Analysis
- max time kernel: 150s
- max time network: 29s
- platform: windows7_x64
- resource: win7-20230220-en
- resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
- submitted: 29-03-2023 08:16
Static task: static1

Behavioral task: behavioral1
- Sample: iurdsfhgj.exe
- Resource: win7-20230220-en (windows7-x64)
- 5 signatures, 150 seconds

Behavioral task: behavioral2
- Sample: iurdsfhgj.exe
- Resource: win10v2004-20230220-en (windows10-2004-x64)
- 6 signatures, 150 seconds
General
- Target: iurdsfhgj.exe
- Size: 1.1MB
- MD5: 8b0e574f3db376044a84cb315777dd80
- SHA1: 95a9baee9753204301faba46444cde42f724c1d6
- SHA256: adbe453aa3a0209fc356b1fd2ceaad057f5ff3a82fa54b0b0cf49d2c4788d263
- SHA512: d95d77fcd16d26c84e80697b109b9fbab2f8a7eb8ef3f10f463319ff193647e280ddc061506645c449a6c365aa5856e178fa4791242c5638be6f469a4b93b7ea
- SSDEEP: 12288:kyPaZ/xsHGVboPaQf9x24qyzjrDHcReh9WMKH1DAd:kymsHEkM4SePnKNW
- Score: 10/10
Malware Config
Signatures
- Modifies WinLogon for persistence (2 TTPs, 1 IoC)
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Roaming\\dfsghjs\\iurdsfhgj.exe,"
  process: reg.exe
- Runs ping.exe (1 TTPs, 3 IoCs)
  pid / process: 788 PING.EXE; 932 PING.EXE; 1800 PING.EXE
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid / process: 1500 iurdsfhgj.exe (the same entry recorded 64 times)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  description: Token: SeDebugPrivilege
  pid / process: 1500 iurdsfhgj.exe
- Suspicious use of WriteProcessMemory (24 IoCs; each distinct entry below is recorded 4 times)
  description | pid process | procid_target
  PID 1500 wrote to memory of 1688 | 1500 iurdsfhgj.exe | 27
  PID 1688 wrote to memory of 788  | 1688 cmd.exe       | 29
  PID 1500 wrote to memory of 880  | 1500 iurdsfhgj.exe | 30
  PID 880 wrote to memory of 932   | 880 cmd.exe        | 32
  PID 1688 wrote to memory of 940  | 1688 cmd.exe       | 33
  PID 880 wrote to memory of 1800  | 880 cmd.exe        | 34
Processes (depth in brackets; each child is indented under its parent)

[1] C:\Users\Admin\AppData\Local\Temp\iurdsfhgj.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\iurdsfhgj.exe"
    PID: 1500
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

  [2] C:\Windows\SysWOW64\cmd.exe
      Command line: "cmd" /c ping 127.0.0.1 -n 39 > nul && REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Roaming\dfsghjs\iurdsfhgj.exe,"
      PID: 1688
      - Suspicious use of WriteProcessMemory

    [3] C:\Windows\SysWOW64\PING.EXE
        Command line: ping 127.0.0.1 -n 39
        PID: 788
        - Runs ping.exe

    [3] C:\Windows\SysWOW64\reg.exe
        Command line: REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Roaming\dfsghjs\iurdsfhgj.exe,"
        PID: 940
        - Modifies WinLogon for persistence

  [2] C:\Windows\SysWOW64\cmd.exe
      Command line: "cmd" /c ping 127.0.0.1 -n 49 > nul && copy "C:\Users\Admin\AppData\Local\Temp\iurdsfhgj.exe" "C:\Users\Admin\AppData\Roaming\dfsghjs\iurdsfhgj.exe" && ping 127.0.0.1 -n 49 > nul && "C:\Users\Admin\AppData\Roaming\dfsghjs\iurdsfhgj.exe"
      PID: 880
      - Suspicious use of WriteProcessMemory

    [3] C:\Windows\SysWOW64\PING.EXE
        Command line: ping 127.0.0.1 -n 49
        PID: 932
        - Runs ping.exe

    [3] C:\Windows\SysWOW64\PING.EXE
        Command line: ping 127.0.0.1 -n 49
        PID: 1800
        - Runs ping.exe