Analysis
- max time kernel: 149s
- max time network: 119s
- platform: windows7_x64
- resource: win7-20231215-en
- resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
- submitted: 05-01-2024 17:36

Behavioral tasks
- behavioral1: sample 44083ccdc05f57a3b919d0e38f374f2f.exe, resource win7-20231215-en
- behavioral2: sample 44083ccdc05f57a3b919d0e38f374f2f.exe, resource win10v2004-20231215-en
General
- Target: 44083ccdc05f57a3b919d0e38f374f2f.exe
- Size: 659KB
- MD5: 44083ccdc05f57a3b919d0e38f374f2f
- SHA1: 2ed4195ff0713494a575661faf7098c77cbdf8f1
- SHA256: 85a021577c2ae040ae90d5bf7fa0fa9e0b97060fb2a8d2dada64d32c6ff75d6d
- SHA512: 90d05d2887067d71bd2688331f372c8506feecd3054707eeaf8254a1413c28ae50f70888be45b3ee79b3230843784b13e51631fd2d4e5d87e510679aed5f3987
- SSDEEP: 12288:59AFlAd0Z+89cxTGzO4AucTD8QP2lmFSrVs9LqnK9:/AQ6Zx9cxTmOrucTIEFSpOGg
Malware Config
Signatures

Modifies WinLogon for persistence (2 TTPs, 1 IoC)
- Set value (str) by 44083ccdc05f57a3b919d0e38f374f2f.exe: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windupdt\\winupdate.exe"
  Appending a second executable to the Userinit value makes Winlogon launch it at every interactive logon, alongside the legitimate userinit.exe.

Modifies security service (2 TTPs, 1 IoC)
- Set value (int) by explorer.exe: \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4"
  A Start value of 4 marks the Windows Security Center service (wscsvc) as disabled.

Checks BIOS information in registry (2 TTPs, 2 IoCs)
BIOS information is often read in order to detect sandboxing environments.
- Key value queried by 44083ccdc05f57a3b919d0e38f374f2f.exe: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate
- Key value queried by explorer.exe: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate

Adds Run key to start application (2 TTPs, 2 IoCs)
- Set value (str) by 44083ccdc05f57a3b919d0e38f374f2f.exe: \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windupdt\\winupdate.exe"
- Set value (str) by notepad.exe: \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windupdt\\winupdate.exe"

Suspicious use of SetThreadContext (1 IoC)
- PID 1820 (44083ccdc05f57a3b919d0e38f374f2f.exe) set thread context of PID 2716 (procid_target 17)

Checks processor information in registry (2 TTPs, 8 IoCs)
Processor information is often read in order to detect sandboxing environments.
- Key opened by 44083ccdc05f57a3b919d0e38f374f2f.exe: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
- Key value queried by 44083ccdc05f57a3b919d0e38f374f2f.exe: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString
- Key value queried by 44083ccdc05f57a3b919d0e38f374f2f.exe: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier
- Key value queried by 44083ccdc05f57a3b919d0e38f374f2f.exe: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier
- Key opened by explorer.exe: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
- Key value queried by explorer.exe: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString
- Key value queried by explorer.exe: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier
- Key value queried by explorer.exe: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier

Enumerates system info in registry (2 TTPs, 2 IoCs)
- Key value queried by 44083ccdc05f57a3b919d0e38f374f2f.exe: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier
- Key value queried by explorer.exe: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier

Suspicious use of AdjustPrivilegeToken (46 IoCs)
Both PID 1820 (44083ccdc05f57a3b919d0e38f374f2f.exe) and PID 2716 (explorer.exe) adjusted the same 23 token privileges:
- SeIncreaseQuotaPrivilege
- SeSecurityPrivilege
- SeTakeOwnershipPrivilege
- SeLoadDriverPrivilege
- SeSystemProfilePrivilege
- SeSystemtimePrivilege
- SeProfSingleProcessPrivilege
- SeIncBasePriorityPrivilege
- SeCreatePagefilePrivilege
- SeBackupPrivilege
- SeRestorePrivilege
- SeShutdownPrivilege
- SeDebugPrivilege
- SeSystemEnvironmentPrivilege
- SeChangeNotifyPrivilege
- SeRemoteShutdownPrivilege
- SeUndockPrivilege
- SeManageVolumePrivilege
- SeImpersonatePrivilege
- SeCreateGlobalPrivilege
- privileges 33, 34 and 35 (reported by number only)

Suspicious use of SetWindowsHookEx (1 IoC)
- PID 2716 explorer.exe

Suspicious use of WriteProcessMemory (53 IoCs)
The 53 entries are repeats of three parent-to-child writes:
- PID 1820 (44083ccdc05f57a3b919d0e38f374f2f.exe) wrote to memory of PID 1132 (procid_target 19)
- PID 1820 (44083ccdc05f57a3b919d0e38f374f2f.exe) wrote to memory of PID 2716 (procid_target 17)
- PID 2716 (explorer.exe) wrote to memory of PID 2856 (procid_target 18)
Taken together with the SetThreadContext call on PID 2716, the sample's writes into the explorer.exe it spawned match the usual process-injection sequence of starting a process, writing to its memory and redirecting its thread; the injected explorer.exe is then the process that disables wscsvc and writes to notepad.exe.
Processes
- C:\Users\Admin\AppData\Local\Temp\44083ccdc05f57a3b919d0e38f374f2f.exe (PID 1820)
  Command line: "C:\Users\Admin\AppData\Local\Temp\44083ccdc05f57a3b919d0e38f374f2f.exe"
  - Modifies WinLogon for persistence
  - Checks BIOS information in registry
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\explorer.exe (PID 2716)
    Command line: "C:\Windows\SysWOW64\explorer.exe"
    - Modifies security service
    - Checks BIOS information in registry
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\notepad.exe (PID 2856)
      Command line: C:\Windows\SysWOW64\notepad.exe
  - C:\Windows\SysWOW64\notepad.exe (PID 1132)
    Command line: notepad
    - Adds Run key to start application
Network
MITRE ATT&CK Enterprise v15
- Persistence
  - Boot or Logon Autostart Execution (2)
    - Registry Run Keys / Startup Folder (1)
    - Winlogon Helper DLL (1)
  - Create or Modify System Process (1)
    - Windows Service (1)