Analysis
- max time kernel: 150s
- max time network: 141s
- platform: windows7_x64
- resource: win7-20230220-en
- resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
- submitted: 10-06-2023 02:47
Behavioral task: behavioral1
- Sample: aaf14dba92dff1b1970e5fc870210431.exe
- Resource: win7-20230220-en
General
- Target: aaf14dba92dff1b1970e5fc870210431.exe
- Size: 203KB
- MD5: aaf14dba92dff1b1970e5fc870210431
- SHA1: 2daf65ec83dbd11a3f963cbc66bdc5116e554e76
- SHA256: 5939c954dce802b621cc345926168eeda349c39e75cd1cd2a4104096f854d908
- SHA512: 0bd45f861331d7f8b472123c051ba936bfa3d66c1e1922f6b21206cadda030b0fbb0987c839b2413fa4a24366099762e783a774761c28dd84a1266ddef163bec
- SSDEEP: 6144:sLV6Bta6dtJmakIM5b8GL+1WUQ52F+/8Ej4ei:sLV6BtpmkXGLUcQsEEj4X
Malware Config
Signatures
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes:
    description: Set value (str)
    ioc: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\DSL Subsystem = "C:\\Program Files (x86)\\DSL Subsystem\\dslss.exe"
    process: aaf14dba92dff1b1970e5fc870210431.exe
- Checks whether UAC is enabled
  Processes:
    description: Key value queried
    ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
    process: aaf14dba92dff1b1970e5fc870210431.exe
- Legitimate hosting services abused for malware hosting/C2 (1 TTP)
- Drops file in Program Files directory (2 IoCs)
  Processes:
    description: File created
    ioc: C:\Program Files (x86)\DSL Subsystem\dslss.exe
    process: aaf14dba92dff1b1970e5fc870210431.exe
    description: File opened for modification
    ioc: C:\Program Files (x86)\DSL Subsystem\dslss.exe
    process: aaf14dba92dff1b1970e5fc870210431.exe
- Creates scheduled task(s) (1 TTP, 2 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes:
    pid 1208: aaf14dba92dff1b1970e5fc870210431.exe
    pid 1208: aaf14dba92dff1b1970e5fc870210431.exe
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  Processes:
    pid 1208: aaf14dba92dff1b1970e5fc870210431.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes:
    description: Token: SeDebugPrivilege, pid 1208, process aaf14dba92dff1b1970e5fc870210431.exe
    description: Token: SeDebugPrivilege, pid 1208, process aaf14dba92dff1b1970e5fc870210431.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes (description, pid, process, target process):
    PID 1208 wrote to memory of 1752 | 1208 | aaf14dba92dff1b1970e5fc870210431.exe | schtasks.exe
    PID 1208 wrote to memory of 1752 | 1208 | aaf14dba92dff1b1970e5fc870210431.exe | schtasks.exe
    PID 1208 wrote to memory of 1752 | 1208 | aaf14dba92dff1b1970e5fc870210431.exe | schtasks.exe
    PID 1208 wrote to memory of 1752 | 1208 | aaf14dba92dff1b1970e5fc870210431.exe | schtasks.exe
    PID 1208 wrote to memory of 336 | 1208 | aaf14dba92dff1b1970e5fc870210431.exe | schtasks.exe
    PID 1208 wrote to memory of 336 | 1208 | aaf14dba92dff1b1970e5fc870210431.exe | schtasks.exe
    PID 1208 wrote to memory of 336 | 1208 | aaf14dba92dff1b1970e5fc870210431.exe | schtasks.exe
    PID 1208 wrote to memory of 336 | 1208 | aaf14dba92dff1b1970e5fc870210431.exe | schtasks.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\aaf14dba92dff1b1970e5fc870210431.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\aaf14dba92dff1b1970e5fc870210431.exe"
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\schtasks.exe (depth 2)
    Command line: "schtasks.exe" /create /f /tn "DSL Subsystem" /xml "C:\Users\Admin\AppData\Local\Temp\tmp81C.tmp"
    - Creates scheduled task(s)
  - C:\Windows\SysWOW64\schtasks.exe (depth 2)
    Command line: "schtasks.exe" /create /f /tn "DSL Subsystem Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmpA9D.tmp"
    - Creates scheduled task(s)
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\tmp81C.tmp
  Filesize: 1KB
  MD5: c90e2487d6823743a2bbe9aab13029a5
  SHA1: af4396dbfe2b782f4875c8e87e85b3d26c0774d1
  SHA256: ac62e4505a02980e126bcc52cab99e2590eac7ea0f80c7d1233caff562e4e992
  SHA512: 5f43c193de76144ed0e49aeae512099693bdd6d867565fab7b39bf63e22ce37dd3e04529a4a0cb49605f13203b43d50e1bb86f7e8a7f4359ae42a558a7175a9a
- C:\Users\Admin\AppData\Local\Temp\tmpA9D.tmp
  Filesize: 1KB
  MD5: cc41562853d473a6d8785f7887ed523f
  SHA1: 5be25b133c7a5cbc1b240822e87f3cbe94aaa312
  SHA256: a259d5fb27ddfee2968c9b1c1346121934b35bda37f9f446e9470a72cb95c2b7
  SHA512: 678c59e91d604607c7a3576dcab70eac4fb6af40d9f9db799a7a9fee67a1dd306a1a8b3bc4885e46fa6ab75970bb37fd62e6dcc66c61c09413d59991f90f12fd
- memory/1208-57-0x0000000000070000-0x00000000000B0000-memory.dmp
  Filesize: 256KB
- memory/1208-62-0x0000000000070000-0x00000000000B0000-memory.dmp
  Filesize: 256KB