Analysis
Max time kernel: 150s
Max time network: 122s
Platform: windows7_x64
Resource: win7-20231215-en
Resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
Submitted: 16-02-2024 04:33
Behavioral task: behavioral1
Sample: 9f73e803223c0bf72ad91341d8f4c24d.exe
Resource: win7-20231215-en
11 signatures, 150 seconds
General
Target: 9f73e803223c0bf72ad91341d8f4c24d.exe
Size: 1.1MB
MD5: 9f73e803223c0bf72ad91341d8f4c24d
SHA1: 3a11680d0969423ab5f63e104c65cf0fc88901b8
SHA256: 47762ead584529301063c560e505998a8a5a50749cd34c6313a90ae69b58d1c5
SHA512: c190aec73a8c1e15b044c6867a32a78955393d5e69002fa478c0772d148f8275348a32f2088dde71d90d8193634bba132b84b070615e8b1d663a08094376d2dd
SSDEEP: 24576:QU1uUHG/7vZKGVlfumMH8NS59MQ4CwNOt7X6r0gRf45PqCCF:f13Ahrb2Lcg59f4VNOtLk0x5PqtF
Score: 8/10
Malware Config
Signatures
Adds policy Run key to start application (2 TTPs, 4 IoCs)
Entries under Policies\Explorer\Run are launched by Explorer at logon, so the dropped server.exe is started again after every sign-in.
Process: 9f73e803223c0bf72ad91341d8f4c24d.exe
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\install\\server.exe"
  Key created: \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
  Set value (str): \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\install\\server.exe"
  Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
Modifies Installed Components in the registry (2 TTPs, 2 IoCs)
Active Setup runs the StubPath command once for each user who logs on, which gives the dropped server.exe a second, per-user persistence path.
Process: 9f73e803223c0bf72ad91341d8f4c24d.exe
  Key created: \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{S51WBUUR-D7V7-PQ55-P3S1-3OU486WMJ44P}
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{S51WBUUR-D7V7-PQ55-P3S1-3OU486WMJ44P}\StubPath = "C:\\Windows\\system32\\install\\server.exe Restart"
Adds Run key to start application (2 TTPs, 2 IoCs)
Process: 9f73e803223c0bf72ad91341d8f4c24d.exe
  Set value (str): \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\install\\server.exe"
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\install\\server.exe"
Writes to the Master Boot Record (MBR) (1 TTPs, 1 IoCs)
Bootkits write to the MBR to gain persistence at a level below the operating system.
Process: 9f73e803223c0bf72ad91341d8f4c24d.exe
  File opened for modification: \??\PhysicalDrive0
Drops file in System32 directory (2 IoCs)
The file lands in SysWOW64 because the 32-bit process is subject to file system redirection; it is the same path the Run keys above refer to as C:\Windows\system32\install\server.exe.
Process: 9f73e803223c0bf72ad91341d8f4c24d.exe
  File created: C:\Windows\SysWOW64\install\server.exe
  File opened for modification: C:\Windows\SysWOW64\install\server.exe
Suspicious use of SetThreadContext (1 IoCs)
Together with the WriteProcessMemory entries below, setting the thread context of a freshly started copy of the same executable is the pattern typically seen in process hollowing or code injection.
Process: 9f73e803223c0bf72ad91341d8f4c24d.exe
  PID 2472 set thread context of 2608 (process 9f73e803223c0bf72ad91341d8f4c24d.exe, procid_target 28)
Modifies registry class (3 IoCs)
Process: 9f73e803223c0bf72ad91341d8f4c24d.exe
  Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\.key
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\.key\
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile"
Suspicious behavior: EnumeratesProcesses (1 IoCs)
Process: 9f73e803223c0bf72ad91341d8f4c24d.exe
  PID 2608 (9f73e803223c0bf72ad91341d8f4c24d.exe)

Suspicious use of FindShellTrayWindow (1 IoCs)
Process: 9f73e803223c0bf72ad91341d8f4c24d.exe
  PID 2608 (9f73e803223c0bf72ad91341d8f4c24d.exe)

Suspicious use of SetWindowsHookEx (2 IoCs)
Process: 9f73e803223c0bf72ad91341d8f4c24d.exe
  PID 2472 (9f73e803223c0bf72ad91341d8f4c24d.exe)
  PID 2472 (9f73e803223c0bf72ad91341d8f4c24d.exe)
Suspicious use of WriteProcessMemory (64 IoCs)
Processes: 9f73e803223c0bf72ad91341d8f4c24d.exe, 9f73e803223c0bf72ad91341d8f4c24d.exe
The 64 entries are repetitions of two distinct rows:
  PID 2472 wrote to memory of 2608 (process 9f73e803223c0bf72ad91341d8f4c24d.exe, procid_target 28)
  PID 2608 wrote to memory of 1260 (process 9f73e803223c0bf72ad91341d8f4c24d.exe, procid_target 12)
PID 1260 is Explorer.EXE in the process list below.
Processes
1. C:\Windows\Explorer.EXE (command line: C:\Windows\Explorer.EXE), PID 1260
   2. C:\Users\Admin\AppData\Local\Temp\9f73e803223c0bf72ad91341d8f4c24d.exe (command line: "C:\Users\Admin\AppData\Local\Temp\9f73e803223c0bf72ad91341d8f4c24d.exe"), PID 2472
      - Writes to the Master Boot Record (MBR)
      - Suspicious use of SetThreadContext
      - Modifies registry class
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      3. C:\Users\Admin\AppData\Local\Temp\9f73e803223c0bf72ad91341d8f4c24d.exe (command line: C:\Users\Admin\AppData\Local\Temp\9f73e803223c0bf72ad91341d8f4c24d.exe), PID 2608
         - Adds policy Run key to start application
         - Modifies Installed Components in the registry
         - Adds Run key to start application
         - Drops file in System32 directory
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of FindShellTrayWindow
         - Suspicious use of WriteProcessMemory
         4. C:\Windows\SysWOW64\explorer.exe (command line: explorer.exe), PID 2880