def47cbe5de9b42a8024427f3183ed92d42aea9dffb1ed8b0aa8fd49d26fa26e

Analysis

max time kernel
28s
max time network
30s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
12-06-2023 11:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3dea18962bbc54787a0715e84b9d463a.exe
Size

402KB
MD5

3dea18962bbc54787a0715e84b9d463a
SHA1

111a364cab17d093538d1f35e99bef22b034eb73
SHA256

def47cbe5de9b42a8024427f3183ed92d42aea9dffb1ed8b0aa8fd49d26fa26e
SHA512

1367ef4488c7b298e108d04317261b867cde43050af240217714ac49b8c41f63c4e26201a6b892c76175d34304c838169d4e2f737b545211bc2841371783c25b
SSDEEP

3072:FDeHrC2edASgrXx0ooARRMkAHFIxobrvZkJv6SjaFvVmuLyRpPS68urGh3Lzs/v6:tx2egmooARiXCFT2Fp6SQaofZA9

Score

8^/10

persistence

Malware Config

Signatures

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\TaskKill\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\Иисус.sys"	3dea18962bbc54787a0715e84b9d463a.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1728 set thread context of 524	1728	3dea18962bbc54787a0715e84b9d463a.exe	34

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1964	524	WerFault.exe	34

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
1728	3dea18962bbc54787a0715e84b9d463a.exe
1728	3dea18962bbc54787a0715e84b9d463a.exe
1728	3dea18962bbc54787a0715e84b9d463a.exe
1728	3dea18962bbc54787a0715e84b9d463a.exe
1728	3dea18962bbc54787a0715e84b9d463a.exe
1728	3dea18962bbc54787a0715e84b9d463a.exe
1728	3dea18962bbc54787a0715e84b9d463a.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
1728	3dea18962bbc54787a0715e84b9d463a.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1728	3dea18962bbc54787a0715e84b9d463a.exe
Token: SeDebugPrivilege	1728	3dea18962bbc54787a0715e84b9d463a.exe
Token: SeLoadDriverPrivilege	1728	3dea18962bbc54787a0715e84b9d463a.exe

