Analysis
- max time kernel: 122s
- max time network: 140s
- platform: windows7_x64
- resource: win7-20231215-en
- resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
- submitted: 19/12/2023, 21:59
Static task
- static1

Behavioral task
- behavioral1
  Sample: af1a9812865af53b7ac2508dc0b2a3e7.exe
  Resource: win7-20231215-en

Behavioral task
- behavioral2
  Sample: af1a9812865af53b7ac2508dc0b2a3e7.exe
  Resource: win10v2004-20231215-en
General
- Target: af1a9812865af53b7ac2508dc0b2a3e7.exe
- Size: 10KB
- MD5: af1a9812865af53b7ac2508dc0b2a3e7
- SHA1: 1312d9c4c70180300ae44b5339b56b19d6c51ead
- SHA256: a8c53cb1c5d1a1caeba3d08b332a601c40543b326442015aa7b4082167d747d0
- SHA512: 6badbd2d13f12dab60c6234b0a0a5f107c2685b8cb2920b0af8f31556d9f84b1421810cdaec85492b1ecf6ac1a34bd459d60de37a3eab58482041811903f7691
- SSDEEP: 192:A8QHHGfrRRtHgOs3+2qJvMvzk2tBdHr4CtPLIlThjSug/K:xSErRRBgh3+2qJozk2FUCtkl1jcy
Malware Config
Signatures
- Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow ioc: 2 checkip.dyndns.org
- Gathers system information (1 TTP, 1 IoC)
  Runs systeminfo.exe.
  pid / Process: 1588 systeminfo.exe
- Suspicious use of AdjustPrivilegeToken (5 IoCs)
  description / pid / Process:
  Token: SeDebugPrivilege / 2404 / af1a9812865af53b7ac2508dc0b2a3e7.exe
  Token: SeDebugPrivilege / 2772 / whoami.exe
  Token: SeRestorePrivilege / 2512 / msiexec.exe
  Token: SeTakeOwnershipPrivilege / 2512 / msiexec.exe
  Token: SeSecurityPrivilege / 2512 / msiexec.exe
- Suspicious use of WriteProcessMemory (24 IoCs)
  description / pid / Process / procid_target:
  PID 2404 wrote to memory of 2672 / 2404 / af1a9812865af53b7ac2508dc0b2a3e7.exe / 28
  PID 2404 wrote to memory of 2672 / 2404 / af1a9812865af53b7ac2508dc0b2a3e7.exe / 28
  PID 2404 wrote to memory of 2672 / 2404 / af1a9812865af53b7ac2508dc0b2a3e7.exe / 28
  PID 2404 wrote to memory of 2672 / 2404 / af1a9812865af53b7ac2508dc0b2a3e7.exe / 28
  PID 2672 wrote to memory of 2772 / 2672 / cmd.exe / 30
  PID 2672 wrote to memory of 2772 / 2672 / cmd.exe / 30
  PID 2672 wrote to memory of 2772 / 2672 / cmd.exe / 30
  PID 2672 wrote to memory of 2772 / 2672 / cmd.exe / 30
  PID 2404 wrote to memory of 2784 / 2404 / af1a9812865af53b7ac2508dc0b2a3e7.exe / 31
  PID 2404 wrote to memory of 2784 / 2404 / af1a9812865af53b7ac2508dc0b2a3e7.exe / 31
  PID 2404 wrote to memory of 2784 / 2404 / af1a9812865af53b7ac2508dc0b2a3e7.exe / 31
  PID 2404 wrote to memory of 2784 / 2404 / af1a9812865af53b7ac2508dc0b2a3e7.exe / 31
  PID 2784 wrote to memory of 2988 / 2784 / cmd.exe / 33
  PID 2784 wrote to memory of 2988 / 2784 / cmd.exe / 33
  PID 2784 wrote to memory of 2988 / 2784 / cmd.exe / 33
  PID 2784 wrote to memory of 2988 / 2784 / cmd.exe / 33
  PID 2404 wrote to memory of 1644 / 2404 / af1a9812865af53b7ac2508dc0b2a3e7.exe / 38
  PID 2404 wrote to memory of 1644 / 2404 / af1a9812865af53b7ac2508dc0b2a3e7.exe / 38
  PID 2404 wrote to memory of 1644 / 2404 / af1a9812865af53b7ac2508dc0b2a3e7.exe / 38
  PID 2404 wrote to memory of 1644 / 2404 / af1a9812865af53b7ac2508dc0b2a3e7.exe / 38
  PID 1644 wrote to memory of 1588 / 1644 / cmd.exe / 40
  PID 1644 wrote to memory of 1588 / 1644 / cmd.exe / 40
  PID 1644 wrote to memory of 1588 / 1644 / cmd.exe / 40
  PID 1644 wrote to memory of 1588 / 1644 / cmd.exe / 40
Processes
- C:\Users\Admin\AppData\Local\Temp\af1a9812865af53b7ac2508dc0b2a3e7.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\af1a9812865af53b7ac2508dc0b2a3e7.exe"
  PID: 2404
  Signatures: Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "cmd.exe"
    PID: 2672
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\whoami.exe
      Command line: whoami
      PID: 2772
      Signatures: Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "cmd.exe"
    PID: 2784
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\getmac.exe
      Command line: getmac
      PID: 2988
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "cmd.exe"
    PID: 1644
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\systeminfo.exe
      Command line: systeminfo
      PID: 1588
      Signatures: Gathers system information
- C:\Windows\system32\msiexec.exe
  Command line: C:\Windows\system32\msiexec.exe /V
  PID: 2512
  Signatures: Suspicious use of AdjustPrivilegeToken