Analysis
max time kernel: 119s
max time network: 119s
platform: windows7_x64
resource: win7-20231129-en
resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
submitted: 20/01/2024, 10:13
Static task: static1
Behavioral task: behavioral1
  Sample: 6a27d634d60cf8f2b9271c185cf76da2.exe
  Resource: win7-20231129-en
Behavioral task: behavioral2
  Sample: 6a27d634d60cf8f2b9271c185cf76da2.exe
  Resource: win10v2004-20231222-en
General
Target: 6a27d634d60cf8f2b9271c185cf76da2.exe
Size: 1.3MB
MD5: 6a27d634d60cf8f2b9271c185cf76da2
SHA1: ac96a1b10ce298ee5b2a95fdf3a2eeaf200ed3b0
SHA256: 1d2e094fb574bb2d941f69394e1324fce3247cdfa8c5e09fee9c18a906b1e88d
SHA512: 9e348a29794381ac72ca20eb72f32c1f02d49011296c472e273287187364a77453573753422eed0b3f1c073b6981376474353d25b9977511622a4de1c021cdaa
SSDEEP: 24576:MdwQH6icoECFpWylHAy8IYQoRJCSrG1mxMJaFjEx4AFcxsv:YluoE0pWylgy8DQozCcycMJJxtFciv
Malware Config
Signatures

Modifies WinLogon for persistence (2 TTPs, 1 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windupdt\\winupdate.exe" | 6a27d634d60cf8f2b9271c185cf76da2.exe

Checks BIOS information in registry (2 TTPs, 1 IoCs)
BIOS information is often read in order to detect sandboxing environments.
  description | ioc | Process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | 6a27d634d60cf8f2b9271c185cf76da2.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windupdt\\winupdate.exe" | 6a27d634d60cf8f2b9271c185cf76da2.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windupdt\\winupdate.exe" | notepad.exe
Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoCs)
  pid | Process
  2888 | 6a27d634d60cf8f2b9271c185cf76da2.exe

Suspicious use of SetThreadContext (2 IoCs)
  description | pid | Process | procid_target
  PID 2888 set thread context of 2736 | 2888 | 6a27d634d60cf8f2b9271c185cf76da2.exe | 28
  PID 2736 set thread context of 2588 | 2736 | 6a27d634d60cf8f2b9271c185cf76da2.exe | 30

Program crash (1 IoCs)
  pid | pid_target | Process | procid_target
  2724 | 2588 | WerFault.exe | 30
Checks processor information in registry (2 TTPs, 4 IoCs)
Processor information is often read in order to detect sandboxing environments.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | 6a27d634d60cf8f2b9271c185cf76da2.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | 6a27d634d60cf8f2b9271c185cf76da2.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | 6a27d634d60cf8f2b9271c185cf76da2.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | 6a27d634d60cf8f2b9271c185cf76da2.exe

Enumerates system info in registry (2 TTPs, 1 IoCs)
  description | ioc | Process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier | 6a27d634d60cf8f2b9271c185cf76da2.exe
Suspicious use of AdjustPrivilegeToken (23 IoCs)
  All 23 entries are for pid 2736, process 6a27d634d60cf8f2b9271c185cf76da2.exe. Tokens enabled:
  SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege,
  SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege,
  SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege,
  SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege,
  SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35
Suspicious use of SetWindowsHookEx (2 IoCs)
  pid | Process
  2888 | 6a27d634d60cf8f2b9271c185cf76da2.exe
  2888 | 6a27d634d60cf8f2b9271c185cf76da2.exe

Suspicious use of WriteProcessMemory (49 IoCs)
  The 49 entries are repeats of four distinct events; the count column gives how many times each appears.
  description | pid | Process | procid_target | count
  PID 2888 wrote to memory of 2736 | 2888 | 6a27d634d60cf8f2b9271c185cf76da2.exe | 28 | 15
  PID 2736 wrote to memory of 2028 | 2736 | 6a27d634d60cf8f2b9271c185cf76da2.exe | 29 | 24
  PID 2736 wrote to memory of 2588 | 2736 | 6a27d634d60cf8f2b9271c185cf76da2.exe | 30 | 6
  PID 2588 wrote to memory of 2724 | 2588 | explorer.exe | 31 | 4
Processes

C:\Users\Admin\AppData\Local\Temp\6a27d634d60cf8f2b9271c185cf76da2.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\6a27d634d60cf8f2b9271c185cf76da2.exe"
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID: 2888

  C:\Users\Admin\AppData\Local\Temp\6a27d634d60cf8f2b9271c185cf76da2.exe
    command line: C:\Users\Admin\AppData\Local\Temp\6a27d634d60cf8f2b9271c185cf76da2.exe
    - Modifies WinLogon for persistence
    - Checks BIOS information in registry
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID: 2736

    C:\Windows\SysWOW64\notepad.exe
      command line: notepad
      - Adds Run key to start application
      PID: 2028

    C:\Windows\SysWOW64\explorer.exe
      command line: "C:\Windows\SysWOW64\explorer.exe"
      - Suspicious use of WriteProcessMemory
      PID: 2588

      C:\Windows\SysWOW64\WerFault.exe
        command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2588 -s 176
        - Program crash
        PID: 2724
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 344KB
MD5: dda5c16e3bdd301ea2d7581501073ede
SHA1: 571eb4c17a7dbe4d8f2da795bb2ba379412ecf54
SHA256: 95e5b4e84284d0f80d94626ac2a6fb4d96e93c2ca0560c78d85734e50deda861
SHA512: fa55834ce4e233365fc24142b8b2759fae49fc217114189090f33ce4fc09df34b660384bfe844235c0e1c27b048fca4a857c6464094898162abe0bfd72608566