Analysis
max time kernel: 118s
max time network: 122s
platform: windows7_x64
resource: win7-20231023-en
resource tags: arch:x64, arch:x86, image:win7-20231023-en, locale:en-us, os:windows7-x64, system
submitted: 08/12/2023, 10:24
Static task
static1
Behavioral task
behavioral1
Sample
608c5496db6dd79f0383adb6109af52663289276bc9b7973b881e1d858d4702e.exe
Resource
win7-20231023-en
Behavioral task
behavioral2
Sample
608c5496db6dd79f0383adb6109af52663289276bc9b7973b881e1d858d4702e.exe
Resource
win10v2004-20231127-en
General
Target: 608c5496db6dd79f0383adb6109af52663289276bc9b7973b881e1d858d4702e.exe
Size: 2.0MB
MD5: f17d36b7435da33a9a9d550eaef8f549
SHA1: f079337f39395c7e7bcdc3c05f6287751a7d4f73
SHA256: 608c5496db6dd79f0383adb6109af52663289276bc9b7973b881e1d858d4702e
SHA512: 515a2c5a0c2211e257cbf6e0e0c49299c610d8c90d400c6c02acb4f4ece2f60b2cb91d311b73d7da8e602fde594fb508538e783631c43bf61a98c60b37c0e6fc
SSDEEP: 49152:XLcMLSbtXIRK57i9j78xUn3BlJfoE1xNAfF1oH3tb2qZH9s:XLckSE67w8yJfoE1xNA7qbZ
Malware Config
Signatures
Drops file in Drivers directory (1 IoC)
description | ioc | Process
File created | C:\Windows\system32\drivers\kkctPtna.sys | dllhost.exe

Deletes itself (1 IoC)
pid | Process
1104 | cmd.exe

Loads dropped DLL (1 IoC)
pid | Process
2864 | dllhost.exe

VMProtect packed file (5 IoCs)
resource | yara_rule
behavioral1/memory/468-11-0x0000000000A40000-0x0000000000AC4000-memory.dmp | vmprotect
behavioral1/memory/468-14-0x0000000000A40000-0x0000000000AC4000-memory.dmp | vmprotect
behavioral1/memory/468-13-0x0000000000A40000-0x0000000000AC4000-memory.dmp | vmprotect
behavioral1/memory/468-18-0x0000000000A40000-0x0000000000AC4000-memory.dmp | vmprotect
behavioral1/memory/468-22-0x0000000000A40000-0x0000000000AC4000-memory.dmp | vmprotect

Drops file in System32 directory (1 IoC)
description | ioc | Process
File created | C:\Windows\SysWOW64\s2pg.dll | dllhost.exe

Suspicious use of SetThreadContext (1 IoC)
description | pid | Process | procid_target
PID 2228 set thread context of 2864 | 2228 | 608c5496db6dd79f0383adb6109af52663289276bc9b7973b881e1d858d4702e.exe | 28

Suspicious behavior: EnumeratesProcesses (7 IoCs)
pid | Process
2864 | dllhost.exe
2864 | dllhost.exe
2864 | dllhost.exe
2864 | dllhost.exe
2864 | dllhost.exe
2864 | dllhost.exe
468 | services.exe

Suspicious use of AdjustPrivilegeToken (5 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 2228 | 608c5496db6dd79f0383adb6109af52663289276bc9b7973b881e1d858d4702e.exe
Token: SeDebugPrivilege | 2864 | dllhost.exe
Token: SeIncBasePriorityPrivilege | 2228 | 608c5496db6dd79f0383adb6109af52663289276bc9b7973b881e1d858d4702e.exe
Token: SeDebugPrivilege | 468 | services.exe
Token: SeDebugPrivilege | 2864 | dllhost.exe

Suspicious use of WriteProcessMemory (10 IoCs)
description | pid | Process | procid_target
PID 2228 wrote to memory of 2864 | 2228 | 608c5496db6dd79f0383adb6109af52663289276bc9b7973b881e1d858d4702e.exe | 28
PID 2228 wrote to memory of 2864 | 2228 | 608c5496db6dd79f0383adb6109af52663289276bc9b7973b881e1d858d4702e.exe | 28
PID 2228 wrote to memory of 2864 | 2228 | 608c5496db6dd79f0383adb6109af52663289276bc9b7973b881e1d858d4702e.exe | 28
PID 2228 wrote to memory of 2864 | 2228 | 608c5496db6dd79f0383adb6109af52663289276bc9b7973b881e1d858d4702e.exe | 28
PID 2228 wrote to memory of 2864 | 2228 | 608c5496db6dd79f0383adb6109af52663289276bc9b7973b881e1d858d4702e.exe | 28
PID 2864 wrote to memory of 468 | 2864 | dllhost.exe | 2
PID 2228 wrote to memory of 1104 | 2228 | 608c5496db6dd79f0383adb6109af52663289276bc9b7973b881e1d858d4702e.exe | 29
PID 2228 wrote to memory of 1104 | 2228 | 608c5496db6dd79f0383adb6109af52663289276bc9b7973b881e1d858d4702e.exe | 29
PID 2228 wrote to memory of 1104 | 2228 | 608c5496db6dd79f0383adb6109af52663289276bc9b7973b881e1d858d4702e.exe | 29
PID 2228 wrote to memory of 1104 | 2228 | 608c5496db6dd79f0383adb6109af52663289276bc9b7973b881e1d858d4702e.exe | 29
Processes
Level 1: C:\Windows\system32\services.exe
Command line: C:\Windows\system32\services.exe
PID: 468
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken

Level 1: C:\Users\Admin\AppData\Local\Temp\608c5496db6dd79f0383adb6109af52663289276bc9b7973b881e1d858d4702e.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\608c5496db6dd79f0383adb6109af52663289276bc9b7973b881e1d858d4702e.exe"
PID: 2228
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory

    Level 2 (child of PID 2228): C:\Windows\SysWOW64\dllhost.exe
    Command line: C:\Windows\system32\dllhost.exe
    PID: 2864
    - Drops file in Drivers directory
    - Loads dropped DLL
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    Level 2 (child of PID 2228): C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\608C54~1.EXE > nul
    PID: 1104
    - Deletes itself
Network
MITRE ATT&CK Matrix
Downloads
Filesize: 3.4MB
MD5: b2ee390c0b9947b86ede4deb825710a4
SHA1: 267ca058a46609439560b4742b26e6b4b7d72a6b
SHA256: 64a2135124c4ef3d47efe2ca1936dd9c6a99f5d6fb9aa9365ee26d43a2fd4aa0
SHA512: a81e1813bf0cb5eb3bf2ef32c98304e35d65242dab567c803166d123b6cc34639f598698b198ba85ee55b42c0ab439554340466f69eb5fcfd180bf454c12802b