Analysis
max time kernel: 23s
max time network: 102s
platform: windows10-2004_x64
resource: win10v2004-20230221-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230221-en, locale:en-us, os:windows10-2004-x64, system
submitted: 31-03-2023 21:07
Static task: static1
Behavioral task: behavioral1
  Sample: Triphenylarsine.exe
  Resource: win7-20230220-en
Behavioral task: behavioral2
  Sample: Triphenylarsine.exe
  Resource: win10v2004-20230221-en
General
Target: Triphenylarsine.exe
Size: 125KB
MD5: 962068032e7d6fc2fa259d4c3c353f07
SHA1: 87e0421776ffd5c542d8b3339b82a056813ad4ac
SHA256: 93b7015c3a8fba2336ee4850848b4e34c58b6c8ce3b8c27f634d54f6dac093ad
SHA512: cd05079cb358137ebec7665ded7743422918ef776e2d81c435b52a2a644ba802f492852ede76cecf6b5bc8225d7e208dcae8c637ce35794e951527dc391f4799
SSDEEP: 1536:zfule+tm6YLX6D0mieQeEJDDOkPWH3v5yffVwsfbrGGfo5MrsWfG6cdS3Cy18z6V:c3ieQzJnDPWXxyfishfYjbSBo6CM
Malware Config
Signatures
- Disables Task Manager via registry modification
- Writes to the Master Boot Record (MBR) (1 TTPs, 1 IoCs)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  Processes: Triphenylarsine.exe
    description: File opened for modification | ioc: \??\PhysicalDrive0 | process: Triphenylarsine.exe
- Modifies registry key (1 TTPs, 1 IoCs)
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes: AUDIODG.EXE
    description: Token: 33 | pid: 4708 | process: AUDIODG.EXE
    description: Token: SeIncBasePriorityPrivilege | pid: 4708 | process: AUDIODG.EXE
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes: Triphenylarsine.exe, cmd.exe
    description: PID 4428 wrote to memory of 232 | pid: 4428 | process: Triphenylarsine.exe | target process: cmd.exe
    description: PID 4428 wrote to memory of 232 | pid: 4428 | process: Triphenylarsine.exe | target process: cmd.exe
    description: PID 4428 wrote to memory of 232 | pid: 4428 | process: Triphenylarsine.exe | target process: cmd.exe
    description: PID 232 wrote to memory of 32 | pid: 232 | process: cmd.exe | target process: reg.exe
    description: PID 232 wrote to memory of 32 | pid: 232 | process: cmd.exe | target process: reg.exe
    description: PID 232 wrote to memory of 32 | pid: 232 | process: cmd.exe | target process: reg.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\Triphenylarsine.exe
  "C:\Users\Admin\AppData\Local\Temp\Triphenylarsine.exe"
  - Writes to the Master Boot Record (MBR)
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c REG ADD hkcu\Software\Microsoft\Windows\CurrentVersion\policies\system /v DisableTaskMgr /t reg_dword /d 1 /f
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\reg.exe
      REG ADD hkcu\Software\Microsoft\Windows\CurrentVersion\policies\system /v DisableTaskMgr /t reg_dword /d 1 /f
      - Modifies registry key
- C:\Windows\system32\AUDIODG.EXE
  C:\Windows\system32\AUDIODG.EXE 0x4b4 0x44c
  - Suspicious use of AdjustPrivilegeToken