Analysis
- max time kernel: 147s
- max time network: 153s
- platform: windows10-2004_x64
- resource: win10v2004-20230220-en
- resource tags: arch:x64 arch:x86 image:win10v2004-20230220-en locale:en-us os:windows10-2004-x64 system
- submitted: 10-06-2023 02:47
Behavioral task: behavioral1
- Sample: aaf14dba92dff1b1970e5fc870210431.exe
- Resource: win7-20230220-en
General
- Target: aaf14dba92dff1b1970e5fc870210431.exe
- Size: 203KB
- MD5: aaf14dba92dff1b1970e5fc870210431
- SHA1: 2daf65ec83dbd11a3f963cbc66bdc5116e554e76
- SHA256: 5939c954dce802b621cc345926168eeda349c39e75cd1cd2a4104096f854d908
- SHA512: 0bd45f861331d7f8b472123c051ba936bfa3d66c1e1922f6b21206cadda030b0fbb0987c839b2413fa4a24366099762e783a774761c28dd84a1266ddef163bec
- SSDEEP: 6144:sLV6Bta6dtJmakIM5b8GL+1WUQ52F+/8Ej4ei:sLV6BtpmkXGLUcQsEEj4X
Malware Config
Signatures
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes: aaf14dba92dff1b1970e5fc870210431.exe
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DPI Host = "C:\\Program Files (x86)\\DPI Host\\dpihost.exe" | aaf14dba92dff1b1970e5fc870210431.exe
- Checks whether UAC is enabled
  Processes: aaf14dba92dff1b1970e5fc870210431.exe
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | aaf14dba92dff1b1970e5fc870210431.exe
- Legitimate hosting services abused for malware hosting/C2 (1 TTPs)
- Drops file in Program Files directory (2 IoCs)
  Processes: aaf14dba92dff1b1970e5fc870210431.exe
  description | ioc | process
  File created | C:\Program Files (x86)\DPI Host\dpihost.exe | aaf14dba92dff1b1970e5fc870210431.exe
  File opened for modification | C:\Program Files (x86)\DPI Host\dpihost.exe | aaf14dba92dff1b1970e5fc870210431.exe
- Creates scheduled task(s) (1 TTPs, 2 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  Processes: schtasks.exe, schtasks.exe
  pid | process
  3972 | schtasks.exe
  2848 | schtasks.exe
- Suspicious behavior: EnumeratesProcesses (3 IoCs)
  Processes: aaf14dba92dff1b1970e5fc870210431.exe
  pid | process
  1788 | aaf14dba92dff1b1970e5fc870210431.exe
  1788 | aaf14dba92dff1b1970e5fc870210431.exe
  1788 | aaf14dba92dff1b1970e5fc870210431.exe
- Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  Processes: aaf14dba92dff1b1970e5fc870210431.exe
  pid | process
  1788 | aaf14dba92dff1b1970e5fc870210431.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes: aaf14dba92dff1b1970e5fc870210431.exe
  description | pid | process
  Token: SeDebugPrivilege | 1788 | aaf14dba92dff1b1970e5fc870210431.exe
  Token: SeDebugPrivilege | 1788 | aaf14dba92dff1b1970e5fc870210431.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes: aaf14dba92dff1b1970e5fc870210431.exe
  description | pid | process | target process
  PID 1788 wrote to memory of 3972 | 1788 | aaf14dba92dff1b1970e5fc870210431.exe | schtasks.exe
  PID 1788 wrote to memory of 3972 | 1788 | aaf14dba92dff1b1970e5fc870210431.exe | schtasks.exe
  PID 1788 wrote to memory of 3972 | 1788 | aaf14dba92dff1b1970e5fc870210431.exe | schtasks.exe
  PID 1788 wrote to memory of 2848 | 1788 | aaf14dba92dff1b1970e5fc870210431.exe | schtasks.exe
  PID 1788 wrote to memory of 2848 | 1788 | aaf14dba92dff1b1970e5fc870210431.exe | schtasks.exe
  PID 1788 wrote to memory of 2848 | 1788 | aaf14dba92dff1b1970e5fc870210431.exe | schtasks.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\aaf14dba92dff1b1970e5fc870210431.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\aaf14dba92dff1b1970e5fc870210431.exe"
  Signatures:
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
  Child processes:
    - C:\Windows\SysWOW64\schtasks.exe (depth 2)
      Command line: "schtasks.exe" /create /f /tn "DPI Host" /xml "C:\Users\Admin\AppData\Local\Temp\tmpF84F.tmp"
      Signatures:
        - Creates scheduled task(s)
    - C:\Windows\SysWOW64\schtasks.exe (depth 2)
      Command line: "schtasks.exe" /create /f /tn "DPI Host Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmpF9D7.tmp"
      Signatures:
        - Creates scheduled task(s)
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\tmpF84F.tmp
  Filesize: 1KB
  MD5: c90e2487d6823743a2bbe9aab13029a5
  SHA1: af4396dbfe2b782f4875c8e87e85b3d26c0774d1
  SHA256: ac62e4505a02980e126bcc52cab99e2590eac7ea0f80c7d1233caff562e4e992
  SHA512: 5f43c193de76144ed0e49aeae512099693bdd6d867565fab7b39bf63e22ce37dd3e04529a4a0cb49605f13203b43d50e1bb86f7e8a7f4359ae42a558a7175a9a
- C:\Users\Admin\AppData\Local\Temp\tmpF9D7.tmp
  Filesize: 1KB
  MD5: acd483df2f8ed28b2ad2bbcfe774f43f
  SHA1: e89d74ed4ba3824e652e1f4267bb8b60e3b50581
  SHA256: 3ee6ae0dca5c4564f13e70f2a70ecbe979c9d9d575cd9762f15039aaa3823a86
  SHA512: 59a9003c18f714c1ab14238bf2891b602ae3d8de49785a72e629648240176b29aabc741d7bdd244f06d5fe1a52c905b6288a0fe401f49df342200749a7de2092
- memory/1788-133-0x0000000000CF0000-0x0000000000D00000-memory.dmp
  Filesize: 64KB
- memory/1788-141-0x0000000000CF0000-0x0000000000D00000-memory.dmp
  Filesize: 64KB
- memory/1788-142-0x0000000000CF0000-0x0000000000D00000-memory.dmp
  Filesize: 64KB
- memory/1788-143-0x0000000000CF0000-0x0000000000D00000-memory.dmp
  Filesize: 64KB