Analysis
max time kernel: 150s
max time network: 171s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 04-12-2022 05:51
Static task: static1

Behavioral task: behavioral1
Sample: 81955b2523c1e54755b3f2d71f379d591daf7bae462f22758c15d5880532c99c.exe
Resource: win7-20220812-en (windows7-x64)
10 signatures, 150 seconds

Behavioral task: behavioral2
Sample: 81955b2523c1e54755b3f2d71f379d591daf7bae462f22758c15d5880532c99c.exe
Resource: win10v2004-20220812-en (windows10-2004-x64)
10 signatures, 150 seconds
General
Target: 81955b2523c1e54755b3f2d71f379d591daf7bae462f22758c15d5880532c99c.exe
Size: 150KB
MD5: db1515716c35b284c4a3d3dcd8824e9f
SHA1: 606663f351e0561924d5bef0615dc61019551daf
SHA256: 81955b2523c1e54755b3f2d71f379d591daf7bae462f22758c15d5880532c99c
SHA512: dcb6794515a1e27b32f2a40a3462c25edba4d49add9cf68afaa02bf221e971993cca90de7ee385db768e8465c4ff845337a454eb6da5916dcc011253c56be2cd
SSDEEP: 3072:wWP56lQojsw6AtswaMTHSsoC5oKb20yuy5vfoVR:dzxe/ZkwGvwVR
Score: 8/10
Malware Config
Signatures

Adds policy Run key to start application (2 TTPs, 4 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\dllhost = "C:\\Windows\\system32\\dmw\\dllhost.exe" | explorer.exe
Key created | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | explorer.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\dllhost = "C:\\Windows\\system32\\dmw\\dllhost.exe" | explorer.exe

Modifies Installed Components in the registry (2 TTPs, 2 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Q0P4U32S-07MY-85R3-63YF-N010418014LO} | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Q0P4U32S-07MY-85R3-63YF-N010418014LO}\StubPath = "C:\\Windows\\system32\\dmw\\dllhost.exe Restart" | explorer.exe

resource | yara_rule
behavioral1/memory/1640-56-0x0000000000400000-0x0000000000423000-memory.dmp | upx
behavioral1/memory/1640-58-0x0000000000400000-0x0000000000423000-memory.dmp | upx
behavioral1/memory/1640-59-0x0000000000400000-0x0000000000423000-memory.dmp | upx
behavioral1/memory/1640-62-0x0000000000400000-0x0000000000423000-memory.dmp | upx
behavioral1/memory/1640-65-0x0000000000400000-0x0000000000423000-memory.dmp | upx
behavioral1/memory/1640-66-0x0000000000400000-0x0000000000423000-memory.dmp | upx
behavioral1/memory/1640-68-0x0000000010410000-0x0000000010446000-memory.dmp | upx
behavioral1/memory/1640-73-0x0000000000400000-0x0000000000423000-memory.dmp | upx
behavioral1/memory/1640-76-0x0000000000400000-0x0000000000423000-memory.dmp | upx
behavioral1/memory/1640-79-0x0000000010450000-0x0000000010486000-memory.dmp | upx
behavioral1/memory/1640-85-0x0000000000400000-0x0000000000423000-memory.dmp | upx
behavioral1/memory/1984-84-0x0000000010450000-0x0000000010486000-memory.dmp | upx
behavioral1/memory/1984-86-0x0000000010450000-0x0000000010486000-memory.dmp | upx
behavioral1/memory/1984-87-0x0000000010450000-0x0000000010486000-memory.dmp | upx

Adds Run key to start application (2 TTPs, 4 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\dllhost = "C:\\Windows\\system32\\dmw\\dllhost.exe" | explorer.exe
Key created | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run | explorer.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\dllhost = "C:\\Windows\\system32\\dmw\\dllhost.exe" | explorer.exe

Drops file in System32 directory (6 IoCs)
description | ioc | Process
File created | C:\Windows\SysWOW64\dmw\dllhost.exe | explorer.exe
File opened for modification | C:\Windows\SysWOW64\dmw\dllhost.exe | explorer.exe
File opened for modification | C:\Windows\SysWOW64\dmw\plugin.dat | explorer.exe
File opened for modification | C:\Windows\SysWOW64\dmw\ | explorer.exe
File created | C:\Windows\SysWOW64\dmw\logs.dat | explorer.exe
File opened for modification | C:\Windows\SysWOW64\dmw\logs.dat | explorer.exe

Suspicious use of SetThreadContext (1 IoC)
description | pid | Process | procid_target
PID 1376 set thread context of 1640 | 1376 | 81955b2523c1e54755b3f2d71f379d591daf7bae462f22758c15d5880532c99c.exe | 28

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
pid | Process
1984 | explorer.exe

Suspicious use of AdjustPrivilegeToken (6 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 1640 | 81955b2523c1e54755b3f2d71f379d591daf7bae462f22758c15d5880532c99c.exe
Token: SeDebugPrivilege | 1640 | 81955b2523c1e54755b3f2d71f379d591daf7bae462f22758c15d5880532c99c.exe
Token: SeRestorePrivilege | 1640 | 81955b2523c1e54755b3f2d71f379d591daf7bae462f22758c15d5880532c99c.exe
Token: SeBackupPrivilege | 1640 | 81955b2523c1e54755b3f2d71f379d591daf7bae462f22758c15d5880532c99c.exe
Token: SeDebugPrivilege | 1984 | explorer.exe
Token: SeDebugPrivilege | 1984 | explorer.exe

Suspicious use of FindShellTrayWindow (1 IoC)
pid | Process
1640 | 81955b2523c1e54755b3f2d71f379d591daf7bae462f22758c15d5880532c99c.exe

Suspicious use of WriteProcessMemory (64 IoCs)
Processes

- C:\Windows\Explorer.EXE (command line: C:\Windows\Explorer.EXE), depth 1, PID 1384
  - C:\Users\Admin\AppData\Local\Temp\81955b2523c1e54755b3f2d71f379d591daf7bae462f22758c15d5880532c99c.exe (command line: "C:\Users\Admin\AppData\Local\Temp\81955b2523c1e54755b3f2d71f379d591daf7bae462f22758c15d5880532c99c.exe"), depth 2, PID 1376
      Suspicious use of SetThreadContext
      Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\81955b2523c1e54755b3f2d71f379d591daf7bae462f22758c15d5880532c99c.exe (command line: "C:\Users\Admin\AppData\Local\Temp\81955b2523c1e54755b3f2d71f379d591daf7bae462f22758c15d5880532c99c.exe"), depth 3, PID 1640
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\explorer.exe (command line: explorer.exe), depth 4, PID 1984
          Adds policy Run key to start application
          Modifies Installed Components in the registry
          Adds Run key to start application
          Drops file in System32 directory
          Suspicious behavior: GetForegroundWindowSpam
          Suspicious use of AdjustPrivilegeToken