Analysis
- max time kernel: 168s
- max time network: 189s
- platform: windows10-2004_x64
- resource: win10v2004-20221111-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 29-11-2022 08:49
Behavioral task
behavioral1
Sample
246f8731c4021c3c9bb7cdc53f72ae98a9fa01cc38e6bddaf0db08eb2c22376b.exe
Resource
win7-20220812-en
General
- Target: 246f8731c4021c3c9bb7cdc53f72ae98a9fa01cc38e6bddaf0db08eb2c22376b.exe
- Size: 49KB
- MD5: 437161136f557dd8aa12ae9a02492630
- SHA1: 7f943b0d89b6f7ca2eabf48a59210608857f8361
- SHA256: 246f8731c4021c3c9bb7cdc53f72ae98a9fa01cc38e6bddaf0db08eb2c22376b
- SHA512: 95bdf701b33b8993d1bfcdd75ec8da45e607f89fddc0105f5af730cf21ceb4d3589819bef734262594da319a8a2a8c930b16626d8e5ed354eb12cbc755cef42e
- SSDEEP: 1536:91QPAzA0bWaBr6Dyc+dv+MdeqvswW7WurRd3:91QPYbD6D52mFqvsn7Vd3
Malware Config
Signatures
- YARA rule matches (upx)
Processes:
resource | yara_rule
behavioral2/memory/4632-132-0x0000000000400000-0x0000000000416000-memory.dmp | upx
behavioral2/memory/4632-133-0x0000000000400000-0x0000000000416000-memory.dmp | upx
behavioral2/memory/4632-136-0x0000000000400000-0x0000000000416000-memory.dmp | upx
- YARA rule matches (vmprotect)
Processes:
resource | yara_rule
C:\Windows\SysWOW64\bnsspx.dll | vmprotect
- Loads dropped DLL (1 IoC)
Processes:
pid | process
4632 | 246f8731c4021c3c9bb7cdc53f72ae98a9fa01cc38e6bddaf0db08eb2c22376b.exe
- Drops file in System32 directory (2 IoCs)
Processes:
description | ioc | process
File created | C:\Windows\SysWOW64\bnsspx.dll | 246f8731c4021c3c9bb7cdc53f72ae98a9fa01cc38e6bddaf0db08eb2c22376b.exe
File opened for modification | C:\Windows\SysWOW64\zmdll.lst | 246f8731c4021c3c9bb7cdc53f72ae98a9fa01cc38e6bddaf0db08eb2c22376b.exe
- Suspicious behavior: EnumeratesProcesses (12 IoCs)
Processes:
pid | process
4632 | 246f8731c4021c3c9bb7cdc53f72ae98a9fa01cc38e6bddaf0db08eb2c22376b.exe (12 occurrences)
- Suspicious behavior: LoadsDriver (2 IoCs)
Processes:
pid | process
4632 | 246f8731c4021c3c9bb7cdc53f72ae98a9fa01cc38e6bddaf0db08eb2c22376b.exe
648 | (process name not recorded in the report)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes:
description | pid | process
Token: SeLoadDriverPrivilege | 4632 | 246f8731c4021c3c9bb7cdc53f72ae98a9fa01cc38e6bddaf0db08eb2c22376b.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
Processes:
description | pid | process | target process
PID 4632 wrote to memory of 3748 | 4632 | 246f8731c4021c3c9bb7cdc53f72ae98a9fa01cc38e6bddaf0db08eb2c22376b.exe | cmd.exe (3 occurrences)
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\246f8731c4021c3c9bb7cdc53f72ae98a9fa01cc38e6bddaf0db08eb2c22376b.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\246f8731c4021c3c9bb7cdc53f72ae98a9fa01cc38e6bddaf0db08eb2c22376b.exe"
  Signatures:
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: LoadsDriver
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - [2] C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c c:\uisad.bat
Network
MITRE ATT&CK Matrix
Downloads
- C:\Windows\SysWOW64\bnsspx.dll
  Filesize: 52KB
  MD5: b1c65f5eee9c0ac609e79a3b7fb92bf1
  SHA1: a87a15f7ef332e87e34aeef19c62499957c2dceb
  SHA256: 1d9d140865cddc93e7e021d6f185812eff1f1f19f76e6a0d90030511ff8d4037
  SHA512: 9fb52f6b5dfc3eeff9b74d818ade74b7a4f2bb8694e89ead48c42e1994474a7b185379712424711c36a53c5fa9482a4a568fc23086f9279c5a872ac09c802d1c
- \??\c:\uisad.bat
  Filesize: 249B
  MD5: 9cbe296331a52c92fccd3b985403c2f7
  SHA1: e7bd82f72516bb899e1afe9440443580445f5294
  SHA256: b89ff2ebcc13edb467b0247f8d7e938d8b07bf0c9cdcb21dc1d053626a18fb04
  SHA512: c103d76d2bfa986aabac5f8a925d5dd6bc9fbe062659e45353fec4e00780ccea0d5dacdd3b79a5252a72885ec57652bf150b34e1c4f751343d2a676bdf8778c4
- memory/3748-135-0x0000000000000000-mapping.dmp
- memory/4632-132-0x0000000000400000-0x0000000000416000-memory.dmp
  Filesize: 88KB
- memory/4632-133-0x0000000000400000-0x0000000000416000-memory.dmp
  Filesize: 88KB
- memory/4632-136-0x0000000000400000-0x0000000000416000-memory.dmp
  Filesize: 88KB