Analysis
- max time kernel: 185s
- max time network: 189s
- platform: windows10-2004_x64
- resource: win10v2004-20221111-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 30-11-2022 09:26
Behavioral task: behavioral1
- Sample: 69ff4448c410b7b3a031523d09f293022704c4fa.exe
- Resource: win7-20220812-en
- Platform: windows7-x64
- 7 signatures
- 150 seconds
General
- Target: 69ff4448c410b7b3a031523d09f293022704c4fa.exe
- Size: 202KB
- MD5: cca3860ea40af049fdad04421188dddb
- SHA1: 69ff4448c410b7b3a031523d09f293022704c4fa
- SHA256: 3569a28adba76952d8283b35bc00518fab4c261a0d8d68edd523dd157d2df881
- SHA512: 0c107b642c1a5beabe09d1c72b8978fc5b47160556b19ce53663516856c518b3f095d418828a70c3b576bbaa66f42fff7988c568ed5ca4c4b833cef63a080370
- SSDEEP: 6144:QLV6Bta6dtJmakIM5HgCpVBVl30m8A2CSFixQfO:QLV6BtpmkWgqv3ftEFnfO
Malware Config
Signatures
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes:
    process: 69ff4448c410b7b3a031523d09f293022704c4fa.exe
    description: Set value (str)
    ioc: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DSL Manager = "C:\\Program Files (x86)\\DSL Manager\\dslmgr.exe"
- Checks whether UAC is enabled
  Processes:
    process: 69ff4448c410b7b3a031523d09f293022704c4fa.exe
    description: Key value queried
    ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
- Drops file in Program Files directory (2 IoCs)
  Processes:
    process: 69ff4448c410b7b3a031523d09f293022704c4fa.exe
    description: File created
    ioc: C:\Program Files (x86)\DSL Manager\dslmgr.exe
    description: File opened for modification
    ioc: C:\Program Files (x86)\DSL Manager\dslmgr.exe
- Suspicious behavior: EnumeratesProcesses (3 IoCs)
  Processes:
    pid 4488, process 69ff4448c410b7b3a031523d09f293022704c4fa.exe
    pid 4488, process 69ff4448c410b7b3a031523d09f293022704c4fa.exe
    pid 4488, process 69ff4448c410b7b3a031523d09f293022704c4fa.exe
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  Processes:
    pid 4488, process 69ff4448c410b7b3a031523d09f293022704c4fa.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
    description: Token: SeDebugPrivilege
    pid 4488, process 69ff4448c410b7b3a031523d09f293022704c4fa.exe
Processes
1. C:\Users\Admin\AppData\Local\Temp\69ff4448c410b7b3a031523d09f293022704c4fa.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\69ff4448c410b7b3a031523d09f293022704c4fa.exe"
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken