Analysis

max time kernel: 149s
max time network: 121s
platform: windows7_x64
resource: win7-20230824-en
resource tags: arch:x64, arch:x86, image:win7-20230824-en, locale:en-us, os:windows7-x64, system
submitted: 28/08/2023, 13:53

Static task: static1
Behavioral task: behavioral1
  Sample: 1915522fda424cf177b72830025aec0b6af1dd812768553d429f8e54d0131279.exe
  Resource: win7-20230824-en
Behavioral task: behavioral2
  Sample: 1915522fda424cf177b72830025aec0b6af1dd812768553d429f8e54d0131279.exe
  Resource: win10v2004-20230703-en
General

Target: 1915522fda424cf177b72830025aec0b6af1dd812768553d429f8e54d0131279.exe
Size: 3.0MB
MD5: b5df562a6a46653fdc7b1021627f291d
SHA1: 81e5d74c9065ef4ae126eb142a4074457408d36b
SHA256: 1915522fda424cf177b72830025aec0b6af1dd812768553d429f8e54d0131279
SHA512: 78ecad9368c2ca8a012f961aeda82b0a16a30299d09c9e406e928153a26941548d994b08075ad93d1d6b1640730599dab5198664717fc34bd2722b115e88e0fb
SSDEEP: 49152:D7TvfU+8X9GrNOsva5RbKhF3ANkTTlAw4SNNk5soINjPUb:Q+8X9G3vP3AMC5SQ672
Malware Config
Signatures

Modifies Installed Components in the registry (2 TTPs, 1 IoC)
  Key created   \REGISTRY\USER\S-1-5-21-1528014236-771305907-3973026625-1000\Software\Microsoft\Active Setup\Installed Components   (explorer.exe)

Modifies registry class (5 IoCs)
  Set value (data)   \REGISTRY\USER\S-1-5-21-1528014236-771305907-3973026625-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots   (explorer.exe)
  Set value (data)   \REGISTRY\USER\S-1-5-21-1528014236-771305907-3973026625-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff   (explorer.exe)
  Key created   \REGISTRY\USER\S-1-5-21-1528014236-771305907-3973026625-1000_Classes\Local Settings   (explorer.exe)
  Key created   \REGISTRY\USER\S-1-5-21-1528014236-771305907-3973026625-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell   (explorer.exe)
  Key created   \REGISTRY\USER\S-1-5-21-1528014236-771305907-3973026625-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU   (explorer.exe)

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  PID 1720, explorer.exe

Suspicious use of AdjustPrivilegeToken (12 IoCs)
  Token: SeShutdownPrivilege, PID 1720, explorer.exe (12 occurrences)

Suspicious use of FindShellTrayWindow (30 IoCs)
  PID 1720, explorer.exe (30 occurrences)

Suspicious use of SendNotifyMessage (19 IoCs)
  PID 1720, explorer.exe (19 occurrences)

Every signature hit in this report is attributed to explorer.exe (PID 1720); none is attributed to the submitted sample process (PID 2240), and the process list below shows both as top-level processes with no parent/child relationship recorded between them. The Installed Components hit is a bare key creation under HKCU with no value (no StubPath) written, and the "registry class" hits are ShellBag (BagMRU) writes, which record folder browsing rather than persistence.
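The registry IoC lines above are the only behavioural detail in this report, so the example below shows how to parse lines in that shape and rank them: it maps the raw \REGISTRY\USER\<SID> and \REGISTRY\USER\<SID>_Classes prefixes to HKCU-rooted paths, treats ShellBag (BagMRU) writes as forensic noise, and treats anything written under Active Setup\Installed Components as a persistence finding only once a value (StubPath in particular) is set, since a bare key creation installs nothing. This is an added example written for this page, not tooling from the sandbox that produced the report. The first four input lines are copied from the report; the fifth, with the {11111111-...} GUID and dropper.exe, is constructed to show what a real Active Setup persistence write would look like and does not describe this sample. The IOC_RE line format, the function names and the severity labels are this example's own assumptions.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed input: registry IoC lines in the shape used by the report's
# "Modifies Installed Components in the registry" and "Modifies registry class"
# signatures. The first four are taken from the report; the fifth is a
# hypothetical line (not from the report) in which a non-shell process
# registers an Active Setup StubPath.
REPORT_IOCS = [
    r"Key created \REGISTRY\USER\S-1-5-21-1528014236-771305907-3973026625-1000\Software\Microsoft\Active Setup\Installed Components explorer.exe",
    r"Set value (data) \REGISTRY\USER\S-1-5-21-1528014236-771305907-3973026625-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots explorer.exe",
    r"Set value (data) \REGISTRY\USER\S-1-5-21-1528014236-771305907-3973026625-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff explorer.exe",
    r"Key created \REGISTRY\USER\S-1-5-21-1528014236-771305907-3973026625-1000_Classes\Local Settings explorer.exe",
    r"Set value (str) \REGISTRY\USER\S-1-5-21-1528014236-771305907-3973026625-1000\Software\Microsoft\Active Setup\Installed Components\{11111111-2222-3333-4444-555555555555}\StubPath = C:\Users\Admin\AppData\Local\Temp\dropper.exe dropper.exe",
]

# Assumed line format: "<op> <registry path>[ = <value>] <process image name>".
# The path is matched lazily and the process image is anchored at end of line,
# so paths containing spaces ("Local Settings", "Active Setup") parse correctly.
IOC_RE = re.compile(
    r"^(?P<op>Key created|Set value \((?:data|str|int)\))\s+"
    r"(?P<path>\\REGISTRY\\.+?)"
    r"(?:\s+=\s+(?P<value>\S+))?"
    r"\s+(?P<process>\S+\.exe)$"
)
# \REGISTRY\USER\<SID> is the user's hive (HKCU); \REGISTRY\USER\<SID>_Classes
# is HKCU\Software\Classes. The report spells the suffix both _CLASSES and _Classes.
HIVE_RE = re.compile(r"^\\REGISTRY\\USER\\S-1-5-21-[\d-]+(?P<classes>_classes)?\\", re.IGNORECASE)


@dataclass
class RegEvent:
    op: str
    path: str              # normalised to an HKCU-rooted path
    value: Optional[str]   # only present for "Set value" lines that carry "= <value>"
    process: str
    category: str
    severity: str


def normalise_path(raw: str) -> str:
    """Rewrite a kernel-style \\REGISTRY\\USER\\<SID>... path as an HKCU path."""
    m = HIVE_RE.match(raw)
    if not m:
        return raw
    root = r"HKCU\Software\Classes" + "\\" if m.group("classes") else "HKCU\\"
    return root + raw[m.end():]


def classify(op: str, path: str) -> tuple:
    """Return (category, severity) for one normalised registry operation."""
    p = path.lower()
    if r"\active setup\installed components" in p:
        # Creating the key installs nothing. A value under Installed Components
        # (StubPath in particular) is what the shell executes for the user at next logon.
        return "active_setup", ("high" if op.startswith("Set value") else "low")
    if r"\shell\bagmru" in p or r"\shell\bags" in p:
        # ShellBags record which folders the user browsed: a forensic artifact, not persistence.
        return "shellbag", "info"
    return "other", "low"


def parse_ioc(line: str) -> RegEvent:
    m = IOC_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised IoC line: {line!r}")
    path = normalise_path(m.group("path"))
    category, severity = classify(m.group("op"), path)
    return RegEvent(m.group("op"), path, m.group("value"), m.group("process"), category, severity)


def triage(lines) -> list:
    return [parse_ioc(line) for line in lines]


def high_findings(lines) -> list:
    return [e for e in triage(lines) if e.severity == "high"]


if __name__ == "__main__":
    for e in triage(REPORT_IOCS):
        suffix = f" = {e.value}" if e.value else ""
        print(f"{e.severity:<5} {e.category:<13} {e.process:<13} {e.op:<16} {e.path}{suffix}")
```

Run over the report's own four lines, nothing ranks above "low": one Active Setup key creation without a value and three ShellBag-related operations, all by explorer.exe, which is consistent with the process list where every signature attaches to explorer.exe (PID 1720) and none to the sample (PID 2240). Only the constructed StubPath line produces a "high" finding, and that is the shape a Sysmon EventID 13 rule on Active Setup should key on: a value written under Installed Components, not the key's existence.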
Processes

C:\Users\Admin\AppData\Local\Temp\1915522fda424cf177b72830025aec0b6af1dd812768553d429f8e54d0131279.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\1915522fda424cf177b72830025aec0b6af1dd812768553d429f8e54d0131279.exe"
  PID: 2240

C:\Windows\explorer.exe
  Command line: explorer.exe
  PID: 1720
  Signatures:
    - Modifies Installed Components in the registry
    - Modifies registry class
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage