Analysis
max time kernel: 38s
max time network: 42s
platform: windows10-1703_x64
resource: win10-20220901-en
resource tags: arch:x64, arch:x86, image:win10-20220901-en, locale:en-us, os:windows10-1703-x64, system
submitted: 07-01-2023 08:59
Behavioral tasks
Behavioral task   Sample               Resource
behavioral1       Resource.bin         win10-20220812-en
behavioral2       Run.vbs              win10-20220812-en
behavioral3       WindowsService.exe   win10-20220901-en
behavioral4       import.reg           win10-20220812-en
behavioral5       md5.txt              win10-20220812-en
behavioral6       updatebackend.log    win10-20220812-en
General
Target: WindowsService.exe
Size: 5.3MB
MD5: 1d7d93fa84ba7c5a5c8b1d62acbb048d
SHA1: d8048fc1e77eca832eab8b809181c3f07fc34cc5
SHA256: 6d346056c766ed477967601425a4d162d15d429977910083c8a8bdd0d0c1c005
SHA512: f751d92782c230be153bd11431601f341cc5156dad1f99eb801e8ca0ad22513dfb8225d9fd7e3984b46749bf50a331d511072fe6c48bbac05da5cdf54128daa4
SSDEEP: 98304:AW3PlQ/t+WURgaZKI2MSJCeUGHopP1B7OJyaEooPNkAFf9v:1Gl+mZJnosMFHDh
Malware Config
Signatures
YARA rule match: vmprotect 2 IoCs
Processes:
resource                                                                        yara_rule
behavioral3/memory/3064-120-0x0000000140000000-0x0000000140908000-memory.dmp    vmprotect
behavioral3/memory/3064-122-0x0000000140000000-0x0000000140908000-memory.dmp    vmprotect
Drops file in System32 directory 1 IoCs
Processes:
description    ioc                                    process
File created   C:\Windows\System32\WinRing0x64.sys    WindowsService.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
Processes:
pid    process
3064   WindowsService.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs
Processes:
pid    process
3064   WindowsService.exe
3064   WindowsService.exe
3064   WindowsService.exe
3064   WindowsService.exe
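The signature table above is the sandbox's summary of what it saw. The following is an added example (not Triage's own signature code, and not code from the sample's author) that re-derives the same four findings from a constructed, Sysmon/API-trace-style event list, so the logic behind each IoC count is explicit, and adds two checks a practitioner would want before reusing this report: that the file in hand actually matches the report's hashes, and that the System32 drop is specifically WinRing0x64.sys, the OpenLibSys WinRing0 hardware-access driver (MSR, I/O-port and physical-memory access from user mode), which deserves its own flag rather than being folded into a generic "drops file in System32". The `Event` schema, the `TRACE` rows, `PROCESS_ENUM_APIS` and the benign notepad.exe control rows are assumptions made for illustration; the hashes, the driver path, pid 3064 and the memory range are copied from the report.

```python
"""Re-derive the report's behavioural signatures from a constructed event trace.

Added example; not Triage's own code. The event schema and the trace below are
assumptions for illustration; the IoC values are taken from the report above.
"""
import hashlib
from dataclasses import dataclass

# Copied from the "General" section of the report.
REPORT_HASHES = {
    "md5": "1d7d93fa84ba7c5a5c8b1d62acbb048d",
    "sha1": "d8048fc1e77eca832eab8b809181c3f07fc34cc5",
    "sha256": "6d346056c766ed477967601425a4d162d15d429977910083c8a8bdd0d0c1c005",
}
SYSTEM32_PREFIX = "c:\\windows\\system32\\"
# WinRing0 is a signed third-party driver that gives user mode MSR/port/physical
# memory access; a user-mode binary dropping it into System32 warrants a closer
# look. File name taken from the report's IoC table.
WATCHED_DRIVERS = {"winring0x64.sys"}
# (API, argument) pairs treated as process enumeration. Assumed mapping.
PROCESS_ENUM_APIS = {
    ("NtQuerySystemInformation", "SystemProcessInformation"),
    ("CreateToolhelp32Snapshot", "TH32CS_SNAPPROCESS"),
    ("Process32NextW", ""),
}


@dataclass(frozen=True)
class Event:
    pid: int
    image: str
    kind: str      # "memory_scan" | "file_create" | "api_call"
    detail: str    # yara rule name, created path, or API name
    arg: str = ""  # memory range, unused, or the relevant API argument


# Constructed trace modelled on the report's IoCs, plus benign control rows
# from a second process that must not trigger anything.
TRACE = [
    Event(3064, "WindowsService.exe", "memory_scan", "vmprotect", "0x140000000-0x140908000"),
    Event(3064, "WindowsService.exe", "memory_scan", "vmprotect", "0x140000000-0x140908000"),
    Event(3064, "WindowsService.exe", "file_create", r"C:\Windows\System32\WinRing0x64.sys"),
    Event(3064, "WindowsService.exe", "api_call", "NtSetInformationThread", "ThreadHideFromDebugger"),
    Event(3064, "WindowsService.exe", "api_call", "NtQuerySystemInformation", "SystemProcessInformation"),
    Event(3064, "WindowsService.exe", "api_call", "CreateToolhelp32Snapshot", "TH32CS_SNAPPROCESS"),
    Event(3064, "WindowsService.exe", "api_call", "Process32NextW", ""),
    Event(3064, "WindowsService.exe", "api_call", "Process32NextW", ""),
    Event(4120, "notepad.exe", "file_create", r"C:\Users\user\AppData\Local\Temp\notes.txt"),
    Event(4120, "notepad.exe", "api_call", "NtSetInformationThread", "ThreadPriority"),
]


def vmprotect_regions(events):
    return [e for e in events if e.kind == "memory_scan" and e.detail == "vmprotect"]


def drops_in_system32(events):
    return [e for e in events
            if e.kind == "file_create" and e.detail.lower().startswith(SYSTEM32_PREFIX)]


def drops_watched_driver(events):
    # Subset of the System32 drops whose file name is a known hardware-access driver.
    return [e for e in drops_in_system32(events)
            if e.detail.lower().rsplit("\\", 1)[-1] in WATCHED_DRIVERS]


def hides_from_debugger(events):
    # Only ThreadHideFromDebugger counts; other thread-information classes are benign.
    return [e for e in events
            if e.kind == "api_call" and e.detail == "NtSetInformationThread"
            and e.arg == "ThreadHideFromDebugger"]


def enumerates_processes(events):
    return [e for e in events if e.kind == "api_call" and (e.detail, e.arg) in PROCESS_ENUM_APIS]


def signature_summary(events):
    """Signature name -> IoC count, in the report's own wording."""
    return {
        "yara_rule vmprotect": len(vmprotect_regions(events)),
        "Drops file in System32 directory": len(drops_in_system32(events)),
        "Drops watched hardware-access driver": len(drops_watched_driver(events)),
        "Suspicious use of NtSetInformationThreadHideFromDebugger": len(hides_from_debugger(events)),
        "Suspicious behavior: EnumeratesProcesses": len(enumerates_processes(events)),
    }


def flagged_pids(events):
    """Set of pids that triggered at least one signature."""
    hits = (vmprotect_regions(events) + drops_in_system32(events)
            + hides_from_debugger(events) + enumerates_processes(events))
    return {e.pid for e in hits}


def hashes_match(data: bytes, expected=REPORT_HASHES):
    """Return the algorithms whose digest of `data` disagrees with the report.

    An empty list means the file in hand is the one this report describes and
    its findings can be reused; otherwise do not trust the report for this file.
    """
    return sorted(name for name, want in expected.items()
                  if hashlib.new(name, data).hexdigest() != want.lower())


if __name__ == "__main__":
    for name, count in signature_summary(TRACE).items():
        print(f"{name}: {count} IoCs")
    print("flagged pids:", flagged_pids(TRACE))
    print("hash mismatches for a placeholder buffer:", hashes_match(b"not the sample"))
```

Two caveats the report itself supports: both YARA hits cover the same region, 0x140000000-0x140908000 (0x140000000 is the default x64 image base), dumped twice for process 3064, so the packer applies to the main executable and static analysis of the 5.3MB disk file will be of limited use until the process is dumped. And NtSetInformationThread(ThreadHideFromDebugger) is a standard component of VMProtect's anti-debugging, so the second signature mostly confirms that the protector is active rather than adding an independent finding; the driver drop and the process enumeration are the behaviours to pivot on.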