Analysis
- max time kernel: 153s
- max time network: 193s
- platform: windows7_x64
- resource: win7-20221111-en
- resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
- submitted: 01/12/2022, 23:57

Static task: static1

Behavioral task: behavioral1
- Sample: 4935dbb127d3a2bd15b45b6680e21f156d5227d60b9fa87dbc36ccce053529a6.exe
- Resource: win7-20221111-en
- 6 signatures
- 150 seconds

Behavioral task: behavioral2
- Sample: 4935dbb127d3a2bd15b45b6680e21f156d5227d60b9fa87dbc36ccce053529a6.exe
- Resource: win10v2004-20220901-en
- 2 signatures
- 150 seconds
General
- Target: 4935dbb127d3a2bd15b45b6680e21f156d5227d60b9fa87dbc36ccce053529a6.exe
- Size: 58KB
- MD5: fb0b9ce22fb5f20dda1297d67a5439cf
- SHA1: 9eaa4a4f427e52ad2a9716abfae1b21d31e5dc3c
- SHA256: 4935dbb127d3a2bd15b45b6680e21f156d5227d60b9fa87dbc36ccce053529a6
- SHA512: 8483f4ae2ddcf2b04e0b1334034039b54d958b9ef93499cf76b64ada8f60abb072f3d4c4e573b63579abc51f6478e859966dc1c6484586a2e396dccfb004b461
- SSDEEP: 1536:ui4BAVsJpVOSEYPPwYYLUis5um5D9/5IcnJ5MiL:uiU+YNh1uPWuo1J9
- Score: 10/10
Malware Config
Signatures
- Modifies WinLogon for persistence (2 TTPs, 1 IoC)
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Roaming\\cache.dat"
  Process: svchost.exe
- Suspicious use of NtSetInformationThreadHideFromDebugger (2 IoCs)
  pid 2004, Process 4935dbb127d3a2bd15b45b6680e21f156d5227d60b9fa87dbc36ccce053529a6.exe
  pid 768, Process svchost.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid 768, Process svchost.exe (64 occurrences)
- Suspicious behavior: MapViewOfSection (2 IoCs)
  pid 2004, Process 4935dbb127d3a2bd15b45b6680e21f156d5227d60b9fa87dbc36ccce053529a6.exe (2 occurrences)
- Suspicious use of SetWindowsHookEx (2 IoCs)
  pid 768, Process svchost.exe (2 occurrences)
- Suspicious use of WriteProcessMemory (4 IoCs)
  description: PID 768 wrote to memory of 1508; pid 768, Process svchost.exe, procid_target 29 (4 occurrences)
Processes
- C:\Users\Admin\AppData\Local\Temp\4935dbb127d3a2bd15b45b6680e21f156d5227d60b9fa87dbc36ccce053529a6.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\4935dbb127d3a2bd15b45b6680e21f156d5227d60b9fa87dbc36ccce053529a6.exe"
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: MapViewOfSection
  PID: 2004
- C:\Windows\syswow64\svchost.exe
  command line: "C:\Windows\syswow64\svchost.exe"
  - Modifies WinLogon for persistence
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID: 768
  - C:\Windows\SysWOW64\ctfmon.exe
    command line: ctfmon.exe
    PID: 1508