Analysis
max time kernel: 150s
max time network: 123s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64 arch:x86 image:win7-20240221-en locale:en-us os:windows7-x64 system
submitted: 24/02/2024, 05:38
Static task: static1
Behavioral task: behavioral1
  Sample: a113e103d28318c83c0d625de33e089b.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: a113e103d28318c83c0d625de33e089b.exe
  Resource: win10v2004-20240221-en
General
Target: a113e103d28318c83c0d625de33e089b.exe
Size: 488KB
MD5: a113e103d28318c83c0d625de33e089b
SHA1: 023dc01fcf484ee6f23fa7f7e943a78528b5ee21
SHA256: 051ca838d355275a998d6e3153244826c7c2fe090e775cd99063ddcce30277a5
SHA512: b664d85b93807c0feb7e1f9449dd505c62176786c86ddf5ddf497a8804d424fe8b30ef9a05aa298d48409fccdbbfb38dc2a0f4375de6c35f420203c850561fc8
SSDEEP: 6144:l3H5tJ9MUsdOKKqLkMqIKdueMAgl7Qf2NaSUO9FsLeWhDER:l3HR79yVqIKseiukQOTsJh4R
Malware Config
Signatures
-
Modifies WinLogon for persistence (2 TTPs, 1 IoC)
Winlogon runs every comma-separated entry of the UserInit value at interactive logon, so appending a second executable makes it start with each session.
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\Documents\\After.exe" (a113e103d28318c83c0d625de33e089b.exe)
Checks BIOS information in registry (2 TTPs, 2 IoCs)
BIOS information is often read in order to detect sandboxing environments.
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate (a113e103d28318c83c0d625de33e089b.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate (After.exe)
Executes dropped EXE (2 IoCs)
- PID 2596 After.exe
- PID 2168 After.exe
Loads dropped DLL (3 IoCs)
- PID 2528 a113e103d28318c83c0d625de33e089b.exe (listed twice)
- PID 2596 After.exe
YARA rule match: upx (29 IoCs)
Every matching dump covers the same 0x0000000000400000-0x00000000004B5000 image range, in the second copy of the sample (PID 2528) and the second copy of After.exe (PID 2168).
- behavioral1/memory/2528-{2,4,5,6,7,9,33}-0x0000000000400000-0x00000000004B5000-memory.dmp (upx)
- behavioral1/memory/2168-{41,43,45 through 64}-0x0000000000400000-0x00000000004B5000-memory.dmp (upx)
Adds Run key to start application (2 TTPs, 1 IoC)
- Set value (str): \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Windows\CurrentVersion\Run\Nightmob = "C:\\Users\\Admin\\Documents\\After.exe" (a113e103d28318c83c0d625de33e089b.exe)
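The two registry writes above (the UserInit value extended with After.exe, and the Nightmob Run value) are the persistence this sample leaves behind; both survive a reboot because Winlogon re-reads UserInit at every interactive logon and the Run key fires for that user on every logon. The Python below is an added example, not part of this report or of the sandbox's own tooling: it parses a constructed .reg-style export that mirrors those two values (plus a benign OneDrive Run entry, assumed for contrast) and flags any UserInit entry beyond the stock userinit.exe, a non-default Winlogon Shell, and any Run value whose executable lives under a user-writable directory. The key and value names are the real ones; the export text and the parser are ours.

```python
"""Audit Winlogon UserInit/Shell and Run-key values for user-path persistence.

Added example, not part of the sandbox report. SAMPLE_REG is a constructed
.reg-style export containing the two values the report shows plus a benign
Run entry; key and value names are real, the parsing helper is our own.
"""
import re

# Stock UserInit value on a default install (the value is comma-terminated).
EXPECTED_USERINIT = {"c:\\windows\\system32\\userinit.exe"}
EXPECTED_SHELL = "explorer.exe"

# Directories a standard user can write to; persistence pointing here is far
# more suspicious than an entry under Program Files or System32.
USER_WRITABLE = ("c:\\users\\", "\\appdata\\", "\\temp\\", "\\documents\\")

# Constructed sample: what `reg export` of the two keys could look like after
# the sample ran. Paths come from the report; the OneDrive row is assumed.
SAMPLE_REG = r'''
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe"
"Userinit"="C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\Documents\\After.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Nightmob"="C:\\Users\\Admin\\Documents\\After.exe"
"OneDrive"="\"C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe\" /background"
'''

REG_KEY_RE = re.compile(r"^\[(.+)\]\s*$")
REG_VALUE_RE = re.compile(r'^"([^"]+)"="((?:[^"\\]|\\.)*)"\s*$')


def parse_reg(text):
    """Parse a minimal .reg export into {key: {value_name: string_data}}."""
    keys, current = {}, None
    for line in text.splitlines():
        m = REG_KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys[current] = {}
            continue
        m = REG_VALUE_RE.match(line)
        if m and current is not None:
            name, data = m.groups()
            # .reg escapes backslashes and quotes with a backslash; undo that.
            keys[current][name] = re.sub(r"\\(.)", r"\1", data)
    return keys


def userinit_extras(userinit):
    """Entries in a comma-separated UserInit value beyond the stock one."""
    entries = [e.strip() for e in userinit.split(",") if e.strip()]
    return [e for e in entries if e.lower() not in EXPECTED_USERINIT]


def in_user_writable(path):
    """True when the path sits under a directory a standard user can write to."""
    return any(marker in path.lower() for marker in USER_WRITABLE)


def run_value_exe(data):
    """Executable part of a Run value: "quoted path" args, or path args."""
    data = data.strip()
    if data.startswith('"'):
        return data[1:data.find('"', 1)]
    m = re.match(r"(.+?\.exe)(\s|$)", data, re.IGNORECASE)
    return m.group(1) if m else data.split()[0]


def audit(reg_text):
    """Return (key, value_name, detail) findings for suspicious autostart entries."""
    findings = []
    for key, values in parse_reg(reg_text).items():
        k = key.lower()
        if k.endswith("\\currentversion\\winlogon"):
            for extra in userinit_extras(values.get("Userinit", "")):
                findings.append((key, "Userinit", extra))
            shell = values.get("Shell", EXPECTED_SHELL)
            if shell.strip().lower() != EXPECTED_SHELL:
                findings.append((key, "Shell", shell))
        elif k.endswith(("\\currentversion\\run", "\\currentversion\\runonce")):
            for name, data in values.items():
                exe = run_value_exe(data)
                if in_user_writable(exe):
                    findings.append((key, name, exe))
    return findings


if __name__ == "__main__":
    for key, name, detail in audit(SAMPLE_REG):
        print(f"{key}\\{name} -> {detail}")
```

On a live host the same checks run against `reg export` output of HKLM\...\Winlogon and the per-user Run/RunOnce keys; the rule deliberately whitelists only the stock userinit.exe, so any legitimate second UserInit entry (rare outside custom logon tooling) should be added to EXPECTED_USERINIT rather than the rule loosened.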
Maps connected drives based on registry (3 TTPs, 6 IoCs)
Disk information is often read in order to detect sandboxing environments.
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum (a113e103d28318c83c0d625de33e089b.exe)
- Key value queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\nu (a113e103d28318c83c0d625de33e089b.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum (explorer.exe)
- Key value queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\nu (explorer.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum (After.exe)
- Key value queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\nu (After.exe)
Suspicious use of SetThreadContext (4 IoCs)
- PID 3024 a113e103d28318c83c0d625de33e089b.exe set thread context of PID 2528 (procid_target 28)
- PID 2528 a113e103d28318c83c0d625de33e089b.exe set thread context of PID 2748 (procid_target 29)
- PID 2748 explorer.exe set thread context of PID 2568 (procid_target 30)
- PID 2596 After.exe set thread context of PID 2168 (procid_target 34)
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Checks processor information in registry (2 TTPs, 8 IoCs)
Processor information is often read in order to detect sandboxing environments.
- Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (a113e103d28318c83c0d625de33e089b.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (a113e103d28318c83c0d625de33e089b.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier (a113e103d28318c83c0d625de33e089b.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier (a113e103d28318c83c0d625de33e089b.exe)
- Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (After.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (After.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier (After.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier (After.exe)
Enumerates system info in registry (2 TTPs, 2 IoCs)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier (a113e103d28318c83c0d625de33e089b.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier (After.exe)
Runs ping.exe (1 TTP, 1 IoC)
- PID 2456 ping.exe
Suspicious use of AdjustPrivilegeToken (46 IoCs)
Both processes enable the same 23 privileges on their token.
- PID 2528 a113e103d28318c83c0d625de33e089b.exe: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35
- PID 2168 After.exe: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35
Suspicious use of SetWindowsHookEx (4 IoCs)
- PID 3024 a113e103d28318c83c0d625de33e089b.exe
- PID 2748 explorer.exe
- PID 2596 After.exe
- PID 2168 After.exe
Suspicious use of WriteProcessMemory (41 IoCs)
- PID 3024 a113e103d28318c83c0d625de33e089b.exe wrote to memory of PID 2528 (procid_target 28): 9 writes
- PID 2528 a113e103d28318c83c0d625de33e089b.exe wrote to memory of PID 2748 (procid_target 29): 6 writes
- PID 2748 explorer.exe wrote to memory of PID 2568 (procid_target 30): 9 writes
- PID 2528 a113e103d28318c83c0d625de33e089b.exe wrote to memory of PID 2596 (procid_target 31): 4 writes
- PID 2528 a113e103d28318c83c0d625de33e089b.exe wrote to memory of PID 2456 (procid_target 32): 4 writes
- PID 2596 After.exe wrote to memory of PID 2168 (procid_target 34): 9 writes
Processes
C:\Users\Admin\AppData\Local\Temp\a113e103d28318c83c0d625de33e089b.exe (PID 3024)
  command line: "C:\Users\Admin\AppData\Local\Temp\a113e103d28318c83c0d625de33e089b.exe"
  - Maps connected drives based on registry
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\a113e103d28318c83c0d625de33e089b.exe (PID 2528, child of 3024)
    command line: C:\Users\Admin\AppData\Local\Temp\a113e103d28318c83c0d625de33e089b.exe
    - Modifies WinLogon for persistence
    - Checks BIOS information in registry
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\explorer.exe (PID 2748, child of 2528)
      command line: "C:\Windows\SysWOW64\explorer.exe"
      - Maps connected drives based on registry
      - Suspicious use of SetThreadContext
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\explorer.exe (PID 2568, child of 2748)
        command line: C:\Windows\SysWOW64\explorer.exe
    C:\Users\Admin\Documents\After.exe (PID 2596, child of 2528)
      command line: "C:\Users\Admin\Documents\After.exe"
      - Executes dropped EXE
      - Loads dropped DLL
      - Maps connected drives based on registry
      - Suspicious use of SetThreadContext
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      C:\Users\Admin\Documents\After.exe (PID 2168, child of 2596)
        command line: C:\Users\Admin\Documents\After.exe
        - Checks BIOS information in registry
        - Executes dropped EXE
        - Checks processor information in registry
        - Enumerates system info in registry
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of SetWindowsHookEx
    C:\Windows\SysWOW64\ping.exe (PID 2456, child of 2528)
      command line: ping 127.0.0.1 -n 5 > NUL del "C:\Users\Admin\AppData\Local\Temp\a113e103d28318c83c0d625de33e089b.exe"
      - Runs ping.exe
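The tree above shows three chains worth turning into detections: the sample from %TEMP% spawning a second copy of itself and then writing into it and calling SetThreadContext (the sequence used for process hollowing), the same pattern repeated into a SysWOW64 explorer.exe and into After.exe, and a ping.exe child whose command line deletes the original executable once the ping delay elapses. The Python below is an added example, not part of this report or of the sandbox: it runs three such rules over constructed Sysmon-style process-creation records built from the PIDs and paths in the tree. The parent of PID 3024 and the two benign control rows are assumed, since the report does not show them, and the field names (pid, ppid, image, parent_image, cmdline) mirror Sysmon Event ID 1 but the records are hand-built.

```python
"""Three process-tree detections over Sysmon-style process-creation records.

Added example, not part of the sandbox report. EVENTS is constructed from the
PIDs and image paths in the process tree; the parent of PID 3024 and the two
benign control rows (explorer.exe from userinit.exe, notepad.exe from the
shell) are assumed.
"""
import re

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\a113e103d28318c83c0d625de33e089b.exe"
AFTER = r"C:\Users\Admin\Documents\After.exe"
WOW_EXPLORER = r"C:\Windows\SysWOW64\explorer.exe"

# Constructed records with Sysmon Event ID 1 field names.
EVENTS = [
    {"pid": 3024, "ppid": 1000, "image": SAMPLE,
     "parent_image": r"C:\Windows\explorer.exe", "cmdline": f'"{SAMPLE}"'},
    {"pid": 2528, "ppid": 3024, "image": SAMPLE, "parent_image": SAMPLE,
     "cmdline": SAMPLE},
    {"pid": 2748, "ppid": 2528, "image": WOW_EXPLORER, "parent_image": SAMPLE,
     "cmdline": f'"{WOW_EXPLORER}"'},
    {"pid": 2568, "ppid": 2748, "image": WOW_EXPLORER,
     "parent_image": WOW_EXPLORER, "cmdline": WOW_EXPLORER},
    {"pid": 2596, "ppid": 2528, "image": AFTER, "parent_image": SAMPLE,
     "cmdline": f'"{AFTER}"'},
    {"pid": 2168, "ppid": 2596, "image": AFTER, "parent_image": AFTER,
     "cmdline": AFTER},
    {"pid": 2456, "ppid": 2528, "image": r"C:\Windows\SysWOW64\ping.exe",
     "parent_image": SAMPLE,
     "cmdline": f'ping 127.0.0.1 -n 5 > NUL del "{SAMPLE}"'},
    # assumed benign control rows
    {"pid": 1000, "ppid": 900, "image": r"C:\Windows\explorer.exe",
     "parent_image": r"C:\Windows\System32\userinit.exe", "cmdline": "explorer.exe"},
    {"pid": 4100, "ppid": 1000, "image": r"C:\Windows\System32\notepad.exe",
     "parent_image": r"C:\Windows\explorer.exe", "cmdline": "notepad.exe"},
]

USER_WRITABLE = ("c:\\users\\", "\\appdata\\", "\\temp\\", "\\documents\\")
SYSTEM_ROOT = "c:\\windows\\"

# "ping <host> -n N ... del <path>.exe": the wait-then-delete one-liner.
SELF_DELETE_RE = re.compile(
    r'\bping\b.*?-n\s+\d+.*?\bdel\s+"?([^"&|]+?\.exe)"?', re.IGNORECASE)


def in_user_writable(path):
    """True for paths under a directory a standard user can write to."""
    return any(marker in path.lower() for marker in USER_WRITABLE)


def is_system_binary(path):
    return path.lower().startswith(SYSTEM_ROOT)


def detect(events):
    """Return (pid, rule, detail) for every rule that fires on a record."""
    findings = []
    for e in events:
        image, parent, cmd = e["image"], e["parent_image"], e["cmdline"]
        # Rule 1: a child whose command line deletes its parent's executable.
        m = SELF_DELETE_RE.search(cmd)
        if m and m.group(1).lower() == parent.lower():
            findings.append((e["pid"], "self-delete", m.group(1)))
        # Rule 2: a Windows binary (explorer.exe, ping.exe, ...) started by a
        # process that lives in a user-writable directory.
        if is_system_binary(image) and in_user_writable(parent):
            findings.append((e["pid"], "system-binary-from-user-path", parent))
        # Rule 3: a user-path executable spawning a copy of itself. Noisy on
        # its own; with WriteProcessMemory/SetThreadContext on the child it is
        # the hollowing chain seen in this tree.
        if image.lower() == parent.lower() and in_user_writable(image):
            findings.append((e["pid"], "self-spawn-from-user-path", image))
    return findings


def rules_for(findings, pid):
    """Set of rule names that fired for one PID (convenience for triage)."""
    return {rule for p, rule, _ in findings if p == pid}


if __name__ == "__main__":
    for pid, rule, detail in detect(EVENTS):
        print(f"{pid:5d} {rule:30s} {detail}")
```

Rule 1 is the high-confidence one: a legitimate installer may delete itself, but it does so from its own process, not by handing its parent's path to ping.exe. Rules 2 and 3 are context; on real telemetry they are best scored together with the injection signals (WriteProcessMemory into the same child followed by SetThreadContext) rather than alerted on alone.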
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution, T1547 (2)
    Registry Run Keys / Startup Folder, T1547.001 (1)
    Winlogon Helper DLL, T1547.004 (1)
Privilege Escalation
  Boot or Logon Autostart Execution, T1547 (2)
    Registry Run Keys / Startup Folder, T1547.001 (1)
    Winlogon Helper DLL, T1547.004 (1)
Downloads
Filesize: 488KB
MD5: a113e103d28318c83c0d625de33e089b
SHA1: 023dc01fcf484ee6f23fa7f7e943a78528b5ee21
SHA256: 051ca838d355275a998d6e3153244826c7c2fe090e775cd99063ddcce30277a5
SHA512: b664d85b93807c0feb7e1f9449dd505c62176786c86ddf5ddf497a8804d424fe8b30ef9a05aa298d48409fccdbbfb38dc2a0f4375de6c35f420203c850561fc8