Analysis
max time kernel: 152s
max time network: 50s
platform: windows7_x64
resource: win7-20220901-en
resource tags: arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system
submitted: 02-12-2022 22:17
Behavioral task behavioral1
Sample: 433eff0c911631a3435f3eda62ae2ca1af9dba19ec2c82491718d32e75e012bb.exe
Resource: win7-20220901-en
Behavioral task behavioral2
Sample: 433eff0c911631a3435f3eda62ae2ca1af9dba19ec2c82491718d32e75e012bb.exe
Resource: win10v2004-20220901-en
General
Target: 433eff0c911631a3435f3eda62ae2ca1af9dba19ec2c82491718d32e75e012bb.exe
Size: 635KB
MD5: f9bb77131d91d3f78bbe5a3451774c5d
SHA1: 8fc14ed6bdcee4ccc1371cd4a47a74caea3419f5
SHA256: 433eff0c911631a3435f3eda62ae2ca1af9dba19ec2c82491718d32e75e012bb
SHA512: 05d157ed6295e96b42eaff1d74cd2c59d04f8f7b5b4a6aed272e8572212f45325ae42d0b0445ce7cdb0f43f68c34437952e32b463b04a21831a90cda0e0e21aa
SSDEEP: 12288:bpwABK90BOe/x9lPAYvxPQVjdsAY2XjWlnlpTMMXG91uhKIXn/bB:twAcu99lPzvxP+Bsz2XjWTRMQckkIXnl
Malware Config
Signatures
-
Modifies WinLogon for persistence (2 TTPs, 1 IoC)
Processes: 433eff0c911631a3435f3eda62ae2ca1af9dba19ec2c82491718d32e75e012bb.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Drivers\\sys.exe" | 433eff0c911631a3435f3eda62ae2ca1af9dba19ec2c82491718d32e75e012bb.exe
Drops file in Drivers directory (3 IoCs)
Processes: 433eff0c911631a3435f3eda62ae2ca1af9dba19ec2c82491718d32e75e012bb.exe
description | ioc | process
File opened for modification | C:\Windows\SysWOW64\Drivers\sys.exe | 433eff0c911631a3435f3eda62ae2ca1af9dba19ec2c82491718d32e75e012bb.exe
File opened for modification | C:\Windows\SysWOW64\Drivers\ | 433eff0c911631a3435f3eda62ae2ca1af9dba19ec2c82491718d32e75e012bb.exe
File created | C:\Windows\SysWOW64\Drivers\sys.exe | 433eff0c911631a3435f3eda62ae2ca1af9dba19ec2c82491718d32e75e012bb.exe
Checks BIOS information in registry (2 TTPs, 2 IoCs)
BIOS information is often read in order to detect sandboxing environments.
Processes: 433eff0c911631a3435f3eda62ae2ca1af9dba19ec2c82491718d32e75e012bb.exe, explorer.exe
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | 433eff0c911631a3435f3eda62ae2ca1af9dba19ec2c82491718d32e75e012bb.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | explorer.exe
Adds Run key to start application (2 TTPs, 3 IoCs)
Processes: 433eff0c911631a3435f3eda62ae2ca1af9dba19ec2c82491718d32e75e012bb.exe, explorer.exe
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run | 433eff0c911631a3435f3eda62ae2ca1af9dba19ec2c82491718d32e75e012bb.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\sys = "C:\\Windows\\system32\\Drivers\\sys.exe" | 433eff0c911631a3435f3eda62ae2ca1af9dba19ec2c82491718d32e75e012bb.exe
Key created | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run | explorer.exe
Suspicious use of SetThreadContext (1 IoC)
Processes: 433eff0c911631a3435f3eda62ae2ca1af9dba19ec2c82491718d32e75e012bb.exe
description | pid | process | target process
PID 1464 set thread context of 1120 | 1464 | 433eff0c911631a3435f3eda62ae2ca1af9dba19ec2c82491718d32e75e012bb.exe | explorer.exe
Checks processor information in registry (2 TTPs, 8 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes: explorer.exe, 433eff0c911631a3435f3eda62ae2ca1af9dba19ec2c82491718d32e75e012bb.exe
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | explorer.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | explorer.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | explorer.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | explorer.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | 433eff0c911631a3435f3eda62ae2ca1af9dba19ec2c82491718d32e75e012bb.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | 433eff0c911631a3435f3eda62ae2ca1af9dba19ec2c82491718d32e75e012bb.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | 433eff0c911631a3435f3eda62ae2ca1af9dba19ec2c82491718d32e75e012bb.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | 433eff0c911631a3435f3eda62ae2ca1af9dba19ec2c82491718d32e75e012bb.exe
Enumerates system info in registry (2 TTPs, 2 IoCs)
Processes: 433eff0c911631a3435f3eda62ae2ca1af9dba19ec2c82491718d32e75e012bb.exe, explorer.exe
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier | 433eff0c911631a3435f3eda62ae2ca1af9dba19ec2c82491718d32e75e012bb.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier | explorer.exe
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
Processes: explorer.exe
pid | process
1120 | explorer.exe
Suspicious use of AdjustPrivilegeToken (46 IoCs)
Processes: 433eff0c911631a3435f3eda62ae2ca1af9dba19ec2c82491718d32e75e012bb.exe, explorer.exe
description | pid | process
Token privileges adjusted by pid 1464 (433eff0c911631a3435f3eda62ae2ca1af9dba19ec2c82491718d32e75e012bb.exe), 23 entries:
SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35
Token privileges adjusted by pid 1120 (explorer.exe), 23 entries:
SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35
Suspicious use of WriteProcessMemory (6 IoCs)
Processes: 433eff0c911631a3435f3eda62ae2ca1af9dba19ec2c82491718d32e75e012bb.exe
description | pid | process | target process
PID 1464 wrote to memory of 1120 | 1464 | 433eff0c911631a3435f3eda62ae2ca1af9dba19ec2c82491718d32e75e012bb.exe | explorer.exe
(the same entry is recorded 6 times)
Processes
1. C:\Users\Admin\AppData\Local\Temp\433eff0c911631a3435f3eda62ae2ca1af9dba19ec2c82491718d32e75e012bb.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\433eff0c911631a3435f3eda62ae2ca1af9dba19ec2c82491718d32e75e012bb.exe"
   - Modifies WinLogon for persistence
   - Drops file in Drivers directory
   - Checks BIOS information in registry
   - Adds Run key to start application
   - Suspicious use of SetThreadContext
   - Checks processor information in registry
   - Enumerates system info in registry
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\explorer.exe (child process, depth 2)
      Command line: "C:\Windows\SysWOW64\explorer.exe"
      - Checks BIOS information in registry
      - Adds Run key to start application
      - Checks processor information in registry
      - Enumerates system info in registry
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/1120-55-0x0000000000400000-0x00000000004B0000-memory.dmp (Filesize 704KB)
- memory/1120-58-0x000000000048E85C-mapping.dmp
- memory/1120-57-0x0000000000400000-0x00000000004B0000-memory.dmp (Filesize 704KB)
- memory/1120-59-0x0000000000400000-0x00000000004B0000-memory.dmp (Filesize 704KB)
- memory/1120-61-0x0000000000400000-0x00000000004B0000-memory.dmp (Filesize 704KB)
- memory/1120-62-0x0000000000400000-0x00000000004B0000-memory.dmp (Filesize 704KB)
- memory/1120-63-0x0000000000400000-0x00000000004B0000-memory.dmp (Filesize 704KB)
- memory/1464-54-0x00000000758B1000-0x00000000758B3000-memory.dmp (Filesize 8KB)