Analysis
max time kernel: 149s
max time network: 155s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted: 07/01/2024, 19:37
Static task: static1
1 signatures

Behavioral task: behavioral1
Sample: a8bf8166c67cc2445b507916624dc2c9.exe
Resource: win7-20231215-en
5 signatures
150 seconds

Behavioral task: behavioral2
Sample: a8bf8166c67cc2445b507916624dc2c9.exe
Resource: win10v2004-20231222-en
5 signatures
150 seconds
General
Target: a8bf8166c67cc2445b507916624dc2c9.exe
Size: 260KB
MD5: a8bf8166c67cc2445b507916624dc2c9
SHA1: 6ce3ceea9fd43f9b9f5519545dcd3dee84f1075e
SHA256: 4451d9d0075891bd96dc577628c0cfbf17a905cd7357e9e0038726c407ab576f
SHA512: 42579b291bb643b389bed051ec0045f9616856eaaa19f703dede3e0e382f60305279325974d0e6a5d6af321d1ace8f8219aca316a795ac034ec0f682887f2675
SSDEEP: 6144:0tX21Y7+PO6hIKxeYBy4GPIRMKFpIq7EbjkUvudrhTl:ChIhIKxeRHPI7FpwbjkMWhTl
Score: 10/10
Malware Config

Signatures
Modifies WinLogon for persistence (2 TTPs, 1 IoC)
Description: Set value (str)
IoC: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\AppData\\Local\\Temp\\A8BF81~1.EXE,"
Process: a8bf8166c67cc2445b507916624dc2c9.exe
Adds Run key to start application (2 TTPs, 1 IoC)
Description: Set value (str)
IoC: \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Run\userinit = "C:\\Users\\Admin\\AppData\\Local\\Temp\\A8BF81~1.EXE"
Process: a8bf8166c67cc2445b507916624dc2c9.exe
Modifies WinLogon (2 TTPs, 2 IoCs)
Description: Set value (str)
IoC: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\5df22a75 = "NOð\\\x1fÑ´\x02\b¬¨«<ßåÅì\u009d0àU@\x12¥^&µÚá¡ä\\J¹<Á>Wî\fJkߣR/ÂNhÈpþøÁÅܘW÷Ø\u0090)\x063oœo\bô\u00a0œL!\x1cÅéä\x05,\u0081¤)ÌÑ„a”a\u00adAÅ4©”œ•1þYîAÄâõ!ÄŒÄtr‰Ô^L¢nj\u0081ù\u008d\x1d\x1c]¤ä&\ra^\"™l¹íÆñ¥ybA\x16jñAÌA\rb©©\u00adT¾\nv6Íi…:\x19=\x0eZô}qÁäqõ:¹ý\x16YyÌ\x151lšD2AL±º\"bu\x19\x01•\u00ad!…\x05’6TaÝQ}2Q|¹¤y]ô\u00ad¡=¹•QJÁ\x15é™=µAíŒµŠ‘¥…¢!½ÁÁá\tÊ2ýAqá55\\]~ta-\\Y\t\u00ad]"
Process: a8bf8166c67cc2445b507916624dc2c9.exe

Description: Set value (str)
IoC: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\System = "C:\\Users\\Admin\\AppData\\Local\\Temp\\A8BF81~1.EXE"
Process: a8bf8166c67cc2445b507916624dc2c9.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Suspicious use of AdjustPrivilegeToken (4 IoCs)
Description: Token: SeSecurityPrivilege / PID: 2356 / Process: a8bf8166c67cc2445b507916624dc2c9.exe
Description: Token: SeSecurityPrivilege / PID: 2356 / Process: a8bf8166c67cc2445b507916624dc2c9.exe
Description: Token: SeSecurityPrivilege / PID: 2356 / Process: a8bf8166c67cc2445b507916624dc2c9.exe
Description: Token: SeSecurityPrivilege / PID: 2356 / Process: a8bf8166c67cc2445b507916624dc2c9.exe
Processes
Path: C:\Users\Admin\AppData\Local\Temp\a8bf8166c67cc2445b507916624dc2c9.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\a8bf8166c67cc2445b507916624dc2c9.exe"
PID: 2356
- Modifies WinLogon for persistence
- Adds Run key to start application
- Modifies WinLogon
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken