Analysis
- max time kernel: 149s
- max time network: 124s
- platform: windows7_x64
- resource: win7-20231215-en
- resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
- submitted: 21/01/2024, 01:50
Static task: static1
Behavioral task: behavioral1
- Sample: 6c0abc8280a103572f14d9b665c25351.exe
- Resource: win7-20231215-en
Behavioral task: behavioral2
- Sample: 6c0abc8280a103572f14d9b665c25351.exe
- Resource: win10v2004-20231215-en
General
- Target: 6c0abc8280a103572f14d9b665c25351.exe
- Size: 236KB
- MD5: 6c0abc8280a103572f14d9b665c25351
- SHA1: a4a95a532717bcfcb3a09640568b7da1133bbecb
- SHA256: 18dd3f360bd67de6ffc11ae40ef90bfaea57660b61c541babc459e125ea55352
- SHA512: 645a5d0ed9bc9f224cb88d469ef47c9f355f4570a1349155fa33cbc3ab4b10e32b2e4dcb2bdbc955444091d6758d6f430353bc2a842484bd090482e3af4bf2f3
- SSDEEP: 6144:ZS9QWrvbXjEN5IngAtra+6/747Ko6RI6z:ZS9Vv7gSraB7qKS
Malware Config
Signatures
Modifies WinLogon for persistence 2 TTPs 1 IoCs
winlogon.exe runs the Userinit value at every interactive logon. The value is a comma-separated list, so appending a second path makes the dropped winupdate.exe start alongside the stock userinit.exe without replacing it.
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\AppData\\Roaming\\Windupdt\\winupdate.exe" | 6c0abc8280a103572f14d9b665c25351.exe
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | 6c0abc8280a103572f14d9b665c25351.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | explorer.exe
Adds Run key to start application 2 TTPs 2 IoCs
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Users\\Admin\\AppData\\Roaming\\Windupdt\\winupdate.exe" | 6c0abc8280a103572f14d9b665c25351.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Users\\Admin\\AppData\\Roaming\\Windupdt\\winupdate.exe" | notepad.exe
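The Userinit and Run-key entries above can be triaged mechanically on a suspect host or from an exported hive. The following is an added example, not code from the sandbox report or its tooling: it takes registry value strings (constructed here from the report's IoCs plus one benign control), flags any Userinit entry other than the stock userinit.exe, and flags Run commands that resolve into user-writable profile directories. The helper names and the list of user-writable locations are my own assumptions.

```python
"""Triage Winlogon\\Userinit and Run-key values for persistence anomalies.

Added example, not code from the sandbox report. The input strings below are
constructed from the report's IoCs; helper names and path lists are assumptions.
"""
import ntpath
import re

# Profile/temp locations a logon-time command rarely lives in legitimately
# (assumption: extend for your environment).
USER_WRITABLE = re.compile(
    r"\\(AppData\\(Roaming|Local)|Local Settings|Temp|ProgramData)\\",
    re.IGNORECASE,
)
# Per-user or machine Run / RunOnce value paths.
RUN_KEY = re.compile(r"\\CurrentVersion\\Run(Once)?\\[^\\]+$", re.IGNORECASE)


def split_userinit(value):
    """Userinit is a comma-separated list; a trailing comma is normal."""
    return [p.strip().strip('"') for p in value.split(",") if p.strip()]


def userinit_extras(value, windir=r"C:\Windows"):
    """Return entries other than the stock <windir>\\system32\\userinit.exe."""
    stock = ntpath.join(windir, "system32", "userinit.exe").lower()
    return [p for p in split_userinit(value) if p.lower() != stock]


def run_value_suspicious(command):
    """True when a Run-key command points into a user-writable directory."""
    return USER_WRITABLE.search(command) is not None


def triage(values):
    """values: {registry value path: data}. Returns (path, reason, data) findings."""
    findings = []
    for path, data in values.items():
        if path.lower().endswith(r"\winlogon\userinit"):
            for extra in userinit_extras(data):
                findings.append((path, "extra Userinit entry", extra))
        elif RUN_KEY.search(path) and run_value_suspicious(data):
            findings.append((path, "Run command in user-writable dir", data))
    return findings


# Constructed from the report's IoCs (backslashes unescaped), plus a benign control.
SAMPLE = {
    r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit":
        r"C:\Windows\system32\userinit.exe,C:\Users\Admin\AppData\Roaming\Windupdt\winupdate.exe",
    r"\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Run\winupdater":
        r"C:\Users\Admin\AppData\Roaming\Windupdt\winupdate.exe",
    # Benign control (constructed): a vendor Run entry under Program Files.
    r"\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive":
        r"C:\Program Files\Microsoft OneDrive\OneDrive.exe /background",
}

if __name__ == "__main__":
    for path, reason, data in triage(SAMPLE):
        print(f"{reason}: {data}\n    at {path}")
```

On a live host the same functions can be fed from `winreg` (HKLM for Userinit, each loaded user hive for Run); the string logic does not change. A trailing comma in Userinit is normal and must not be reported, which is why empty entries are dropped before comparison.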
Suspicious use of SetThreadContext 1 IoCs
Setting the thread context of a child the sample itself created (here explorer.exe, PID 2864) after writing into its memory is the sequence used by process hollowing (RunPE): the child's entry point is redirected to the injected image before its main thread resumes.
  description | pid | process | procid_target
  PID 2876 set thread context of 2864 | 2876 | 6c0abc8280a103572f14d9b665c25351.exe | 29
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Checks processor information in registry 2 TTPs 8 IoCs
Processor information is often read in order to detect sandboxing environments.
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | explorer.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | explorer.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | explorer.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | explorer.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | 6c0abc8280a103572f14d9b665c25351.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | 6c0abc8280a103572f14d9b665c25351.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | 6c0abc8280a103572f14d9b665c25351.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | 6c0abc8280a103572f14d9b665c25351.exe
Enumerates system info in registry 2 TTPs 2 IoCs
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier | 6c0abc8280a103572f14d9b665c25351.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier | explorer.exe
Suspicious use of AdjustPrivilegeToken 46 IoCs
The same 23 privileges are enabled twice: first by the sample (PID 2876), then by the explorer.exe child (PID 2864).
  pid | process | tokens
  2876 | 6c0abc8280a103572f14d9b665c25351.exe | SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35
  2864 | explorer.exe | SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35
Suspicious use of WriteProcessMemory 30 IoCs
Identical rows are collapsed with a count.
  count | description | pid | process | procid_target
  24 | PID 2876 wrote to memory of 2364 | 2876 | 6c0abc8280a103572f14d9b665c25351.exe | 28
  6 | PID 2876 wrote to memory of 2864 | 2876 | 6c0abc8280a103572f14d9b665c25351.exe | 29
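The WriteProcessMemory rows on their own do not separate the two children: both notepad.exe (PID 2364) and explorer.exe (PID 2864) receive writes, but only explorer.exe also has its thread context set. The following added example (not the sandbox's own logic) parses event lines in the report's wording, counts writes per source/target pair, and reports only targets that received both a memory write and a SetThreadContext from the same source. The event lines are constructed from the report with the repeat counts reduced; function names are my own.

```python
"""Correlate WriteProcessMemory and SetThreadContext events from a sandbox report.

Added example, not the sandbox's own logic. The event lines below are
constructed in the report's wording with counts reduced for brevity.
"""
import re
from collections import defaultdict

# Matches e.g. "PID 2876 wrote to memory of 2864 2876 <image> 29"
EVENT = re.compile(
    r"PID (?P<src>\d+) (?P<op>wrote to memory of|set thread context of) "
    r"(?P<dst>\d+) \d+ (?P<image>\S+) (?P<target_idx>\d+)"
)


def parse_events(lines):
    """Return (src_pid, op, dst_pid, src_image) for each recognised line."""
    out = []
    for line in lines:
        m = EVENT.search(line)
        if m:
            out.append((int(m["src"]), m["op"], int(m["dst"]), m["image"]))
    return out


def correlate(events):
    """Per (src, dst) pair: number of memory writes and whether a thread context was set."""
    pairs = defaultdict(lambda: {"writes": 0, "set_context": False, "src_image": None})
    for src, op, dst, image in events:
        rec = pairs[(src, dst)]
        rec["src_image"] = image
        if op == "wrote to memory of":
            rec["writes"] += 1
        else:
            rec["set_context"] = True
    return dict(pairs)


def hollowing_candidates(events):
    """Targets that got both memory writes and SetThreadContext from one source.

    Writes alone are weaker evidence: the notepad.exe child receives writes
    but no context change, so it is visible in correlate() but not here.
    """
    return sorted(dst for (src, dst), rec in correlate(events).items()
                  if rec["writes"] and rec["set_context"])


# Constructed from the report (24 and 6 writes reduced to 3 and 2).
SAMPLE_LINES = [
    "PID 2876 wrote to memory of 2364 2876 6c0abc8280a103572f14d9b665c25351.exe 28",
    "PID 2876 wrote to memory of 2364 2876 6c0abc8280a103572f14d9b665c25351.exe 28",
    "PID 2876 wrote to memory of 2364 2876 6c0abc8280a103572f14d9b665c25351.exe 28",
    "PID 2876 wrote to memory of 2864 2876 6c0abc8280a103572f14d9b665c25351.exe 29",
    "PID 2876 wrote to memory of 2864 2876 6c0abc8280a103572f14d9b665c25351.exe 29",
    "PID 2876 set thread context of 2864 2876 6c0abc8280a103572f14d9b665c25351.exe 29",
    # Unrelated row from the token signature; must be ignored by the parser.
    "Token: SeDebugPrivilege 2876 6c0abc8280a103572f14d9b665c25351.exe",
]

if __name__ == "__main__":
    ev = parse_events(SAMPLE_LINES)
    for (src, dst), rec in sorted(correlate(ev).items()):
        print(f"{src} -> {dst}: writes={rec['writes']} set_context={rec['set_context']}")
    print("hollowing candidates:", hollowing_candidates(ev))
```

The same correlation is what a Sysmon-based rule would express with Event ID 8/10 joined on source and target PID; here it is done over the report text so the reasoning is visible end to end.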
Processes
Both children are started from the SysWOW64 (32-bit) image directory, consistent with a 32-bit sample running on the x64 guest.
- C:\Users\Admin\AppData\Local\Temp\6c0abc8280a103572f14d9b665c25351.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\6c0abc8280a103572f14d9b665c25351.exe"
  depth 1, PID 2876
  - Modifies WinLogon for persistence
  - Checks BIOS information in registry
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\notepad.exe
    command line: notepad
    depth 2, PID 2364, parent PID 2876
    - Adds Run key to start application
  - C:\Windows\SysWOW64\explorer.exe
    command line: "C:\Windows\SysWOW64\explorer.exe"
    depth 2, PID 2864, parent PID 2876
    - Checks BIOS information in registry
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious use of AdjustPrivilegeToken