Analysis

max time kernel: 149s
max time network: 153s
platform: windows7_x64
resource: win7-20230831-en
resource tags: arch:x64, arch:x86, image:win7-20230831-en, locale:en-us, os:windows7-x64, system
submitted: 01-09-2023 05:56

Static task: static1 (1 signature)

Behavioral task: behavioral1
  Sample: Updaters.exe
  Resource: win7-20230831-en (windows7-x64)
  7 signatures, 150 seconds

Behavioral task: behavioral2
  Sample: Updaters.exe
  Resource: win10v2004-20230831-en (windows10-2004-x64)
  8 signatures, 150 seconds
General

Target: Updaters.exe
Size: 2.8MB
MD5: 7a1a59c9db320a777d4512983ddce650
SHA1: e5b17572b94dfc87b686da2aa6ad0d6b8823fe97
SHA256: cc7bf8c734a4146942f8f754ab55e257a8be68f5c687c3bcc9fcdb7a5dabf871
SHA512: 5631d7cebb6351d0490ac85005f6a1282b20a47e51626ba2a00f515d7e657ffe18c7f1451f6ba478a64ff7c20e8a86dc80ba0c7cdf716286e650bb021d845856
SSDEEP: 49152:HA4q5sXHCFtLsBbpHsTGea3n1MA7+UAOUkcqUIKXOIGYMa5:HyggRsBl/ea31/+Ufqq1GN6
Score: 10/10
Malware Config

Extracted
Family: bitrat
Version: 1.38
C2: rornfl12.duckdns.org:3072
Attributes:
  communication_password: 81dc9bdb52d04dc20036dbd8313ed055
  install_dir: chrome
  install_file: updater
  tor_process: tor
Signatures

Adds Run key to start application (2 TTPs, 1 IoC)
Processes: InstallUtil.exe
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Windows\CurrentVersion\Run\updater = "C:\\Users\\Admin\\AppData\\Local\\chrome\\updater"
  process: InstallUtil.exe

Suspicious use of NtSetInformationThreadHideFromDebugger (5 IoCs)
Processes: InstallUtil.exe
  pid   process
  2280  InstallUtil.exe   (5 identical entries)

Suspicious use of SetThreadContext (1 IoC)
Processes: Updaters.exe
  description: PID 1632 set thread context of 2280
  pid / process: 1632 Updaters.exe
  target process: InstallUtil.exe

Suspicious use of AdjustPrivilegeToken (3 IoCs)
Processes: Updaters.exe, InstallUtil.exe
  description                 pid   process
  Token: SeDebugPrivilege     1632  Updaters.exe
  Token: SeDebugPrivilege     2280  InstallUtil.exe
  Token: SeShutdownPrivilege  2280  InstallUtil.exe

Suspicious use of SetWindowsHookEx (2 IoCs)
Processes: InstallUtil.exe
  pid   process
  2280  InstallUtil.exe   (2 identical entries)

Suspicious use of WriteProcessMemory (15 IoCs)
Processes: Updaters.exe
  description: PID 1632 wrote to memory of 2280
  pid / process: 1632 Updaters.exe
  target process: InstallUtil.exe
  (15 identical entries)
Processes

1. C:\Users\Admin\AppData\Local\Temp\Updaters.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\Updaters.exe"
   PID: 1632
   - Suspicious use of SetThreadContext
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe (nested under PID 1632)
      command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
      PID: 2280
      - Adds Run key to start application
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx