Analysis
max time kernel
120s
max time network
125s
platform
windows7_x64
resource
win7-20231215-en
resource tags
arch:x64 arch:x86 image:win7-20231215-en locale:en-us os:windows7-x64 system
submitted
24-12-2023 21:20
Static task
static1
Behavioral task
behavioral1
Sample
12c55895f54ce6a9840c3be8837f9dac.exe
Resource
win7-20231215-en
Behavioral task
behavioral2
Sample
12c55895f54ce6a9840c3be8837f9dac.exe
Resource
win10v2004-20231215-en
General
Target
12c55895f54ce6a9840c3be8837f9dac.exe
Size
2.7MB
MD5
12c55895f54ce6a9840c3be8837f9dac
SHA1
dcfff0d05b8893c083a25dc0ae7be76075071398
SHA256
3b24e3d7238406c007bad4039d77f3eed128366c37d94c2986fdb118e9d5a57e
SHA512
1347c2045d0ef513eb242de0b6663d14d225840b1f11d61a137860359cc9ffbf6b1481c9e1607005cd2d3fe1620a40fbb76bebdb33303a8b03ef4ad61afdb48b
SSDEEP
3072:UUXJ1OXAgGTRuu2qqXGUtAmHVhAiMiB0TTN/7hQl:UUCXcTY5NAmTkTJ7hM
Malware Config
Signatures
Modifies WinLogon for persistence 2 TTPs 1 IoCs
description ioc Process
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe wignifgp.exe" 12c55895f54ce6a9840c3be8837f9dac.exe
Modifies Installed Components in the registry 2 TTPs 3 IoCs
description ioc Process
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{tt9381D8F2-0288-11D0-9501-00AA00B911A5} 12c55895f54ce6a9840c3be8837f9dac.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{tt9381D8F2-0288-11D0-9501-00AA00B911A5}\StubPath = "C:\\Windows\\system32\\midiplgayer.exe" 12c55895f54ce6a9840c3be8837f9dac.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{tt9381D8F2-0288-11D0-9501-00AA00B911A5}\un = "1,winugpde,ccgcap.exe,1,wignifgp.exe,1,midiplgayer.exe,1,nortonantviru.exe," 12c55895f54ce6a9840c3be8837f9dac.exe
Deletes itself 1 IoCs
pid Process
2752 cmd.exe
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\winugpde = "C:\\Windows\\ccgcap.exe" 12c55895f54ce6a9840c3be8837f9dac.exe
Modifies WinLogon 2 TTPs 1 IoCs
description ioc Process
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\System = "C:\\Windows\\system32\\nortonantviru.exe" 12c55895f54ce6a9840c3be8837f9dac.exe
Drops file in System32 directory 4 IoCs
description ioc Process
File created C:\Windows\SysWOW64\midiplgayer.exe 12c55895f54ce6a9840c3be8837f9dac.exe
File opened for modification C:\Windows\SysWOW64\nortonantviru.exe 12c55895f54ce6a9840c3be8837f9dac.exe
File opened for modification C:\Windows\SysWOW64\midiplgayer.exe 12c55895f54ce6a9840c3be8837f9dac.exe
File created C:\Windows\SysWOW64\nortonantviru.exe 12c55895f54ce6a9840c3be8837f9dac.exe
Drops file in Windows directory 4 IoCs
description ioc Process
File created C:\Windows\wignifgp.exe 12c55895f54ce6a9840c3be8837f9dac.exe
File opened for modification C:\Windows\wignifgp.exe 12c55895f54ce6a9840c3be8837f9dac.exe
File created C:\Windows\ccgcap.exe 12c55895f54ce6a9840c3be8837f9dac.exe
File opened for modification C:\Windows\ccgcap.exe 12c55895f54ce6a9840c3be8837f9dac.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs
pid Process
2644 12c55895f54ce6a9840c3be8837f9dac.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process
Token: SeDebugPrivilege 2644 12c55895f54ce6a9840c3be8837f9dac.exe
Suspicious use of WriteProcessMemory 64 IoCs
Processes
C:\Windows\system32\winlogon.exe winlogon.exe 1⤵ PID:424
C:\Users\Admin\AppData\Local\Temp\12c55895f54ce6a9840c3be8837f9dac.exe "C:\Users\Admin\AppData\Local\Temp\12c55895f54ce6a9840c3be8837f9dac.exe" 1⤵
- Modifies WinLogon for persistence
- Modifies Installed Components in the registry
- Adds Run key to start application
- Modifies WinLogon
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2644
C:\Windows\SysWOW64\cmd.exe cmd /c c:\$$$$$$.bat 2⤵
- Deletes itself
PID:2752
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize
201B
MD5
0609e4324721474e0a03ffbd1cfc41a1
SHA1
a60f0daaae4e5f7a06b0e3fe409ce3dfd7d85796
SHA256
b4a1b9dd0a476e9c6865b0ce4a2423e47351334d4165eb12bf7b511e866f29ec
SHA512
e1d0e61f30611553a8726d5bb60ad59ef7e34306357be5d5aa58cb73657b17e39a63b112fef7c59958cd3e55ce50a3f4bd690ae8ecc3a61cb1abe68bb224eaf4
Filesize
8.6MB
MD5
8686f894513f983a7f86a56d9f8eb580
SHA1
08ec5946975c57f952da06f55857ed2bc1d28944
SHA256
d2dffb56374a58d8f5a2b7a3fbbf1816c0c35a79d7fc9dc13d05dd4d8d8eeddd
SHA512
cbb52f034a4a34140acdca2a86b15b83c2ea48fb886f162fcf5f3f3f731149ea49530c7b8b1fb0919f9935c228e180367a3acb3012c7940d8bc40813735a7136