Analysis
- max time kernel: 154s
- max time network: 179s
- platform: windows7_x64
- resource: win7-20220812-en
- resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
- submitted: 29-11-2022 07:32

Static task: static1

Behavioral task: behavioral1
- Sample: 779321e4ebfec1a97a36607cbe9a8b0c3bf5ca71ee27a107482408073bd9addd.exe
- Resource: win7-20220812-en

Behavioral task: behavioral2
- Sample: 779321e4ebfec1a97a36607cbe9a8b0c3bf5ca71ee27a107482408073bd9addd.exe
- Resource: win10v2004-20221111-en

General
- Target: 779321e4ebfec1a97a36607cbe9a8b0c3bf5ca71ee27a107482408073bd9addd.exe
- Size: 98KB
- MD5: 4a1e23f92714a0a3b49d57483108a2c0
- SHA1: d89e49d30cf60cd4c70a1f508df55b74fe044ded
- SHA256: 779321e4ebfec1a97a36607cbe9a8b0c3bf5ca71ee27a107482408073bd9addd
- SHA512: 23190b5a5ef75a2be104d8ade8edb001ce16558264dade0d12c865d8efdbc306d29b59d00869297480fa79126c96d6e3b7e4728c74fde7c3ada1fef43549469d
- SSDEEP: 1536:NRE+mYnqTva2Un6JQmbDv3cE8iYJoO2/UoCFOOAT+HVhQQ:5mYCa2YgccYthbONT+3
Malware Config

Signatures
- Modifies WinLogon for persistence (2 TTPs, 1 IoC)
  Set value (str) by svchost.exe:
  \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Roaming\\data.dat"
- Suspicious use of NtSetInformationThreadHideFromDebugger (2 IoCs)
  PID 1912 779321e4ebfec1a97a36607cbe9a8b0c3bf5ca71ee27a107482408073bd9addd.exe
  PID 1368 svchost.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  PID 1368 svchost.exe (64 events)
- Suspicious behavior: MapViewOfSection (2 IoCs)
  PID 1912 779321e4ebfec1a97a36607cbe9a8b0c3bf5ca71ee27a107482408073bd9addd.exe (2 events)
- Suspicious use of SetWindowsHookEx (2 IoCs)
  PID 1368 svchost.exe (2 events)
- Suspicious use of WriteProcessMemory (4 IoCs)
  PID 1368 svchost.exe wrote to memory of PID 964 (procid_target 29), 4 events
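The persistence IoC above is a Winlogon Shell value written under \REGISTRY\USER\<SID>-1000, i.e. HKEY_USERS\<SID>, the logged-on user's HKCU hive. Winlogon treats Shell as a comma-separated list of programs to start at logon, so "explorer.exe,C:\Users\Admin\AppData\Roaming\data.dat" keeps the desktop working while also launching the dropped file every time the user logs on. The following PowerShell audit is an added example, not part of the sandbox report or the sample: it enumerates the Winlogon keys under HKLM (native and WOW6432Node) and under every loaded user hive, splits each Shell value the way Winlogon does, and reports any entry other than the bare default explorer.exe together with whether the referenced file exists and its SHA256. The function names and the output fields are the example's own choices; the registry paths and the default value explorer.exe are the documented Windows ones.

```powershell
# Added example (not from the report or the sample): audit Winlogon "Shell"
# values on a live host and flag any program other than the default explorer.exe.

function Test-WinlogonShellValue {
    param([string]$Key, [string]$Value)
    # Winlogon starts every comma-separated entry in Shell at logon.
    $entries = $Value -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ }
    foreach ($entry in $entries) {
        # The bare default shell is expected; anything else is a finding.
        if ($entry -ieq 'explorer.exe') { continue }
        # Strip surrounding quotes and trailing arguments to get the executable path.
        $exe = if ($entry -match '^"([^"]+)"') { $Matches[1] } else { ($entry -split '\s+')[0] }
        $isFile = Test-Path -LiteralPath $exe -PathType Leaf
        [pscustomobject]@{
            Key    = $Key
            Entry  = $entry
            Exists = $isFile
            SHA256 = if ($isFile) { (Get-FileHash -LiteralPath $exe -Algorithm SHA256).Hash } else { $null }
            Reason = 'Winlogon Shell launches a non-default program at logon'
        }
    }
}

function Get-WinlogonShellFindings {
    param(
        [string[]]$Paths = @(
            'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon',
            'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon'
        )
    )
    # Add the Winlogon key of every loaded user hive (HKEY_USERS\<SID>), which is
    # where the report's IoC (\REGISTRY\USER\S-1-5-21-...-1000\...\Winlogon\shell) lives.
    $userKeys = Get-ChildItem 'Registry::HKEY_USERS' -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -match '^S-1-5-21-\d+-\d+-\d+-\d+$' } |
        ForEach-Object { "Registry::HKEY_USERS\$($_.PSChildName)\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" }
    foreach ($key in ($Paths + $userKeys)) {
        if (-not (Test-Path $key)) { continue }
        $shell = (Get-ItemProperty -Path $key -Name Shell -ErrorAction SilentlyContinue).Shell
        # Shell is normally absent under user hives and "explorer.exe" under HKLM.
        if (-not $shell) { continue }
        Test-WinlogonShellValue -Key $key -Value $shell
    }
}

# Live audit:
Get-WinlogonShellFindings | Format-List

# Offline check of the value captured in the report (constructed input, no registry access):
Test-WinlogonShellValue -Key 'HKU\S-1-5-21-3845472200-3839195424-595303356-1000\...\Winlogon' `
                        -Value 'explorer.exe,C:\Users\Admin\AppData\Roaming\data.dat' | Format-List
```

Run it from an elevated session so that HKLM and all loaded user hives are readable; hives of users who are not logged on are not mounted under HKEY_USERS and have to be loaded with reg.exe load first. The default value under HKLM is exactly explorer.exe, so the check is an allow-list rather than a blocklist: a single extra entry, even one whose file no longer exists (Exists = False is itself worth recording during incident response), is reported.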
Processes
- C:\Users\Admin\AppData\Local\Temp\779321e4ebfec1a97a36607cbe9a8b0c3bf5ca71ee27a107482408073bd9addd.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\779321e4ebfec1a97a36607cbe9a8b0c3bf5ca71ee27a107482408073bd9addd.exe"
  PID: 1912
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: MapViewOfSection
- C:\Windows\syswow64\svchost.exe
  command line: "C:\Windows\syswow64\svchost.exe"
  PID: 1368
  - Modifies WinLogon for persistence
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - child: C:\Windows\SysWOW64\ctfmon.exe
    command line: ctfmon.exe
    PID: 964