Analysis
-
max time kernel
1s -
max time network
123s -
platform
windows7_x64 -
resource
win7-20231215-en -
resource tags
arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system -
submitted
29-12-2023 12:57
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
8f.exe
Resource
win7-20231215-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
8f.exe
Resource
win10v2004-20231215-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
8f.exe
-
Size
3.8MB
-
MD5
0f98fd6b7bf409d245491235c3b3a235
-
SHA1
e4e7d35342ad925c3777648dcc5b928996c5132a
-
SHA256
8f5670e8e840235bda7a41acc5df942faa6e995ff5f63d09a5cad39592afaaa1
-
SHA512
853da359d4f59d15bcb54cee950622762cf628923e9f74676f29e8e23597e693a2d58f8965ba4ac9a2a323741324bdf79a8ac54b1d8d9b9a62499b2c32a8648b
-
SSDEEP
98304:JO6busnsQw2+V6joFxBY0NX3UHdq+pqmav:J7bussB2I6joFjY0NkHHsmav
Score
5/10
Malware Config
Signatures
-
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 2488 set thread context of 2788 2488 8f.exe 20 -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry 2 TTPs 16 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data rundll32.exe Key value enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet rundll32.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor rundll32.exe Key enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor rundll32.exe Key value enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 rundll32.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString rundll32.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz rundll32.exe -
Suspicious behavior: EnumeratesProcesses 1 IoCs
pid Process 2488 8f.exe -
Suspicious use of AdjustPrivilegeToken 6 IoCs
description pid Process Token: SeDebugPrivilege 2488 8f.exe Token: SeDebugPrivilege 2488 8f.exe Token: SeDebugPrivilege 2488 8f.exe Token: SeDebugPrivilege 2488 8f.exe Token: SeDebugPrivilege 2488 8f.exe Token: SeDebugPrivilege 2488 8f.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
pid Process 2788 rundll32.exe -
Suspicious use of WriteProcessMemory 8 IoCs
description pid Process procid_target PID 2488 wrote to memory of 2788 2488 8f.exe 20 PID 2488 wrote to memory of 2788 2488 8f.exe 20 PID 2488 wrote to memory of 2788 2488 8f.exe 20 PID 2488 wrote to memory of 2788 2488 8f.exe 20 PID 2488 wrote to memory of 2788 2488 8f.exe 20 PID 2488 wrote to memory of 2788 2488 8f.exe 20 PID 2488 wrote to memory of 2788 2488 8f.exe 20 PID 2488 wrote to memory of 2788 2488 8f.exe 20
Processes
-
C:\Users\Admin\AppData\Local\Temp\8f.exe"C:\Users\Admin\AppData\Local\Temp\8f.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2488 -
C:\Windows\syswow64\rundll32.exe"C:\Windows\syswow64\rundll32.exe" "C:\Windows\syswow64\shell32.dll",#61 C:\Users\Admin\AppData\Local\Temp\8f.exe2⤵
- Checks processor information in registry
- Suspicious use of FindShellTrayWindow
PID:2788
-