804c907fc99134e018d6fcb4371b65826633c0184f8976fe4a24d19803203d78.exe
  ioc:
  - C:\Windows\System32\DriverStore\FileRepository\genericusbfn.inf_amd64_53931f0ae21d6d2c\genericusbfn.sys
  - C:\Windows\System32\DriverStore\FileRepository\uefi.inf_amd64_c1628ffa62c8e54c\UEFI.sys
  - C:\Windows\System32\DriverStore\FileRepository\ufxchipidea.inf_amd64_1c78775fffab6a0a\UfxChipidea.sys
  - C:\Windows\System32\DriverStore\FileRepository\urschipidea.inf_amd64_78ad1c14e33df968\urschipidea.sys
  - C:\Windows\System32\DriverStore\FileRepository\urssynopsys.inf_amd64_057fa37902020500\urssynopsys.sys
  - C:\Windows\System32\DriverStore\FileRepository\vrd.inf_amd64_81fbd405ff2470fc\vrd.sys

- Suspicious use of SetWindowsHookEx (2 IoCs)
  Processes: 804c907fc99134e018d6fcb4371b65826633c0184f8976fe4a24d19803203d78.exe
  pid | process
  - 1612 | 804c907fc99134e018d6fcb4371b65826633c0184f8976fe4a24d19803203d78.exe
  - 1612 | 804c907fc99134e018d6fcb4371b65826633c0184f8976fe4a24d19803203d78.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\804c907fc99134e018d6fcb4371b65826633c0184f8976fe4a24d19803203d78.exe
  "C:\Users\Admin\AppData\Local\Temp\804c907fc99134e018d6fcb4371b65826633c0184f8976fe4a24d19803203d78.exe"
  - Drops file in Drivers directory
  - Checks whether UAC is enabled
  - Drops file in System32 directory
  - Suspicious use of SetWindowsHookEx