Analysis

max time kernel: 3s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20230220-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
submitted: 18/05/2023, 13:54
Static task: static1

Behavioral task: behavioral1
  Sample: 42ebdd7af0e33c70e9f914662a60f2ac7ee44f87633290fb2deb0809564e7595.exe
  Resource: win7-20230220-en

Behavioral task: behavioral2
  Sample: 42ebdd7af0e33c70e9f914662a60f2ac7ee44f87633290fb2deb0809564e7595.exe
  Resource: win10v2004-20230220-en
General

Target: 42ebdd7af0e33c70e9f914662a60f2ac7ee44f87633290fb2deb0809564e7595.exe
Size: 2.9MB
MD5: d88534462d1c0c26ceb886c050b49fb4
SHA1: 2fe4f66cec538632a4c55b9439a3f9af70559505
SHA256: 42ebdd7af0e33c70e9f914662a60f2ac7ee44f87633290fb2deb0809564e7595
SHA512: 1b47386e2904cf6c526c490cd9858389e3af81c7fb5248367424330c1fa2428e9b52cb20aff8471b3924ae54236dd25c0144356816f2c6658bb1a87d1b156dd1
SSDEEP: 49152:3+SW6KVcadcY/tE+3fKhOmcK8bWfJE+kw0ypO5V4Vp0:3+5HEA8QJWfS+kFH5e
Malware Config

Signatures
Loads dropped DLL (3 IoCs)
  pid   Process
  1772  42ebdd7af0e33c70e9f914662a60f2ac7ee44f87633290fb2deb0809564e7595.exe
  1772  42ebdd7af0e33c70e9f914662a60f2ac7ee44f87633290fb2deb0809564e7595.exe
  1772  42ebdd7af0e33c70e9f914662a60f2ac7ee44f87633290fb2deb0809564e7595.exe

  resource                                                                       yara_rule
  behavioral2/memory/1772-142-0x0000000002CE0000-0x000000000323D000-memory.dmp  upx
  behavioral2/memory/1772-152-0x0000000002CE0000-0x000000000323D000-memory.dmp  upx
Adds Run key to start application (2 TTPs, 2 IoCs)
  description       ioc                                                                                                                   Process
  Key created       \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run                                            42ebdd7af0e33c70e9f914662a60f2ac7ee44f87633290fb2deb0809564e7595.exe
  Set value (str)   \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\42ebdd7af0e33c70e9f914662a60f2ac7ee44f87633290fb2deb0809564e7595 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\42ebdd7af0e33c70e9f914662a60f2ac7ee44f87633290fb2deb0809564e7595.exe"   42ebdd7af0e33c70e9f914662a60f2ac7ee44f87633290fb2deb0809564e7595.exe
Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid   Process
  1772  42ebdd7af0e33c70e9f914662a60f2ac7ee44f87633290fb2deb0809564e7595.exe
  1772  42ebdd7af0e33c70e9f914662a60f2ac7ee44f87633290fb2deb0809564e7595.exe
Suspicious use of AdjustPrivilegeToken (63 IoCs)
  pid   Process    Tokens enabled (description)
  4932  wmic.exe   SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
  4716  wmic.exe   SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
  4856  wmic.exe   SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
Suspicious use of WriteProcessMemory (9 IoCs)
  description                       pid   Process                                                                   procid_target
  PID 1772 wrote to memory of 4932  1772  42ebdd7af0e33c70e9f914662a60f2ac7ee44f87633290fb2deb0809564e7595.exe  79
  PID 1772 wrote to memory of 4932  1772  42ebdd7af0e33c70e9f914662a60f2ac7ee44f87633290fb2deb0809564e7595.exe  79
  PID 1772 wrote to memory of 4932  1772  42ebdd7af0e33c70e9f914662a60f2ac7ee44f87633290fb2deb0809564e7595.exe  79
  PID 1772 wrote to memory of 4856  1772  42ebdd7af0e33c70e9f914662a60f2ac7ee44f87633290fb2deb0809564e7595.exe  78
  PID 1772 wrote to memory of 4856  1772  42ebdd7af0e33c70e9f914662a60f2ac7ee44f87633290fb2deb0809564e7595.exe  78
  PID 1772 wrote to memory of 4856  1772  42ebdd7af0e33c70e9f914662a60f2ac7ee44f87633290fb2deb0809564e7595.exe  78
  PID 1772 wrote to memory of 4716  1772  42ebdd7af0e33c70e9f914662a60f2ac7ee44f87633290fb2deb0809564e7595.exe  77
  PID 1772 wrote to memory of 4716  1772  42ebdd7af0e33c70e9f914662a60f2ac7ee44f87633290fb2deb0809564e7595.exe  77
  PID 1772 wrote to memory of 4716  1772  42ebdd7af0e33c70e9f914662a60f2ac7ee44f87633290fb2deb0809564e7595.exe  77
Processes

C:\Users\Admin\AppData\Local\Temp\42ebdd7af0e33c70e9f914662a60f2ac7ee44f87633290fb2deb0809564e7595.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\42ebdd7af0e33c70e9f914662a60f2ac7ee44f87633290fb2deb0809564e7595.exe"
  PID: 1772
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\Wbem\wmic.exe
    Command line: wmic diskdrive get serialNumber
    PID: 4716
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\Wbem\wmic.exe
    Command line: wmic baseboard get serialnumber
    PID: 4856
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\Wbem\wmic.exe
    Command line: wmic cpu get processorid
    PID: 4932
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads

Filesize: 1KB
MD5: 7cdb8cb8af957efc66711eb30450d71e
SHA1: 66f313453703aa5f622e12f1cb1d4dae0e55b1a9
SHA256: bce34e4b736ce0f998d70b6a67543b1412b2b29c0c7ad9f5d95ff9488356e6b4
SHA512: 5ad7aad720081944297bc5af16c06c97874d44958d4c2f455bf71dc80dc61bbfe5e7d43586fc7423f45004718d6aeb2f6a248a5da017d0fba5661e4e8bfac430

Filesize: 1KB
MD5: 0d276c6636ee961ec9c68fbea4638993
SHA1: 969f8ee18a0280e7978f50548482c42434c2cbac
SHA256: 7c0228edb377e3c550df7b801d28ddc34849958fbf5e4b249049663cc6154e62
SHA512: 498dd72634aea94ff1e105e65edf65a14856543482e7c3006984359e8c9d5240e464c4505e977c965ae78558e83e5c01100bdb400e4fbbc80ff3aceff62102a4

Filesize: 1KB
MD5: 4b956f9a4adb363fab263777a059134a
SHA1: a7d8005aab5a635158fd593439b27a477b2bd1a8
SHA256: f9d971f7f83d4a12fc04379237c8a81f9f0a6002557d22ce01415b6ec817f81a
SHA512: 68c58ab196be82ac7bd803413cfff6eb8cbe540fa96d7ab80dd3ba37636f14731335a039bd2129409789cfc7f70c598ee355eff5c34b840cb9d943fcf05c8f9c