Analysis
- max time kernel: 29s
- max time network: 34s
- platform: windows7_x64
- resource: win7-20230220-en
- resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
- submitted: 31-03-2023 21:07
Static task: static1
Behavioral task: behavioral1
  Sample: Triphenylarsine.exe
  Resource: win7-20230220-en
Behavioral task: behavioral2
  Sample: Triphenylarsine.exe
  Resource: win10v2004-20230221-en
General
- Target: Triphenylarsine.exe
- Size: 125KB
- MD5: 962068032e7d6fc2fa259d4c3c353f07
- SHA1: 87e0421776ffd5c542d8b3339b82a056813ad4ac
- SHA256: 93b7015c3a8fba2336ee4850848b4e34c58b6c8ce3b8c27f634d54f6dac093ad
- SHA512: cd05079cb358137ebec7665ded7743422918ef776e2d81c435b52a2a644ba802f492852ede76cecf6b5bc8225d7e208dcae8c637ce35794e951527dc391f4799
- SSDEEP: 1536:zfule+tm6YLX6D0mieQeEJDDOkPWH3v5yffVwsfbrGGfo5MrsWfG6cdS3Cy18z6V:c3ieQzJnDPWXxyfishfYjbSBo6CM
Malware Config
Signatures
- Disables Task Manager via registry modification
- Writes to the Master Boot Record (MBR) (1 TTP, 1 IoC)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  Processes:
    description                   ioc                  process
    File opened for modification  \??\PhysicalDrive0   Triphenylarsine.exe
- Modifies registry key (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (4 IoCs)
  Processes:
    description                        pid   process
    Token: 33                          1044  AUDIODG.EXE
    Token: SeIncBasePriorityPrivilege  1044  AUDIODG.EXE
    Token: 33                          1044  AUDIODG.EXE
    Token: SeIncBasePriorityPrivilege  1044  AUDIODG.EXE
- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes:
    description                      pid   process              target process
    PID 1320 wrote to memory of 908  1320  Triphenylarsine.exe  cmd.exe
    PID 1320 wrote to memory of 908  1320  Triphenylarsine.exe  cmd.exe
    PID 1320 wrote to memory of 908  1320  Triphenylarsine.exe  cmd.exe
    PID 1320 wrote to memory of 908  1320  Triphenylarsine.exe  cmd.exe
    PID 908 wrote to memory of 292   908   cmd.exe              reg.exe
    PID 908 wrote to memory of 292   908   cmd.exe              reg.exe
    PID 908 wrote to memory of 292   908   cmd.exe              reg.exe
    PID 908 wrote to memory of 292   908   cmd.exe              reg.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\Triphenylarsine.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Triphenylarsine.exe"
  - Writes to the Master Boot Record (MBR)
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c REG ADD hkcu\Software\Microsoft\Windows\CurrentVersion\policies\system /v DisableTaskMgr /t reg_dword /d 1 /f
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\reg.exe
      Command line: REG ADD hkcu\Software\Microsoft\Windows\CurrentVersion\policies\system /v DisableTaskMgr /t reg_dword /d 1 /f
      - Modifies registry key
- C:\Windows\system32\AUDIODG.EXE
  Command line: C:\Windows\system32\AUDIODG.EXE 0x4f4
  - Suspicious use of AdjustPrivilegeToken