Analysis

max time kernel: 150s
max time network: 147s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 24/02/2024, 05:49
Static task: static1
Behavioral task: behavioral1
  Sample: a118dfe5b9dfaa5fc6819d8e9292a2f6.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: a118dfe5b9dfaa5fc6819d8e9292a2f6.exe
  Resource: win10v2004-20240221-en

The Analysis header names platform windows7_x64 and resource win7-20240221-en, so the signatures and process tree on this page come from behavioral1; no behavioral2 (win10v2004-20240221-en) results are shown here.
General

Target: a118dfe5b9dfaa5fc6819d8e9292a2f6.exe
Size: 1.1MB
MD5: a118dfe5b9dfaa5fc6819d8e9292a2f6
SHA1: 7248a337d145e30b104aa5e0b769b20ff11ed0df
SHA256: 77eb19ad6576fd74501a40e59f23273d430b66eed7c7efe95f50f1b7b0ffa3db
SHA512: 0a5163d47dd7b2ba38c227db4c141d4e2c7a22776fc1e1b05558d961be036b1f1d437db13fb7c67bbebb8f8a6eea0587e9c175c25afbcf86ad506b4d2269280e
SSDEEP: 24576:oURxV5Qk44owLqYTCOiDFXRIr3mFJoSI15kXiLICm49:oAxnrfoeqrOKFXR+3+of1qSU49
Malware Config
Signatures
Checks BIOS information in registry  (2 TTPs, 2 IoCs)
BIOS information is often read in order to detect sandboxing environments.
  description        ioc                                                            Process
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate   svchost.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate   svchost.exe
One row per dropped svchost.exe instance (PIDs 2588 and 2548 in the process tree below); the sample's own processes are not recorded reading this key.
Executes dropped EXE  (2 IoCs)
  pid   Process
  2588  svchost.exe
  2548  svchost.exe
Loads dropped DLL  (4 IoCs)
  pid   Process
  2244  a118dfe5b9dfaa5fc6819d8e9292a2f6.exe
  2244  a118dfe5b9dfaa5fc6819d8e9292a2f6.exe
  2544  a118dfe5b9dfaa5fc6819d8e9292a2f6.exe
  2544  a118dfe5b9dfaa5fc6819d8e9292a2f6.exe
The path of the dropped DLL is not recorded on this page.
Adds Run key to start application  (2 TTPs, 2 IoCs)
  description      ioc                                                                                                                                                                              Process
  Set value (str)  \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Users\\Admin\\AppData\\Roaming\\Keygen.exe"  a118dfe5b9dfaa5fc6819d8e9292a2f6.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Users\\Admin\\AppData\\Roaming\\Keygen.exe"  a118dfe5b9dfaa5fc6819d8e9292a2f6.exe
Both instances of the sample (PIDs 2244 and 2544) write the same value. It lands in the user hive (HKCU\...\Run, the per-user autorun that needs no elevation), is named "svchost" to blend in, and points to ...\AppData\Roaming\Keygen.exe. That path does not appear anywhere else in this report: the dropped binary that actually runs is ...\AppData\Roaming\svchost.exe, and Keygen.exe is neither in the process tree nor recorded as written. When triaging a host, check the Run value and both file paths.
Suspicious use of SetThreadContext  (2 IoCs)
  description                           pid   Process                               procid_target
  PID 2244 set thread context of 2588   2244  a118dfe5b9dfaa5fc6819d8e9292a2f6.exe  28
  PID 2544 set thread context of 2548   2544  a118dfe5b9dfaa5fc6819d8e9292a2f6.exe  30
procid_target is the sandbox's own index for the target process, not a Windows PID (28 = PID 2588, 29 = PID 2544, 30 = PID 2548 throughout this report). Each parent sets a thread context in the svchost.exe child it spawned, after writing into that child's memory (see the WriteProcessMemory rows below). Combined with the child being a freshly dropped executable, that is the process-hollowing / thread-hijack pattern: treat the code executing in PIDs 2588 and 2548 as unknown until their memory is dumped, regardless of what the on-disk svchost.exe contains.
Enumerates physical storage devices  (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Checks processor information in registry  (2 TTPs, 8 IoCs)
Processor information is often read in order to detect sandboxing environments.
  description        ioc                                                                                   Process
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier           svchost.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier     svchost.exe
  Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0                      svchost.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  svchost.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier           svchost.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier     svchost.exe
  Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0                      svchost.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  svchost.exe
(Four rows per svchost.exe instance.)
Enumerates system info in registry  (2 TTPs, 2 IoCs)
  description        ioc                                                    Process
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier  svchost.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier  svchost.exe
Suspicious behavior: EnumeratesProcesses  (64 IoCs)
  pid   Process
  2244  a118dfe5b9dfaa5fc6819d8e9292a2f6.exe
  2544  a118dfe5b9dfaa5fc6819d8e9292a2f6.exe
  (64 rows in total, all attributed to these two PIDs and otherwise identical; collapsed here)
Suspicious use of AdjustPrivilegeToken  (48 IoCs)
  description              pid   Process
  Token: SeDebugPrivilege  2244  a118dfe5b9dfaa5fc6819d8e9292a2f6.exe
  Token: SeDebugPrivilege  2544  a118dfe5b9dfaa5fc6819d8e9292a2f6.exe
  Token: <see list>        2588  svchost.exe   (23 rows)
  Token: <see list>        2548  svchost.exe   (the same 23 rows)
  Privileges requested by each svchost.exe instance, in order: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35.
The bare numbers are privilege LUIDs the sandbox did not resolve to a name; on Windows they are SeIncreaseWorkingSetPrivilege (33), SeTimeZonePrivilege (34) and SeCreateSymbolicLinkPrivilege (35). The sample's own processes ask only for SeDebugPrivilege, the privilege commonly enabled before opening other processes. The sweep through the whole privilege set in the two svchost.exe processes is what AdjustTokenPrivileges called over every privilege on the token looks like. These rows record the request, not the outcome: privileges absent from the token (most of this list on a UAC-filtered or standard-user token) simply fail to enable.
Suspicious use of WriteProcessMemory  (34 IoCs)
  description                        pid   Process                               procid_target  rows
  PID 2244 wrote to memory of 2588   2244  a118dfe5b9dfaa5fc6819d8e9292a2f6.exe  28             15
  PID 2244 wrote to memory of 2544   2244  a118dfe5b9dfaa5fc6819d8e9292a2f6.exe  29             4
  PID 2544 wrote to memory of 2548   2544  a118dfe5b9dfaa5fc6819d8e9292a2f6.exe  30             15
Each target is a direct child of the writing process (see the process tree). The 15 writes into each svchost.exe child are paired with a SetThreadContext row on that child, which completes the injection pattern; the 4 writes from 2244 into its second copy of itself (2544) have no matching SetThreadContext row, so the hollowing pattern applies only to the two svchost.exe children.
Processes

[1] C:\Users\Admin\AppData\Local\Temp\a118dfe5b9dfaa5fc6819d8e9292a2f6.exe  (PID 2244)
    command line: "C:\Users\Admin\AppData\Local\Temp\a118dfe5b9dfaa5fc6819d8e9292a2f6.exe"
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    [2] C:\Users\Admin\AppData\Roaming\svchost.exe  (PID 2588)
        command line: C:\Users\Admin\AppData\Roaming\svchost.exe
        - Checks BIOS information in registry
        - Executes dropped EXE
        - Checks processor information in registry
        - Enumerates system info in registry
        - Suspicious use of AdjustPrivilegeToken

    [2] C:\Users\Admin\AppData\Local\Temp\a118dfe5b9dfaa5fc6819d8e9292a2f6.exe  (PID 2544)
        command line: "C:\Users\Admin\AppData\Local\Temp\a118dfe5b9dfaa5fc6819d8e9292a2f6.exe"
        - Loads dropped DLL
        - Adds Run key to start application
        - Suspicious use of SetThreadContext
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory

        [3] C:\Users\Admin\AppData\Roaming\svchost.exe  (PID 2548)
            command line: C:\Users\Admin\AppData\Roaming\svchost.exe
            - Checks BIOS information in registry
            - Executes dropped EXE
            - Checks processor information in registry
            - Enumerates system info in registry
            - Suspicious use of AdjustPrivilegeToken

Reading the tree: the sample (2244) starts the dropped svchost.exe (2588), writes into it and resets a thread context there, then re-launches itself (2544), which repeats the same drop-and-inject sequence against a second svchost.exe (2548). A binary named svchost.exe running from C:\Users\<user>\AppData\Roaming rather than C:\Windows\System32 is a masquerading indicator on its own; because each instance is the target of WriteProcessMemory plus SetThreadContext from its parent, the on-disk file may not reflect what those two processes execute, and the anti-sandbox registry reads (BIOS date, CPU identifiers, system Identifier) are all attributed to them rather than to the sample.
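The signature tables and the process tree are the raw material an analyst correlates by hand to reach the conclusions above: which parent/child pairs show the write-then-set-thread-context pattern against a dropped executable, which process images carry a system-binary name from a user-writable directory, and whether the Run value points at something that ever ran. The following Python script is an added example for this page, not sandbox tooling or anything from the sample's author. It transcribes the rows above into event records (row counts as in the tables) and derives those three findings; the Event type, the function names and the System32/SysWOW64 allow-list are this example's own assumptions.

```python
"""Correlate the behavioural rows of this report into triage findings.

Added example for this page; not sandbox tooling. The records below are
transcribed from the Signatures tables and the process tree. The Event type,
the function names and the System32/SysWOW64 allow-list are assumptions
made for this example.
"""
import ntpath
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    kind: str              # WriteProcessMemory | SetThreadContext | ExecutesDroppedEXE | RunKey
    pid: int               # acting process
    image: str             # acting process image path
    target_pid: int = 0    # target process for cross-process events
    detail: str = ""       # Run value data for RunKey events


SAMPLE = "a118dfe5b9dfaa5fc6819d8e9292a2f6.exe"
SAMPLE_PATH = "C:\\Users\\Admin\\AppData\\Local\\Temp\\" + SAMPLE
DROPPED_SVCHOST = "C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe"
RUN_VALUE_DATA = "C:\\Users\\Admin\\AppData\\Roaming\\Keygen.exe"

# Process tree from the report: PID -> image path.
PROCESSES = {
    2244: SAMPLE_PATH,
    2588: DROPPED_SVCHOST,
    2544: SAMPLE_PATH,
    2548: DROPPED_SVCHOST,
}

# Signature rows from the report, with the same row counts as the tables.
EVENTS = (
    [Event("WriteProcessMemory", 2244, SAMPLE_PATH, target_pid=2588)] * 15
    + [Event("WriteProcessMemory", 2244, SAMPLE_PATH, target_pid=2544)] * 4
    + [Event("WriteProcessMemory", 2544, SAMPLE_PATH, target_pid=2548)] * 15
    + [
        Event("SetThreadContext", 2244, SAMPLE_PATH, target_pid=2588),
        Event("SetThreadContext", 2544, SAMPLE_PATH, target_pid=2548),
        Event("ExecutesDroppedEXE", 2588, DROPPED_SVCHOST),
        Event("ExecutesDroppedEXE", 2548, DROPPED_SVCHOST),
        Event("RunKey", 2244, SAMPLE_PATH, detail=RUN_VALUE_DATA),
        Event("RunKey", 2544, SAMPLE_PATH, detail=RUN_VALUE_DATA),
    ]
)


def hollowing_candidates(events):
    """(parent, child) pairs where the parent both wrote the child's memory and
    set a thread context in it, and the child is a dropped executable.
    WriteProcessMemory on its own (2244 -> 2544 in this report) does not qualify."""
    wrote, ctx, dropped = defaultdict(set), defaultdict(set), set()
    for e in events:
        if e.kind == "WriteProcessMemory":
            wrote[e.pid].add(e.target_pid)
        elif e.kind == "SetThreadContext":
            ctx[e.pid].add(e.target_pid)
        elif e.kind == "ExecutesDroppedEXE":
            dropped.add(e.pid)
    return sorted((p, c) for p in wrote for c in wrote[p] & ctx[p] if c in dropped)


def masqueraded_system_binaries(processes, names=("svchost.exe",)):
    """PIDs whose image carries a Windows system-binary name but does not live
    under System32 or SysWOW64 (assumed allow-list)."""
    allowed = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
    hits = []
    for pid, image in sorted(processes.items()):
        norm = ntpath.normcase(image)          # lower-case, backslashes only
        if ntpath.basename(norm) in names and not norm.startswith(allowed):
            hits.append((pid, image))
    return hits


def run_values_never_executed(events, processes):
    """Run-key data paths that never appear as an executed image in the tree."""
    executed = {ntpath.normcase(p) for p in processes.values()}
    return sorted({e.detail for e in events
                   if e.kind == "RunKey" and ntpath.normcase(e.detail) not in executed})


if __name__ == "__main__":
    print("hollowing candidates:", hollowing_candidates(EVENTS))
    print("masqueraded binaries:", masqueraded_system_binaries(PROCESSES))
    print("run values never executed:", run_values_never_executed(EVENTS, PROCESSES))
```

Run as-is it reports (2244, 2588) and (2544, 2548) as hollowing candidates, both svchost.exe PIDs as masquerading, and the Keygen.exe Run value as never executed. The 2244 -> 2544 writes are deliberately excluded because no SetThreadContext row targets 2544; requiring both calls plus a dropped-EXE target is what keeps this rule from firing on ordinary parent/child IPC. ntpath is used rather than os.path so the Windows paths normalise the same way on a Linux analysis box.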
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 1KB
MD5: 7c32886c3cd06d6036c0462301ad289c
SHA1: a0a54552a7ecf7082bac0af6c5bca610225b05df
SHA256: 72c341969754f9e11b85119ca8db22eba2f4a6173c6bac14a032360073799009
SHA512: 08613b8dc53125c6ff051a98989eb9c4eb447ad05243db1b956ae2969e8463c2a216ed6873274d5b3e890307ad219d761324aa702b3ee45f776b80336147d523
(The file name and origin of this 1KB artifact are not recorded on this page.)