Analysis
-
max time kernel
143s
-
max time network
151s
-
platform
windows10-2004_x64
-
resource
win10v2004-20231215-en
-
resource tags
arch:x64 arch:x86 image:win10v2004-20231215-en locale:en-us os:windows10-2004-x64 system
-
submitted
12/02/2024, 14:43
Static task
static1
Behavioral task
behavioral1
Sample
9766e7ddc378b7065a9e65358e33eb8a.exe
Resource
win7-20231215-en
Behavioral task
behavioral2
Sample
9766e7ddc378b7065a9e65358e33eb8a.exe
Resource
win10v2004-20231215-en
General
-
Target
9766e7ddc378b7065a9e65358e33eb8a.exe
-
Size
19KB
-
MD5
9766e7ddc378b7065a9e65358e33eb8a
-
SHA1
786eb85a966bd54e5ecceaf00e30d99acbe7f79c
-
SHA256
6e431c7aee915cce561fe3aed14986d8896bd896c6293a3cfddf833cc0e75e22
-
SHA512
f07c7e1ad785d396792ee37271ca563f68baee894130028b33f0e1fa04acb613639aa5646dbe5f6c533ec228d5b651520aef29697dac295c7905e181c043979f
-
SSDEEP
384:5HELvrNTsqTmmFCe46gI5xVtv4i6zz1NzzV6qZ9zhYQoW9:5HKvBbTmmAe9xV5j6FNzz3zhYQ
Malware Config
Signatures
-
Sets service image path in registry 2 TTPs 1 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\msupdate\ImagePath = "c:\\windows\\system32\\mssrv32.exe" | svchost.exe
-
Deletes itself 1 IoCs
pid | Process
1480 | svchost.exe
-
Drops file in System32 directory 2 IoCs
description | ioc | Process
File opened for modification | \??\c:\windows\SysWOW64\mssrv32.exe | 9766e7ddc378b7065a9e65358e33eb8a.exe
File created | \??\c:\windows\SysWOW64\mssrv32.exe | 9766e7ddc378b7065a9e65358e33eb8a.exe
-
Suspicious use of SetThreadContext 1 IoCs
description | pid | Process | procid_target
PID 772 set thread context of 1480 | 772 | 9766e7ddc378b7065a9e65358e33eb8a.exe | 85
-
Program crash 1 IoCs
pid | pid_target | Process | procid_target
1388 | 1480 | WerFault.exe | 85
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
description | pid | Process
Token: SeDebugPrivilege | 3056 | 9766e7ddc378b7065a9e65358e33eb8a.exe
-
Suspicious use of WriteProcessMemory 7 IoCs
description | pid | Process | procid_target
PID 3056 wrote to memory of 772 | 3056 | 9766e7ddc378b7065a9e65358e33eb8a.exe | 84
PID 3056 wrote to memory of 772 | 3056 | 9766e7ddc378b7065a9e65358e33eb8a.exe | 84
PID 3056 wrote to memory of 772 | 3056 | 9766e7ddc378b7065a9e65358e33eb8a.exe | 84
PID 772 wrote to memory of 1480 | 772 | 9766e7ddc378b7065a9e65358e33eb8a.exe | 85
PID 772 wrote to memory of 1480 | 772 | 9766e7ddc378b7065a9e65358e33eb8a.exe | 85
PID 772 wrote to memory of 1480 | 772 | 9766e7ddc378b7065a9e65358e33eb8a.exe | 85
PID 772 wrote to memory of 1480 | 772 | 9766e7ddc378b7065a9e65358e33eb8a.exe | 85
Processes
-
C:\Users\Admin\AppData\Local\Temp\9766e7ddc378b7065a9e65358e33eb8a.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\9766e7ddc378b7065a9e65358e33eb8a.exe"
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 3056
  \??\c:\users\admin\appdata\local\temp\9766e7ddc378b7065a9e65358e33eb8a.exe
  Command line: c:\users\admin\appdata\local\temp\9766e7ddc378b7065a9e65358e33eb8a.exe
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID: 772
    C:\Windows\SysWOW64\svchost.exe
    Command line: C:\Windows\system32\svchost.exe
    - Sets service image path in registry
    - Deletes itself
    PID: 1480
      C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1480 -s 348
      - Program crash
      PID: 1388
-
C:\Windows\SysWOW64\WerFault.exe
Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 1480 -ip 1480
PID: 4496
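Read together, the Signatures and Processes sections describe a staged injection chain: the sample (PID 3056) takes SeDebugPrivilege, drops mssrv32.exe, writes into a second copy of itself (PID 772), and that copy writes into and sets the thread context of a freshly started svchost.exe (PID 1480), which then registers the msupdate service and deletes the original before crashing (the WerFault.exe -p 1480 entries). Two details matter for triage. First, svchost was launched as C:\Windows\system32\svchost.exe but runs from C:\Windows\SysWOW64, which is WOW64 file system redirection, so the injecting process is 32-bit. Second, the same redirection is why the service ImagePath names c:\windows\system32\mssrv32.exe while the file was actually created in c:\windows\SysWOW64: file writes from a 32-bit process are redirected, but the HKLM\SYSTEM Services key is shared and is not, so on this x64 image the 64-bit service control manager would look for a binary that does not exist at the literal path. The script below is an added example, not the sandbox's own code or output: it replays hand-constructed event records modelled on the rows above (the dict field names are assumptions of this example, not a real report schema) to recover the write + SetThreadContext pair and to cross-check the ImagePath against the dropped file under both the literal and the redirected interpretation.

```python
"""Triage helper for the behavioural rows of a sandbox report.

Added example: not code from the report page or from any sandbox vendor.
EVENTS and PROCESSES are constructed by hand to mirror the Signatures and
Processes sections (PIDs 3056 -> 772 -> 1480); the field names are
assumptions of this example, not a real report schema.
"""
from collections import defaultdict

# Constructed events mirroring the report rows (not parsed from a real file).
EVENTS = [
    {"type": "adjust_privilege", "pid": 3056, "token": "SeDebugPrivilege"},
    {"type": "file_create", "pid": 3056, "path": r"\??\c:\windows\SysWOW64\mssrv32.exe"},
    *[{"type": "write_memory", "pid": 3056, "target": 772}] * 3,
    *[{"type": "write_memory", "pid": 772, "target": 1480}] * 4,
    {"type": "set_thread_context", "pid": 772, "target": 1480},
    {"type": "reg_set", "pid": 1480,
     "key": r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\msupdate\ImagePath",
     "value": r"c:\windows\system32\mssrv32.exe"},
    {"type": "delete_self", "pid": 1480},
    {"type": "crash", "pid": 1388, "target": 1480},
]

# Process image (as shown in the tree) and parent, for context when printing.
PROCESSES = {
    3056: {"image": r"C:\Users\Admin\AppData\Local\Temp\9766e7ddc378b7065a9e65358e33eb8a.exe", "parent": None},
    772:  {"image": r"C:\Users\Admin\AppData\Local\Temp\9766e7ddc378b7065a9e65358e33eb8a.exe", "parent": 3056},
    1480: {"image": r"C:\Windows\SysWOW64\svchost.exe", "parent": 772},
}


def normalize(path):
    """Lower-case a path and drop the NT \\??\\ prefix so values compare equal."""
    p = path.lower()
    if p.startswith("\\??\\"):
        p = p[4:]
    return p


def wow64_redirect(path):
    """Path a 32-bit (WOW64) process really writes when it names
    c:\\windows\\system32\\...: the file system redirects it to SysWOW64.
    The HKLM\\SYSTEM\\...\\Services key is shared and is not redirected,
    which is the asymmetry persistence_findings() checks for."""
    p = normalize(path)
    prefix = "c:\\windows\\system32\\"
    if p.startswith(prefix):
        return "c:\\windows\\syswow64\\" + p[len(prefix):]
    return p


def find_injection_chains(events):
    """Return (injector, victim) pairs where one process both wrote into
    another's memory and replaced a thread context there: the write +
    SetThreadContext pattern behind process hollowing."""
    writers = defaultdict(set)
    ctx = set()
    for e in events:
        if e["type"] == "write_memory":
            writers[e["pid"]].add(e["target"])
        elif e["type"] == "set_thread_context":
            ctx.add((e["pid"], e["target"]))
    return sorted((src, dst) for (src, dst) in ctx if dst in writers[src])


def service_image_paths(events):
    """Map service name -> normalized ImagePath for each Services\\<name>\\ImagePath write."""
    out = {}
    for e in events:
        if e["type"] != "reg_set":
            continue
        parts = e["key"].split("\\")
        if len(parts) >= 3 and parts[-1].lower() == "imagepath" and parts[-3].lower() == "services":
            out[parts[-2]] = normalize(e["value"])
    return out


def persistence_findings(events, process_is_32bit=True):
    """Cross-check each service ImagePath against the files the sample dropped:
    where the binary really landed, and whether the literal ImagePath was ever
    written (on an x64 host the 64-bit SCM resolves the literal path)."""
    dropped = {normalize(e["path"]) for e in events if e["type"] == "file_create"}
    findings = []
    for name, image in service_image_paths(events).items():
        candidates = {image}
        if process_is_32bit:
            candidates.add(wow64_redirect(image))
        findings.append({
            "service": name,
            "image_path": image,
            "literal_path_dropped": image in dropped,
            "dropped_at": sorted(candidates & dropped),
        })
    return findings


if __name__ == "__main__":
    for src, dst in find_injection_chains(EVENTS):
        print(f"hollowing: {src} ({PROCESSES[src]['image']}) -> {dst} ({PROCESSES[dst]['image']})")
    for f in persistence_findings(EVENTS):
        print(f)
```

Run as-is it reports the single 772 -> 1480 chain and a finding for msupdate whose literal ImagePath was never written but whose redirected path matches the dropped file. The 3056 -> 772 memory writes are left out of the chain on purpose: the report shows no SetThreadContext for that pair, so that stage is a parent staging its child, not a hollowed host. To use the same logic on a real report, map its rows onto the same dict shape.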
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
19KB
MD5
9766e7ddc378b7065a9e65358e33eb8a
SHA1
786eb85a966bd54e5ecceaf00e30d99acbe7f79c
SHA256
6e431c7aee915cce561fe3aed14986d8896bd896c6293a3cfddf833cc0e75e22
SHA512
f07c7e1ad785d396792ee37271ca563f68baee894130028b33f0e1fa04acb613639aa5646dbe5f6c533ec228d5b651520aef29697dac295c7905e181c043979f