Analysis
-
max time kernel
37s -
max time network
125s -
platform
windows7_x64 -
resource
win7-20231129-en -
resource tags
arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system -
submitted
30/12/2023, 03:51
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
0d805460dbde9cac7783fb46a7a5b4df.exe
Resource
win7-20231129-en
windows7-x64
9 signatures
150 seconds
Behavioral task
behavioral2
Sample
0d805460dbde9cac7783fb46a7a5b4df.exe
Resource
win10v2004-20231215-en
windows10-2004-x64
13 signatures
150 seconds
General
-
Target
0d805460dbde9cac7783fb46a7a5b4df.exe
-
Size
206KB
-
MD5
0d805460dbde9cac7783fb46a7a5b4df
-
SHA1
f048583dc9152fc936ed353c81df3b8551bfe1b6
-
SHA256
1bdf0fc891b8611431f40a71e42a0cec796d9db12d0f0d8cb47459f39e997c49
-
SHA512
8bc4fe25ef93c5621a3d82f51fb9e5ed14d0d73a9a9401db9b0be13e4fa32d718dd8ca819dfe1e244f30537a09510d7db2875912c66d831f4ed8b6d97df4d966
-
SSDEEP
3072:qXg49H0gEaPAllP81Oj5uWoS/8GYo/eLUmypwjmhFOAf+XG7gwr6+pVNsa/oiXCS:qXb0haUlXeBhUdpwjmrOAfp/6OYcuS
Score
8/10
Malware Config
Signatures
-
Modifies AppInit DLL entries 2 TTPs
-
Loads dropped DLL 1 IoCs
pid Process 2936 0d805460dbde9cac7783fb46a7a5b4df.exe -
Modifies WinLogon 2 TTPs 8 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\acac\Shutdown = "WlxShutdownEvent" 0d805460dbde9cac7783fb46a7a5b4df.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\acac\Impersonate = "0" 0d805460dbde9cac7783fb46a7a5b4df.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\acac\Asynchronous = "0" 0d805460dbde9cac7783fb46a7a5b4df.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\acac\Image = "C:\\Users\\Admin\\AppData\\Local\\Temp\\0d805460dbde9cac7783fb46a7a5b4df.exe" 0d805460dbde9cac7783fb46a7a5b4df.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\acac 0d805460dbde9cac7783fb46a7a5b4df.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify 0d805460dbde9cac7783fb46a7a5b4df.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\acac\DllName = "C:\\Windows\\system32\\acac.dll" 0d805460dbde9cac7783fb46a7a5b4df.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\acac\Startup = "WlxStartupEvent" 0d805460dbde9cac7783fb46a7a5b4df.exe -
Drops file in System32 directory 6 IoCs
description ioc Process File created C:\Windows\SysWOW64\rdpwiasn.dll 0d805460dbde9cac7783fb46a7a5b4df.exe File created C:\Windows\SysWOW64\dpmomspr.dll 0d805460dbde9cac7783fb46a7a5b4df.exe File created C:\Windows\SysWOW64\msimnpwm.exe 0d805460dbde9cac7783fb46a7a5b4df.exe File created C:\Windows\SysWOW64\acac.dll 0d805460dbde9cac7783fb46a7a5b4df.exe File created C:\Windows\SysWOW64\e1.dll 0d805460dbde9cac7783fb46a7a5b4df.exe File created C:\Windows\SysWOW64\dminupnp.dll 0d805460dbde9cac7783fb46a7a5b4df.exe -
description ioc Process Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Zoom iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{0C5F2871-A7FF-11EE-8EEA-EE2F313809B4} = "0" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\GPU iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\LowRegistry iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Toolbar iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\InternetRegistry iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\IETld\LowMic iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\IntelliForms iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\PageSetup iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" iexplore.exe -
Suspicious behavior: EnumeratesProcesses 13 IoCs
pid Process 2936 0d805460dbde9cac7783fb46a7a5b4df.exe 2936 0d805460dbde9cac7783fb46a7a5b4df.exe 2936 0d805460dbde9cac7783fb46a7a5b4df.exe 2936 0d805460dbde9cac7783fb46a7a5b4df.exe 2936 0d805460dbde9cac7783fb46a7a5b4df.exe 2936 0d805460dbde9cac7783fb46a7a5b4df.exe 2936 0d805460dbde9cac7783fb46a7a5b4df.exe 2936 0d805460dbde9cac7783fb46a7a5b4df.exe 2936 0d805460dbde9cac7783fb46a7a5b4df.exe 2936 0d805460dbde9cac7783fb46a7a5b4df.exe 2936 0d805460dbde9cac7783fb46a7a5b4df.exe 2936 0d805460dbde9cac7783fb46a7a5b4df.exe 2936 0d805460dbde9cac7783fb46a7a5b4df.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 2936 0d805460dbde9cac7783fb46a7a5b4df.exe -
Suspicious use of SetWindowsHookEx 3 IoCs
pid Process 2936 0d805460dbde9cac7783fb46a7a5b4df.exe 2664 iexplore.exe 2664 iexplore.exe -
Suspicious use of WriteProcessMemory 9 IoCs
description pid Process procid_target PID 2936 wrote to memory of 1372 2936 0d805460dbde9cac7783fb46a7a5b4df.exe 6 PID 2936 wrote to memory of 2664 2936 0d805460dbde9cac7783fb46a7a5b4df.exe 30 PID 2936 wrote to memory of 2664 2936 0d805460dbde9cac7783fb46a7a5b4df.exe 30 PID 2936 wrote to memory of 2664 2936 0d805460dbde9cac7783fb46a7a5b4df.exe 30 PID 2936 wrote to memory of 2664 2936 0d805460dbde9cac7783fb46a7a5b4df.exe 30 PID 2664 wrote to memory of 2460 2664 iexplore.exe 29 PID 2664 wrote to memory of 2460 2664 iexplore.exe 29 PID 2664 wrote to memory of 2460 2664 iexplore.exe 29 PID 2664 wrote to memory of 2460 2664 iexplore.exe 29
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵PID:1372
-
C:\Users\Admin\AppData\Local\Temp\0d805460dbde9cac7783fb46a7a5b4df.exe"C:\Users\Admin\AppData\Local\Temp\0d805460dbde9cac7783fb46a7a5b4df.exe"2⤵
- Loads dropped DLL
- Modifies WinLogon
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2936 -
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" about:blank3⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2664
-
-
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2664 CREDAT:275457 /prefetch:21⤵PID:2460