Analysis
-
max time kernel
142s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20231215-en -
resource tags
arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system -
submitted
27/01/2024, 05:19
Static task
static1
Behavioral task
behavioral1
Sample
795f466f1d7046801dff29d26e922b35.exe
Resource
win7-20231215-en
Behavioral task
behavioral2
Sample
795f466f1d7046801dff29d26e922b35.exe
Resource
win10v2004-20231215-en
General
-
Target
795f466f1d7046801dff29d26e922b35.exe
-
Size
906KB
-
MD5
795f466f1d7046801dff29d26e922b35
-
SHA1
95d942b20ec16b4311e35cfb12a94293cad69851
-
SHA256
81c5ece1954156740f639f838730f9f27f2dbb17b7752f525a715d4bc0fa03e8
-
SHA512
81aab8bb72c1c379d40dd50572c748b296a83dde127ecae441140ba0fe40da9609ad629e5d3a67cae1069183ee3db3e3cbb8fcbd72ef7d24528a758121ee21ca
-
SSDEEP
24576:ahkYErrvfgKDMq4SiagonfDb451LHCKjZOlNr45cIzCAxOj9mNL6rGB4:1YarIOMq4ShffDUPLi3P4D
Malware Config
Signatures
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz dw20.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString dw20.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 dw20.exe -
Enumerates system info in registry 2 TTPs 2 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS dw20.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU dw20.exe -
Suspicious use of AdjustPrivilegeToken 4 IoCs
description pid Process Token: SeRestorePrivilege 4716 dw20.exe Token: SeBackupPrivilege 4716 dw20.exe Token: SeBackupPrivilege 4716 dw20.exe Token: SeBackupPrivilege 4716 dw20.exe -
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 2724 wrote to memory of 4716 2724 795f466f1d7046801dff29d26e922b35.exe 88 PID 2724 wrote to memory of 4716 2724 795f466f1d7046801dff29d26e922b35.exe 88 PID 2724 wrote to memory of 4716 2724 795f466f1d7046801dff29d26e922b35.exe 88
Processes
-
C:\Users\Admin\AppData\Local\Temp\795f466f1d7046801dff29d26e922b35.exe"C:\Users\Admin\AppData\Local\Temp\795f466f1d7046801dff29d26e922b35.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2724 -
C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exedw20.exe -x -s 10762⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
PID:4716
-