Analysis
-
max time kernel
139s -
max time network
151s -
platform
windows7_x64 -
resource
win7-20231215-en -
resource tags
arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system -
submitted
13-02-2024 08:19
Static task
static1
Behavioral task
behavioral1
Sample
98ee48860712d3c06c3a4aa31c14de3a.exe
Resource
win7-20231215-en
Behavioral task
behavioral2
Sample
98ee48860712d3c06c3a4aa31c14de3a.exe
Resource
win10v2004-20231215-en
General
-
Target
98ee48860712d3c06c3a4aa31c14de3a.exe
-
Size
69KB
-
MD5
98ee48860712d3c06c3a4aa31c14de3a
-
SHA1
f36cb20f9663051d1eacfe0543e5449f958b7587
-
SHA256
60bf7b23526f36710f4ef589273d92cc21d45a996c09af9a4be52368c3233af6
-
SHA512
49e2982dc220a6fcde0782f7b3637972533b8c8e5821a685bfda65dd4df5d85e6dc11d725ecc7388c9bb81dddea3dac82ee9064cd276d3cdfa7a50c5be9a19a2
-
SSDEEP
1536:kMbuxfmDShn8doSSW02UAll71xCJ6Kyvd656jpI9MtUL+mAd7A2DDf27Gz:kMbupmOWHSW02U+xCJ/yvE4anin62DDB
Malware Config
Signatures
-
Modifies Installed Components in the registry 2 TTPs 1 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Active Setup\Installed Components explorer.exe -
Executes dropped EXE 1 IoCs
pid Process 2276 tmp5B59.tmp -
Drops file in Program Files directory 1 IoCs
description ioc Process File created C:\Program Files (x86)\SysNt Corp\settings.ini tmp5B59.tmp -
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 tmp5B59.tmp Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString tmp5B59.tmp -
Modifies registry class 5 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell explorer.exe Key created \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU explorer.exe Set value (data) \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots explorer.exe Set value (data) \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff explorer.exe Key created \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000_Classes\Local Settings explorer.exe -
Suspicious use of AdjustPrivilegeToken 16 IoCs
description pid Process Token: SeShutdownPrivilege 2352 explorer.exe Token: SeShutdownPrivilege 2352 explorer.exe Token: SeShutdownPrivilege 2352 explorer.exe Token: SeShutdownPrivilege 2352 explorer.exe Token: SeShutdownPrivilege 2352 explorer.exe Token: SeShutdownPrivilege 2352 explorer.exe Token: SeShutdownPrivilege 2352 explorer.exe Token: SeShutdownPrivilege 2352 explorer.exe Token: SeShutdownPrivilege 2352 explorer.exe Token: SeShutdownPrivilege 2352 explorer.exe Token: SeShutdownPrivilege 2352 explorer.exe Token: SeShutdownPrivilege 2352 explorer.exe Token: SeShutdownPrivilege 2352 explorer.exe Token: SeShutdownPrivilege 2352 explorer.exe Token: SeShutdownPrivilege 2352 explorer.exe Token: SeShutdownPrivilege 2352 explorer.exe -
Suspicious use of FindShellTrayWindow 27 IoCs
pid Process 2352 explorer.exe 2352 explorer.exe 2352 explorer.exe 2352 explorer.exe 2352 explorer.exe 2352 explorer.exe 2352 explorer.exe 2352 explorer.exe 2352 explorer.exe 2352 explorer.exe 2352 explorer.exe 2352 explorer.exe 2352 explorer.exe 2352 explorer.exe 2352 explorer.exe 2352 explorer.exe 2352 explorer.exe 2352 explorer.exe 2352 explorer.exe 2352 explorer.exe 2352 explorer.exe 2352 explorer.exe 2352 explorer.exe 2352 explorer.exe 2352 explorer.exe 2352 explorer.exe 2352 explorer.exe -
Suspicious use of SendNotifyMessage 15 IoCs
pid Process 2352 explorer.exe 2352 explorer.exe 2352 explorer.exe 2352 explorer.exe 2352 explorer.exe 2352 explorer.exe 2352 explorer.exe 2352 explorer.exe 2352 explorer.exe 2352 explorer.exe 2352 explorer.exe 2352 explorer.exe 2352 explorer.exe 2352 explorer.exe 2352 explorer.exe -
Suspicious use of WriteProcessMemory 15 IoCs
description pid Process procid_target PID 2252 wrote to memory of 2276 2252 98ee48860712d3c06c3a4aa31c14de3a.exe 28 PID 2252 wrote to memory of 2276 2252 98ee48860712d3c06c3a4aa31c14de3a.exe 28 PID 2252 wrote to memory of 2276 2252 98ee48860712d3c06c3a4aa31c14de3a.exe 28 PID 2252 wrote to memory of 2276 2252 98ee48860712d3c06c3a4aa31c14de3a.exe 28 PID 2276 wrote to memory of 1860 2276 tmp5B59.tmp 30 PID 2276 wrote to memory of 1860 2276 tmp5B59.tmp 30 PID 2276 wrote to memory of 1860 2276 tmp5B59.tmp 30 PID 2276 wrote to memory of 1860 2276 tmp5B59.tmp 30 PID 1860 wrote to memory of 2352 1860 runas.exe 31 PID 1860 wrote to memory of 2352 1860 runas.exe 31 PID 1860 wrote to memory of 2352 1860 runas.exe 31 PID 1860 wrote to memory of 2352 1860 runas.exe 31 PID 2352 wrote to memory of 2788 2352 explorer.exe 32 PID 2352 wrote to memory of 2788 2352 explorer.exe 32 PID 2352 wrote to memory of 2788 2352 explorer.exe 32 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\98ee48860712d3c06c3a4aa31c14de3a.exe"C:\Users\Admin\AppData\Local\Temp\98ee48860712d3c06c3a4aa31c14de3a.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2252 -
C:\Users\Admin\AppData\Local\Temp\tmp5B59.tmp"C:\Users\Admin\AppData\Local\Temp\tmp5B59.tmp"2⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:2276 -
C:\Windows\SysWOW64\runas.exerunas /trustlevel:0x20000 C:\Windows\explorer.exe3⤵
- Suspicious use of WriteProcessMemory
PID:1860 -
C:\Windows\explorer.exeC:\Windows\explorer.exe4⤵
- Modifies Installed Components in the registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2352 -
C:\Windows\system32\ctfmon.exectfmon.exe5⤵PID:2788
-
-
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
60KB
MD5ff672b6d51815ef9c86e163bfd23f1a5
SHA1e4a08257258bc59d67992d762d60ea34f08a6b9d
SHA2565ec57873c7a4829f75472146d59eb8e44f926d9a0df8d4af51ca21c8cd80bace
SHA512d957e4e27e6eb10de02d032fbba52918dc9aa67c350b593463e9756fc8c91208a2065d35f13585b60414df5e19ed5f68aadbcb69630fc02b9a0201761064fd57