Analysis
- max time kernel: 145s
- max time network: 151s
- platform: windows7_x64
- resource: win7-20231215-en
- resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
- submitted: 27/01/2024, 05:19
Static task
- static1
Behavioral task
- behavioral1
  - Sample: 795f466f1d7046801dff29d26e922b35.exe
  - Resource: win7-20231215-en
Behavioral task
- behavioral2
  - Sample: 795f466f1d7046801dff29d26e922b35.exe
  - Resource: win10v2004-20231215-en
General
- Target: 795f466f1d7046801dff29d26e922b35.exe
- Size: 906KB
- MD5: 795f466f1d7046801dff29d26e922b35
- SHA1: 95d942b20ec16b4311e35cfb12a94293cad69851
- SHA256: 81c5ece1954156740f639f838730f9f27f2dbb17b7752f525a715d4bc0fa03e8
- SHA512: 81aab8bb72c1c379d40dd50572c748b296a83dde127ecae441140ba0fe40da9609ad629e5d3a67cae1069183ee3db3e3cbb8fcbd72ef7d24528a758121ee21ca
- SSDEEP: 24576:ahkYErrvfgKDMq4SiagonfDb451LHCKjZOlNr45cIzCAxOj9mNL6rGB4:1YarIOMq4ShffDUPLi3P4D
Malware Config
Signatures
- Adds Run key to start application (2 TTPs, 1 IoCs)
  - description: Set value (str)
  - ioc: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WPA Host = "C:\\Program Files (x86)\\WPA Host\\wpahost.exe"
  - Process: 795f466f1d7046801dff29d26e922b35.exe
- Checks whether UAC is enabled
  - description: Key value queried
  - ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
  - Process: 795f466f1d7046801dff29d26e922b35.exe
- Suspicious use of SetThreadContext (1 IoCs)
  - description: PID 2668 set thread context of 2716
  - Process: 795f466f1d7046801dff29d26e922b35.exe (pid 2668)
  - procid_target: 30
- Drops file in Program Files directory (2 IoCs)
  - File created: C:\Program Files (x86)\WPA Host\wpahost.exe (Process: 795f466f1d7046801dff29d26e922b35.exe)
  - File opened for modification: C:\Program Files (x86)\WPA Host\wpahost.exe (Process: 795f466f1d7046801dff29d26e922b35.exe)
- Creates scheduled task(s) (1 TTPs, 2 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  - pid 1236: schtasks.exe
  - pid 2836: schtasks.exe
- Suspicious behavior: EnumeratesProcesses (10 IoCs)
  - pid 2668: 795f466f1d7046801dff29d26e922b35.exe (6 entries)
  - pid 2716: 795f466f1d7046801dff29d26e922b35.exe (4 entries)
- Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  - pid 2716: 795f466f1d7046801dff29d26e922b35.exe
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  - Token: SeDebugPrivilege, pid 2668, 795f466f1d7046801dff29d26e922b35.exe
  - Token: SeDebugPrivilege, pid 2716, 795f466f1d7046801dff29d26e922b35.exe
  - Token: SeDebugPrivilege, pid 2716, 795f466f1d7046801dff29d26e922b35.exe
- Suspicious use of WriteProcessMemory (25 IoCs)
  All writes originate from 795f466f1d7046801dff29d26e922b35.exe; each row lists writer pid, target pid, procid_target and how many times the entry was recorded.
  - PID 2668 wrote to memory of 2468 (procid_target 28): 4 entries
  - PID 2668 wrote to memory of 2728 (procid_target 29): 4 entries
  - PID 2668 wrote to memory of 2716 (procid_target 30): 9 entries
  - PID 2716 wrote to memory of 2836 (procid_target 31): 4 entries
  - PID 2716 wrote to memory of 1236 (procid_target 33): 4 entries
Processes
- C:\Users\Admin\AppData\Local\Temp\795f466f1d7046801dff29d26e922b35.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\795f466f1d7046801dff29d26e922b35.exe"
  PID: 2668
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\795f466f1d7046801dff29d26e922b35.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\795f466f1d7046801dff29d26e922b35.exe"
    PID: 2468
  - C:\Users\Admin\AppData\Local\Temp\795f466f1d7046801dff29d26e922b35.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\795f466f1d7046801dff29d26e922b35.exe"
    PID: 2728
  - C:\Users\Admin\AppData\Local\Temp\795f466f1d7046801dff29d26e922b35.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\795f466f1d7046801dff29d26e922b35.exe"
    PID: 2716
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\schtasks.exe
      Command line: "schtasks.exe" /create /f /tn "WPA Host" /xml "C:\Users\Admin\AppData\Local\Temp\tmp4A1A.tmp"
      PID: 2836
      - Creates scheduled task(s)
    - C:\Windows\SysWOW64\schtasks.exe
      Command line: "schtasks.exe" /create /f /tn "WPA Host Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmp4CAB.tmp"
      PID: 1236
      - Creates scheduled task(s)
Network
MITRE ATT&CK Enterprise v15
Downloads
- File 1
  - Filesize: 1KB
  - MD5: 1e066fb33041a599e72459f8e659972e
  - SHA1: 1c4787d843093c56a328003247a74b23238224e7
  - SHA256: 44d6b3fbd67563b2f32086a6ec66d726db9ef425821af249ece97da48854d361
  - SHA512: f1e8d8055951009a3289a4237df6597cd0aac83ba5b379f535b127459c8e04ddcf2e17346840a180409f4ed212113b3f9545e2e623b9a6e203bca4e35ff9e395
- File 2
  - Filesize: 1KB
  - MD5: 819bdbdac3be050783d203020e6c4c30
  - SHA1: a373521fceb21cac8b93e55ee48578e40a6e740b
  - SHA256: 0e5dedca6d0d3c50ebcedb5bbf51ef3d434eb6b43da46764205de7636131f053
  - SHA512: cece1c4d8b4db79fc6e3cd225efaccdf9d2493f28991b1d48439944af38aaa61a215bd00a0beedcbdecc4f1ec5be0843774375a483f3d4a573a3980c54798cbd