Suspicious use of WriteProcessMemory 39 IoCs

description	pid	Process	procid_target
PID 1728 wrote to memory of 672	1728	3dea18962bbc54787a0715e84b9d463a.exe	27
PID 1728 wrote to memory of 672	1728	3dea18962bbc54787a0715e84b9d463a.exe	27
PID 1728 wrote to memory of 672	1728	3dea18962bbc54787a0715e84b9d463a.exe	27
PID 1728 wrote to memory of 1048	1728	3dea18962bbc54787a0715e84b9d463a.exe	28
PID 1728 wrote to memory of 1048	1728	3dea18962bbc54787a0715e84b9d463a.exe	28
PID 1728 wrote to memory of 1048	1728	3dea18962bbc54787a0715e84b9d463a.exe	28
PID 1728 wrote to memory of 1872	1728	3dea18962bbc54787a0715e84b9d463a.exe	29
PID 1728 wrote to memory of 1872	1728	3dea18962bbc54787a0715e84b9d463a.exe	29
PID 1728 wrote to memory of 1872	1728	3dea18962bbc54787a0715e84b9d463a.exe	29
PID 1728 wrote to memory of 1188	1728	3dea18962bbc54787a0715e84b9d463a.exe	30
PID 1728 wrote to memory of 1188	1728	3dea18962bbc54787a0715e84b9d463a.exe	30
PID 1728 wrote to memory of 1188	1728	3dea18962bbc54787a0715e84b9d463a.exe	30
PID 1728 wrote to memory of 560	1728	3dea18962bbc54787a0715e84b9d463a.exe	31
PID 1728 wrote to memory of 560	1728	3dea18962bbc54787a0715e84b9d463a.exe	31
PID 1728 wrote to memory of 560	1728	3dea18962bbc54787a0715e84b9d463a.exe	31
PID 1728 wrote to memory of 436	1728	3dea18962bbc54787a0715e84b9d463a.exe	32
PID 1728 wrote to memory of 436	1728	3dea18962bbc54787a0715e84b9d463a.exe	32
PID 1728 wrote to memory of 436	1728	3dea18962bbc54787a0715e84b9d463a.exe	32
PID 1728 wrote to memory of 1636	1728	3dea18962bbc54787a0715e84b9d463a.exe	33
PID 1728 wrote to memory of 1636	1728	3dea18962bbc54787a0715e84b9d463a.exe	33
PID 1728 wrote to memory of 1636	1728	3dea18962bbc54787a0715e84b9d463a.exe	33
PID 1728 wrote to memory of 524	1728	3dea18962bbc54787a0715e84b9d463a.exe	34
PID 1728 wrote to memory of 524	1728	3dea18962bbc54787a0715e84b9d463a.exe	34
PID 1728 wrote to memory of 524	1728	3dea18962bbc54787a0715e84b9d463a.exe	34
PID 1728 wrote to memory of 524	1728	3dea18962bbc54787a0715e84b9d463a.exe	34
PID 1728 wrote to memory of 524	1728	3dea18962bbc54787a0715e84b9d463a.exe	34
PID 1728 wrote to memory of 524	1728	3dea18962bbc54787a0715e84b9d463a.exe	34
PID 1728 wrote to memory of 524	1728	3dea18962bbc54787a0715e84b9d463a.exe	34
PID 1728 wrote to memory of 524	1728	3dea18962bbc54787a0715e84b9d463a.exe	34
PID 1728 wrote to memory of 524	1728	3dea18962bbc54787a0715e84b9d463a.exe	34
PID 1728 wrote to memory of 524	1728	3dea18962bbc54787a0715e84b9d463a.exe	34
PID 1728 wrote to memory of 524	1728	3dea18962bbc54787a0715e84b9d463a.exe	34
PID 1728 wrote to memory of 524	1728	3dea18962bbc54787a0715e84b9d463a.exe	34
PID 1728 wrote to memory of 524	1728	3dea18962bbc54787a0715e84b9d463a.exe	34
PID 1728 wrote to memory of 524	1728	3dea18962bbc54787a0715e84b9d463a.exe	34
PID 524 wrote to memory of 1964	524	SetupUtility.exe	35
PID 524 wrote to memory of 1964	524	SetupUtility.exe	35
PID 524 wrote to memory of 1964	524	SetupUtility.exe	35
PID 524 wrote to memory of 1964	524	SetupUtility.exe	35

C:\Users\Admin\AppData\Local\Temp\3dea18962bbc54787a0715e84b9d463a.exe
"C:\Users\Admin\AppData\Local\Temp\3dea18962bbc54787a0715e84b9d463a.exe"
1⤵
- Sets service image path in registry
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: LoadsDriver
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1728
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe"
  2⤵
  PID:672
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe"
  2⤵
  PID:1048
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regbrowsers.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regbrowsers.exe"
  2⤵
  PID:1872
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WsatConfig.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WsatConfig.exe"
  2⤵
  PID:1188
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe"
  2⤵
  PID:560
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ServiceModelReg.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ServiceModelReg.exe"
  2⤵
  PID:436
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe"
  2⤵
  PID:1636
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SetupCache\v4.7.03062\SetupUtility.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SetupCache\v4.7.03062\SetupUtility.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:524
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 524 -s 168
    3⤵
    - Program crash
    PID:1964

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/524-58-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/524-59-0x0000000000150000-0x0000000000159000-memory.dmp

Filesize
36KB

Download
memory/1728-54-0x0000000000F00000-0x0000000000F68000-memory.dmp

Filesize
416KB

Download
memory/1728-55-0x0000000000E10000-0x0000000000E90000-memory.dmp

Filesize
512KB

Download
memory/1728-56-0x000000001B350000-0x000000001B3C8000-memory.dmp

Filesize
480KB

Download