Analysis
  max time kernel:  4s
  max time network: 5s
  platform:         windows7_x64
  resource:         win7-20231201-en
  resource tags:    arch:x64, arch:x86, image:win7-20231201-en, locale:en-us, os:windows7-x64, system
  submitted:        08/12/2023, 04:23
Behavioral task: behavioral1
  Sample:     0b857def32c7bae500b087764ea39dae5a2021e78b833a11c54593f2b7569bf5.exe
  Resource:   win7-20231201-en
  Signatures: 9
  Run time:   150 seconds
  Errors:     Reason: Machine shutdown
General
  Target: 0b857def32c7bae500b087764ea39dae5a2021e78b833a11c54593f2b7569bf5.exe
  Size:   2.4MB
  MD5:    fc7089916a5d0fa9b4211c529c42985b
  SHA1:   7d329e9ef3d94701370639182ddd557bbf49deac
  SHA256: 0b857def32c7bae500b087764ea39dae5a2021e78b833a11c54593f2b7569bf5
  SHA512: ca49922d8a22d336b43e26a8e5b65f64aa6811dbcad7de2197cd65b8c4e809c6e70668b15bb6ffa0c60b5cdbb35b545a7c6cf753989c922edb15d933851c0ec2
  SSDEEP: 49152:a71MLI03MRdMACeOGOXpk+to8SkkkK+5TT9JrwTDqDhp7TDo9DVV7:1LI0clsGOXfignN9Jrf9POH
Malware Config
  (none)

Signatures

UAC bypass (3 IoCs)
  description      ioc                                                                                                              Process
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"  0b857def32c7bae500b087764ea39dae5a2021e78b833a11c54593f2b7569bf5.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"                  0b857def32c7bae500b087764ea39dae5a2021e78b833a11c54593f2b7569bf5.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"      0b857def32c7bae500b087764ea39dae5a2021e78b833a11c54593f2b7569bf5.exe

YARA match: vmprotect (2 IoCs)
  resource                                                                      yara_rule
  behavioral1/memory/3064-23-0x0000000000CE0000-0x00000000011A7000-memory.dmp  vmprotect
  behavioral1/memory/3064-40-0x0000000000CE0000-0x00000000011A7000-memory.dmp  vmprotect

Checks whether UAC is enabled (1 IoCs)
  description      ioc                                                                                             Process
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  0b857def32c7bae500b087764ea39dae5a2021e78b833a11c54593f2b7569bf5.exe

Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid   Process
  3064  0b857def32c7bae500b087764ea39dae5a2021e78b833a11c54593f2b7569bf5.exe
  3064  0b857def32c7bae500b087764ea39dae5a2021e78b833a11c54593f2b7569bf5.exe

Suspicious behavior: RenamesItself (1 IoCs)
  pid   Process
  3064  0b857def32c7bae500b087764ea39dae5a2021e78b833a11c54593f2b7569bf5.exe

Suspicious use of AdjustPrivilegeToken (1 IoCs)
  description                 pid   Process
  Token: SeShutdownPrivilege  3064  0b857def32c7bae500b087764ea39dae5a2021e78b833a11c54593f2b7569bf5.exe

Suspicious use of SetWindowsHookEx (1 IoCs)
  pid   Process
  3064  0b857def32c7bae500b087764ea39dae5a2021e78b833a11c54593f2b7569bf5.exe

System policy modification (1 TTPs, 3 IoCs)
  description      ioc                                                                                                              Process
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"                  0b857def32c7bae500b087764ea39dae5a2021e78b833a11c54593f2b7569bf5.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"      0b857def32c7bae500b087764ea39dae5a2021e78b833a11c54593f2b7569bf5.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"  0b857def32c7bae500b087764ea39dae5a2021e78b833a11c54593f2b7569bf5.exe
Processes

  C:\Users\Admin\AppData\Local\Temp\0b857def32c7bae500b087764ea39dae5a2021e78b833a11c54593f2b7569bf5.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\0b857def32c7bae500b087764ea39dae5a2021e78b833a11c54593f2b7569bf5.exe"
    PID: 3064
    Signatures:
      - UAC bypass
      - Checks whether UAC is enabled
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: RenamesItself
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
      - System policy modification

  C:\Windows\system32\LogonUI.exe
    Command line: "LogonUI.exe" /flags:0x0
    PID: 3012

  C:\Windows\system32\LogonUI.exe
    Command line: "LogonUI.exe" /flags:0x1
    PID: 2428