Analysis

max time kernel: 150s
max time network: 154s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 21/01/2024, 01:50
Static task: static1

Behavioral task: behavioral1
  Sample: 6c0abc8280a103572f14d9b665c25351.exe
  Resource: win7-20231215-en

Behavioral task: behavioral2
  Sample: 6c0abc8280a103572f14d9b665c25351.exe
  Resource: win10v2004-20231215-en

The signatures and process tree below come from behavioral2 (win10v2004-20231215-en, matching the platform field above); the win7 run is not shown on this page.
General

Target: 6c0abc8280a103572f14d9b665c25351.exe
Size: 236KB
MD5: 6c0abc8280a103572f14d9b665c25351
SHA1: a4a95a532717bcfcb3a09640568b7da1133bbecb
SHA256: 18dd3f360bd67de6ffc11ae40ef90bfaea57660b61c541babc459e125ea55352
SHA512: 645a5d0ed9bc9f224cb88d469ef47c9f355f4570a1349155fa33cbc3ab4b10e32b2e4dcb2bdbc955444091d6758d6f430353bc2a842484bd090482e3af4bf2f3
SSDEEP: 6144:ZS9QWrvbXjEN5IngAtra+6/747Ko6RI6z:ZS9Vv7gSraB7qKS
Malware Config
Signatures
-
Modifies WinLogon for persistence  (2 TTPs, 1 IoC)

The stock UserInit value is "C:\Windows\system32\userinit.exe," (note the trailing comma). The sample appends its dropped copy after that comma, so winlogon launches C:\Users\Admin\AppData\Roaming\Windupdt\winupdate.exe at every interactive logon alongside userinit.exe (ATT&CK T1547.004). The key lives under HKLM, so this write only succeeds because the sandbox runs the sample as an administrator; on a standard-user host it would fail and only the per-user Run key below would remain.

description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\AppData\\Roaming\\Windupdt\\winupdate.exe" | 6c0abc8280a103572f14d9b665c25351.exe
Checks BIOS information in registry  (2 TTPs, 2 IoCs)

BIOS information is often read in order to detect sandboxing environments. Note that the same query is made by explorer.exe (PID 864), the process the sample later targets with SetThreadContext; the real explorer.exe has no reason to read the BIOS date immediately after start, so the second row is best read as the sample's code running inside that process.

description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | 6c0abc8280a103572f14d9b665c25351.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | explorer.exe
Adds Run key to start application  (2 TTPs, 2 IoCs)

The value is written under the sandbox user's SID (HKU\S-1-5-21-...-1000), i.e. it is a per-user autostart that does not need administrator rights, and it points at the same dropped file as the UserInit modification above. The second write comes from notepad.exe (PID 4840): notepad never writes Run keys on its own, so this is the first visible effect of the memory the sample wrote into that child.

description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Users\\Admin\\AppData\\Roaming\\Windupdt\\winupdate.exe" | 6c0abc8280a103572f14d9b665c25351.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Users\\Admin\\AppData\\Roaming\\Windupdt\\winupdate.exe" | notepad.exe
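The two persistence IoCs above (the UserInit modification and the Run key) are easy to check for mechanically. The following is an added example for this page, not code from the sandbox or from the sample: it evaluates registry set-value events against both techniques. The event shape (a dict with process, key and value) is an assumed simplification of a parsed Sysmon Event ID 13 record; the first two events are constructed from the report's IoCs and the last two are constructed benign controls.

```python
"""Registry persistence check for a modified Winlogon UserInit value and a
Run key pointing into a user-writable directory.

Added example for this page, not code from the sandbox or the sample.
Event shape is an assumption (parsed Sysmon Event ID 13); the first two
events are constructed from the report's IoCs, the last two are constructed
benign controls.
"""
import re

# Anything after the first comma in UserInit is an extra logon program.
SYSTEM_USERINIT = r"c:\windows\system32\userinit.exe"

USERINIT_KEY = re.compile(r"\\Winlogon\\UserInit$", re.IGNORECASE)
RUN_KEY = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\[^\\]+$",
                     re.IGNORECASE)
# Paths a non-admin user can write to; autostarts from here deserve a look.
USER_WRITABLE = re.compile(r"^\"?C:\\Users\\[^\\]+\\AppData\\", re.IGNORECASE)

EVENTS = [
    # constructed from the report's IoCs (values as the sandbox shows them)
    {"process": "6c0abc8280a103572f14d9b665c25351.exe",
     "key": r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit",
     "value": r"C:\Windows\system32\userinit.exe,C:\Users\Admin\AppData\Roaming\Windupdt\winupdate.exe"},
    {"process": "notepad.exe",
     "key": r"\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winupdater",
     "value": r"C:\Users\Admin\AppData\Roaming\Windupdt\winupdate.exe"},
    # constructed benign controls
    {"process": "TrustedInstaller.exe",
     "key": r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit",
     "value": r"C:\Windows\system32\userinit.exe,"},
    {"process": "msiexec.exe",
     "key": r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorAgent",
     "value": r'"C:\Program Files\Vendor\agent.exe" /background'},
]


def userinit_extras(value):
    """Entries in a UserInit value other than the system userinit.exe."""
    entries = [e.strip().strip('"') for e in value.split(",")]
    return [e for e in entries if e and e.lower() != SYSTEM_USERINIT]


def classify(event):
    """Return (rule, detail) for a suspicious set-value event, or None."""
    key, value = event["key"], event["value"]
    if USERINIT_KEY.search(key):
        extras = userinit_extras(value)
        return ("winlogon_userinit_modified", extras) if extras else None
    if RUN_KEY.search(key) and USER_WRITABLE.match(value):
        return ("run_key_user_writable_path", value)
    return None


def scan(events):
    """Evaluate every event; each hit carries the writing process for triage."""
    hits = []
    for ev in events:
        result = classify(ev)
        if result:
            hits.append((ev["process"], *result))
    return hits


if __name__ == "__main__":
    for hit in scan(EVENTS):
        print(hit)
```

Both regexes match on the tail of the key path, so they work on the sandbox's `\REGISTRY\MACHINE\...` form as well as on `HKLM\...` as Sysmon renders it. The Run-key rule deliberately keys on the target path rather than the value name: the name "winupdater" is arbitrary and changes between builds, the AppData location is what makes it interesting.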
Suspicious use of SetThreadContext  (1 IoC)

The target, PID 864, is the explorer.exe child the sample spawned from SysWOW64 (see the process tree below). Setting a thread context in a child one has also written memory into (see WriteProcessMemory below) is the classic process-hollowing sequence (ATT&CK T1055.012); the sandbox does not show whether the child was created suspended, so this remains an inference from the two API events.

description | pid | process | procid_target
PID 888 set thread context of 864 | 888 | 6c0abc8280a103572f14d9b665c25351.exe | 91
Enumerates physical storage devices  (1 TTP)

Attempts to interact with connected storage/optical drive(s).
Checks processor information in registry  (2 TTPs, 8 IoCs)

Processor information is often read in order to detect sandboxing environments.

description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | 6c0abc8280a103572f14d9b665c25351.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | explorer.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | explorer.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | explorer.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | explorer.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | 6c0abc8280a103572f14d9b665c25351.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | 6c0abc8280a103572f14d9b665c25351.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | 6c0abc8280a103572f14d9b665c25351.exe
Enumerates system info in registry  (2 TTPs, 2 IoCs)

description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier | 6c0abc8280a103572f14d9b665c25351.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier | explorer.exe
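The three registry signatures above (BIOS date, CentralProcessor\0 values and System\Identifier) are individually unremarkable, since legitimate software reads the CPU name too; what marks a sandbox probe is one process reading all of them in quick succession. The following is an added example for this page, not code from the sandbox or from the sample: it profiles registry-query events per process and flags those that cover every fingerprint category. The event tuple shape (pid, process, key) is an assumed simplification of registry-query telemetry; the 888 and 864 rows are constructed from the report's "Key value queried" IoCs and the 1234 row is a constructed benign control.

```python
"""Flag processes that read the registry keys sandboxes are fingerprinted by.

Added example for this page, not code from the sandbox or the sample.
Event shape (pid, process, key) is an assumption; the 888/864 rows are
constructed from the report's IoCs, the 1234 row is a constructed benign
control.
"""
from collections import defaultdict

HW = r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System"

# Fingerprint keys grouped by what they reveal about the (virtual) machine.
FINGERPRINT = {
    HW + r"\SystemBiosDate": "bios",
    HW + r"\SystemBiosVersion": "bios",
    HW + r"\VideoBiosVersion": "bios",
    HW + r"\Identifier": "system",
    HW + r"\CentralProcessor\0\VendorIdentifier": "cpu",
    HW + r"\CentralProcessor\0\ProcessorNameString": "cpu",
    HW + r"\CentralProcessor\0\Identifier": "cpu",
}

SAMPLE = "6c0abc8280a103572f14d9b665c25351.exe"

EVENTS = [
    (888, SAMPLE, HW + r"\SystemBiosDate"),
    (888, SAMPLE, HW + r"\CentralProcessor\0\VendorIdentifier"),
    (888, SAMPLE, HW + r"\CentralProcessor\0\ProcessorNameString"),
    (888, SAMPLE, HW + r"\CentralProcessor\0\Identifier"),
    (888, SAMPLE, HW + r"\Identifier"),
    (864, "explorer.exe", HW + r"\SystemBiosDate"),
    (864, "explorer.exe", HW + r"\CentralProcessor\0\VendorIdentifier"),
    (864, "explorer.exe", HW + r"\CentralProcessor\0\ProcessorNameString"),
    (864, "explorer.exe", HW + r"\CentralProcessor\0\Identifier"),
    (864, "explorer.exe", HW + r"\Identifier"),
    (1234, "Taskmgr.exe", HW + r"\CentralProcessor\0\ProcessorNameString"),  # benign control
]


def fingerprint_profile(events):
    """Map pid -> [process name, set of fingerprint categories it queried]."""
    profile = defaultdict(lambda: [None, set()])
    for pid, name, key in events:
        category = FINGERPRINT.get(key)
        if category:
            profile[pid][0] = name
            profile[pid][1].add(category)
    return profile


def sandbox_probe_pids(events, required=("bios", "cpu", "system")):
    """PIDs that read every required category.  One CPU-name read is normal;
    BIOS date plus CPU vendor plus system identifier together is a probe."""
    return sorted(pid for pid, (_, cats) in fingerprint_profile(events).items()
                  if set(required) <= cats)


if __name__ == "__main__":
    for pid in sandbox_probe_pids(EVENTS):
        print(pid, fingerprint_profile(EVENTS)[pid])
```

On a real host explorer.exe will occasionally trip this on its own, so the hit on 864 is only actionable together with the injection evidence below: the same process is the SetThreadContext target, and it runs the identical query set as the parent.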
Suspicious use of AdjustPrivilegeToken  (48 IoCs)

Both PID 888 (6c0abc8280a103572f14d9b665c25351.exe) and PID 864 (explorer.exe) enable the same 24 privileges, 48 token events in total:

SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, plus four privileges the sandbox reports only by LUID (33, 34, 35, 36).

This is the complete privilege list of an elevated administrator token enabled wholesale, not a targeted SeDebugPrivilege request; code that walks its own token and enables everything it holds produces exactly this pattern. That explorer.exe repeats it verbatim is the strongest single indicator on the page that PID 864 is executing the sample's code.
Suspicious use of WriteProcessMemory  (28 IoCs)

description | pid | process | procid_target | count
PID 888 wrote to memory of 4840 | 888 | 6c0abc8280a103572f14d9b665c25351.exe | 90 | 23 events
PID 888 wrote to memory of 864 | 888 | 6c0abc8280a103572f14d9b665c25351.exe | 91 | 5 events

The sample writes into both of its children, but only explorer.exe (864) also receives SetThreadContext. Whatever was written into notepad.exe (4840) did execute, since that process subsequently sets the Run key (see above), so the two children appear to be driven by different injection mechanics; the sandbox output alone does not say which.
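The SetThreadContext and WriteProcessMemory signatures above only become a verdict once they are correlated per source/target pair. The following is an added example for this page, not code from the sandbox or from the sample: it reconstructs the report's API counts as a constructed timeline and classifies each pair. The event shape (seq, api, source pid, target pid) and the ordering are assumptions; the sandbox gives counts per pair, not a timeline, and the CreateProcess events are taken from the process tree rather than from an API log.

```python
"""Correlate cross-process API events into per-pair injection verdicts.

Added example for this page, not code from the sandbox or the sample.  The
event shape (seq, api, src, dst) and ordering are assumed; the counts match
the report: 23 writes to 4840, 5 writes plus one SetThreadContext to 864.
"""
from collections import defaultdict

SAMPLE_PID = 888
NOTEPAD_PID, EXPLORER_PID = 4840, 864


def build_events():
    """Constructed API timeline in the order a hollowing loader would emit it."""
    events = []

    def emit(api, src, dst):
        events.append((len(events) + 1, api, src, dst))

    emit("CreateProcess", SAMPLE_PID, NOTEPAD_PID)          # notepad.exe child
    for _ in range(23):
        emit("WriteProcessMemory", SAMPLE_PID, NOTEPAD_PID)
    emit("CreateProcess", SAMPLE_PID, EXPLORER_PID)         # explorer.exe child
    for _ in range(5):
        emit("WriteProcessMemory", SAMPLE_PID, EXPLORER_PID)
    emit("SetThreadContext", SAMPLE_PID, EXPLORER_PID)
    return events


def injection_verdicts(events):
    """Map (src, dst) -> verdict derived from the APIs src used against dst."""
    calls = defaultdict(list)
    for seq, api, src, dst in events:
        if src != dst:                      # only cross-process activity matters
            calls[(src, dst)].append((seq, api))

    verdicts = {}
    for pair, apis in calls.items():
        writes = [s for s, a in apis if a == "WriteProcessMemory"]
        ctx = [s for s, a in apis if a == "SetThreadContext"]
        if writes and ctx and min(writes) < max(ctx):
            # memory written first, then a thread redirected: hollowing pattern
            verdicts[pair] = "write_then_setthreadcontext"
        elif writes:
            verdicts[pair] = "write_only"
        elif any(a == "CreateProcess" for _, a in apis):
            verdicts[pair] = "create_only"  # plain child, nothing injected
    return verdicts


def write_count(events, dst):
    """Number of WriteProcessMemory events into a given target pid."""
    return sum(1 for _, api, _, d in events if api == "WriteProcessMemory" and d == dst)


if __name__ == "__main__":
    for pair, verdict in injection_verdicts(build_events()).items():
        print(pair, verdict)
```

Sysmon does not log WriteProcessMemory directly; in practice the "write" leg comes from Event ID 10 (ProcessAccess) with PROCESS_VM_WRITE (0x0020) in GrantedAccess, and the "context" leg from the same event with PROCESS_SET_INFORMATION or thread-level access, so the correlation logic stays the same while the event source changes.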
Processes

C:\Users\Admin\AppData\Local\Temp\6c0abc8280a103572f14d9b665c25351.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\6c0abc8280a103572f14d9b665c25351.exe"
  PID 888
  - Modifies WinLogon for persistence
  - Checks BIOS information in registry
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  |
  +-- C:\Windows\SysWOW64\notepad.exe
  |     command line: notepad
  |     PID 4840
  |     - Adds Run key to start application
  |
  +-- C:\Windows\SysWOW64\explorer.exe
        command line: "C:\Windows\SysWOW64\explorer.exe"
        PID 864
        - Checks BIOS information in registry
        - Checks processor information in registry
        - Enumerates system info in registry
        - Suspicious use of AdjustPrivilegeToken

Both children are the 32-bit (SysWOW64) copies of benign system binaries, consistent with a 32-bit sample (arch:x86 in the resource tags) whose system32 lookups are redirected. Neither child does anything the real binary would: notepad.exe writes an autostart value and explorer.exe enables every privilege and probes the BIOS/CPU keys, which is the behavioural confirmation that the memory the sample wrote into them was executed.
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 236KB
MD5: 6c0abc8280a103572f14d9b665c25351
SHA1: a4a95a532717bcfcb3a09640568b7da1133bbecb
SHA256: 18dd3f360bd67de6ffc11ae40ef90bfaea57660b61c541babc459e125ea55352
SHA512: 645a5d0ed9bc9f224cb88d469ef47c9f355f4570a1349155fa33cbc3ab4b10e32b2e4dcb2bdbc955444091d6758d6f430353bc2a842484bd090482e3af4bf2f3

These hashes are identical to the submitted sample. The dropped file both persistence entries point at, C:\Users\Admin\AppData\Roaming\Windupdt\winupdate.exe, is not listed here, so its hash cannot be confirmed from this page; treat the path, not a hash, as the host IoC for it.