Analysis
-
max time kernel
181s -
max time network
188s -
platform
windows10-2004_x64 -
resource
win10v2004-20221111-en -
resource tags
arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system -
submitted
05-12-2022 19:38
Behavioral task
behavioral1
Sample
cb3ca4960d67513d53b11dadf817bf46cc2d19f2c7db598b72a6cdd0ad9be1f6.exe
Resource
win7-20220901-en
Behavioral task
behavioral2
Sample
cb3ca4960d67513d53b11dadf817bf46cc2d19f2c7db598b72a6cdd0ad9be1f6.exe
Resource
win10v2004-20221111-en
General
-
Target
cb3ca4960d67513d53b11dadf817bf46cc2d19f2c7db598b72a6cdd0ad9be1f6.exe
-
Size
31KB
-
MD5
3517a0a5fd3bc95260a7c1a758acb8d0
-
SHA1
9b50655b506d8a22be461640849cdb76fcd6fa20
-
SHA256
cb3ca4960d67513d53b11dadf817bf46cc2d19f2c7db598b72a6cdd0ad9be1f6
-
SHA512
5ecde49b15d5f63aa698f4848abcd6eae5b02651466ce1b0d3b154e5c7439c0f86dd81b0ffd1da4b5aaf5de72fa994b18c2076ceddd34c32fe966775668c13db
-
SSDEEP
768:q2u75oa4fu124AqFjXeJBKh0p29SgRjB:K75CPkj8KhG29jjB
Malware Config
Signatures
-
Drops file in Windows directory 1 IoCs
Processes:
dw20.exedescription ioc process File created C:\Windows\AppCompat\Programs\Amcache.hve.tmp dw20.exe -
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
dw20.exedescription ioc process Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 dw20.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz dw20.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString dw20.exe -
Enumerates system info in registry 2 TTPs 2 IoCs
Processes:
dw20.exedescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU dw20.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS dw20.exe -
Suspicious use of AdjustPrivilegeToken 5 IoCs
Processes:
dw20.exedescription pid process Token: SeRestorePrivilege 4012 dw20.exe Token: SeBackupPrivilege 4012 dw20.exe Token: SeBackupPrivilege 4012 dw20.exe Token: SeBackupPrivilege 4012 dw20.exe Token: SeBackupPrivilege 4012 dw20.exe -
Suspicious use of WriteProcessMemory 3 IoCs
Processes:
cb3ca4960d67513d53b11dadf817bf46cc2d19f2c7db598b72a6cdd0ad9be1f6.exedescription pid process target process PID 2296 wrote to memory of 4012 2296 cb3ca4960d67513d53b11dadf817bf46cc2d19f2c7db598b72a6cdd0ad9be1f6.exe dw20.exe PID 2296 wrote to memory of 4012 2296 cb3ca4960d67513d53b11dadf817bf46cc2d19f2c7db598b72a6cdd0ad9be1f6.exe dw20.exe PID 2296 wrote to memory of 4012 2296 cb3ca4960d67513d53b11dadf817bf46cc2d19f2c7db598b72a6cdd0ad9be1f6.exe dw20.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\cb3ca4960d67513d53b11dadf817bf46cc2d19f2c7db598b72a6cdd0ad9be1f6.exe"C:\Users\Admin\AppData\Local\Temp\cb3ca4960d67513d53b11dadf817bf46cc2d19f2c7db598b72a6cdd0ad9be1f6.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exedw20.exe -x -s 5002⤵
- Drops file in Windows directory
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken