Analysis
max time kernel: 120s
max time network: 125s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 24/02/2024, 20:19
Static task
static1
Behavioral task
behavioral1
Sample
a2a9aa7d747dc872400ced400f162bfa.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
a2a9aa7d747dc872400ced400f162bfa.exe
Resource
win10v2004-20240221-en
General
Target: a2a9aa7d747dc872400ced400f162bfa.exe
Size: 1.1MB
MD5: a2a9aa7d747dc872400ced400f162bfa
SHA1: c7c900a9b5341975beef45d15acaf24d93e0e42d
SHA256: f5f0bd9714c7b145305035b817957668e9ac5f1aac855ae82a638011e6860488
SHA512: 8ee2ed9b131091fb6ab2103117fbc69f7337dd2d1bf7db2c0dd30d12ac637a4302b1c86350232259a9a81fd3601f222b75731759a69528e0cf3d60383678c053
SSDEEP: 24576:fi/ilk3kas5dc3N9rN6s0lcdEE+6hkknUnk3nnUm:6ek3kas5CNhN6RlcdELQ
Malware Config
Signatures
Modifies WinLogon for persistence (2 TTPs, 1 IoC)
Winlogon executes every comma-separated entry of the UserInit value at each interactive logon, under the logging-on user's token. The default value is userinit.exe alone; the sample appends a second program to it.
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windupdt\\winupdate.exe" (process: a2a9aa7d747dc872400ced400f162bfa.exe)
Checks BIOS information in registry (2 TTPs, 1 IoC)
BIOS information is often read in order to detect sandboxing environments.
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate (process: a2a9aa7d747dc872400ced400f162bfa.exe)
Adds Run key to start application (2 TTPs, 2 IoCs)
The same per-user Run value is written twice, once by the sample and once by notepad.exe (PID 2392). A stock notepad.exe does not write Run keys; the write follows the sample's 24 WriteProcessMemory calls into that process (see below), so it is the sample's code executing inside notepad.
- Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windupdt\\winupdate.exe" (process: a2a9aa7d747dc872400ced400f162bfa.exe)
- Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windupdt\\winupdate.exe" (process: notepad.exe)
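The two persistence writes above can be triaged mechanically from the report rows themselves. The following Python is an added example and not part of the sandbox report or the sample: it parses "Set value (str)" rows (the two rows from this report are embedded as constructed input, together with one constructed benign row carrying the default UserInit value), splits the UserInit value on commas to surface any entry other than userinit.exe, and flags Run entries whose executable lives outside the Windows and Program Files trees. The TRUSTED_DIRS list and the "untrusted path" rule are heuristics chosen for this example, not rules stated by the report.

```python
import re
from dataclasses import dataclass, field

# Constructed sample input: the two "Set value (str)" IoCs from the report,
# plus one constructed benign row (the default UserInit value) that must not
# produce a finding.
REPORT_LINES = [
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windupdt\\winupdate.exe" a2a9aa7d747dc872400ced400f162bfa.exe',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windupdt\\winupdate.exe" notepad.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe," svchost.exe',
]

# One report row: Set value (str) <key> = "<value>" <process>
SET_VALUE_RE = re.compile(
    r'^Set value \(str\) (?P<key>\\REGISTRY\\.+?) = "(?P<value>.*)" (?P<proc>\S+)$'
)

# Heuristic (an assumption of this example): an autostart entry pointing
# under these directories is not suspicious on its own.
TRUSTED_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64", r"c:\program files")


@dataclass
class Finding:
    kind: str
    process: str
    key: str
    executables: list[str] = field(default_factory=list)


def unescape(reg_value: str) -> str:
    """The report doubles backslashes inside REG_SZ values; undo that."""
    return reg_value.replace("\\\\", "\\")


def check_userinit(value: str) -> list[str]:
    """Return every UserInit entry other than the legitimate userinit.exe.

    The default value is userinit.exe alone (with a trailing comma). Winlogon
    runs each comma-separated entry at logon, so any extra entry is persistence.
    """
    entries = [e.strip() for e in value.split(",") if e.strip()]
    return [e for e in entries if not e.lower().endswith(r"\system32\userinit.exe")]


def is_trusted_path(exe: str) -> bool:
    low = exe.lower().strip('"')
    return any(low.startswith(d) for d in TRUSTED_DIRS)


def triage(lines: list[str]) -> list[Finding]:
    """Classify each registry write row into a persistence finding, if any."""
    findings: list[Finding] = []
    for line in lines:
        m = SET_VALUE_RE.match(line)
        if not m:
            continue
        key, value, proc = m["key"], unescape(m["value"]), m["proc"]
        klow = key.lower()
        if klow.endswith(r"\winlogon\userinit"):
            extra = check_userinit(value)
            if extra:
                findings.append(Finding("winlogon_userinit", proc, key, extra))
        elif r"\currentversion\run" in klow:  # covers Run and RunOnce
            if not is_trusted_path(value):
                findings.append(Finding("run_key_untrusted_path", proc, key, [value]))
    return findings


if __name__ == "__main__":
    for f in triage(REPORT_LINES):
        print(f"{f.kind:<24} {f.process:<45} {f.executables}")
```

Run against the embedded rows, the UserInit row yields one extra entry (C:\Windupdt\winupdate.exe), the Run row is flagged because C:\Windupdt is outside the trusted trees, and the constructed default UserInit row yields nothing. The same split-on-comma check is what to apply when auditing UserInit on a live host: a second entry is never expected there.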
Suspicious use of SetThreadContext (1 IoC)
- PID 2180 (a2a9aa7d747dc872400ced400f162bfa.exe) set thread context of PID 2572 (explorer.exe, procid_target 32)
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Program crash (1 IoC)
- PID 2616 (WerFault.exe) handled the crash of PID 2572 (explorer.exe, procid_target 32)
Checks processor information in registry (2 TTPs, 4 IoCs)
Processor information is often read in order to detect sandboxing environments.
- Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (process: a2a9aa7d747dc872400ced400f162bfa.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (process: a2a9aa7d747dc872400ced400f162bfa.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier (process: a2a9aa7d747dc872400ced400f162bfa.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier (process: a2a9aa7d747dc872400ced400f162bfa.exe)
Enumerates system info in registry (2 TTPs, 1 IoC)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier (process: a2a9aa7d747dc872400ced400f162bfa.exe)
Suspicious use of AdjustPrivilegeToken (23 IoCs)
PID 2180 (a2a9aa7d747dc872400ced400f162bfa.exe) enabled the following privileges on its token:
- SeIncreaseQuotaPrivilege
- SeSecurityPrivilege
- SeTakeOwnershipPrivilege
- SeLoadDriverPrivilege
- SeSystemProfilePrivilege
- SeSystemtimePrivilege
- SeProfSingleProcessPrivilege
- SeIncBasePriorityPrivilege
- SeCreatePagefilePrivilege
- SeBackupPrivilege
- SeRestorePrivilege
- SeShutdownPrivilege
- SeDebugPrivilege
- SeSystemEnvironmentPrivilege
- SeChangeNotifyPrivilege
- SeRemoteShutdownPrivilege
- SeUndockPrivilege
- SeManageVolumePrivilege
- SeImpersonatePrivilege
- SeCreateGlobalPrivilege
- LUID 33 (SeIncreaseWorkingSetPrivilege)
- LUID 34 (SeTimeZonePrivilege)
- LUID 35 (SeCreateSymbolicLinkPrivilege)
These 23 privileges are the complete set held by an elevated administrator token on Windows 7: the sample enabled everything it held in one pass rather than the single privilege an operation needs. SeDebugPrivilege is the one relevant to the cross-process writes that follow, although writing into its own children does not strictly require it.
Suspicious use of FindShellTrayWindow (1 IoC)
- PID 2900 (DllHost.exe)
Suspicious use of WriteProcessMemory (34 IoCs)
The report lists one row per write; grouped by source and target:
- PID 2180 (a2a9aa7d747dc872400ced400f162bfa.exe) wrote to memory of PID 2392 (notepad.exe, procid_target 28): 24 writes
- PID 2180 (a2a9aa7d747dc872400ced400f162bfa.exe) wrote to memory of PID 2572 (explorer.exe, procid_target 32): 6 writes
- PID 2572 (explorer.exe) wrote to memory of PID 2616 (WerFault.exe, procid_target 33): 4 writes
Processes
All three children are 32-bit (SysWOW64) images. WerFault.exe is invoked with -p 2572, so the process that crashed is the explorer.exe the sample wrote into, which is where the sample's observed activity ends in this run.
- C:\Users\Admin\AppData\Local\Temp\a2a9aa7d747dc872400ced400f162bfa.exe (PID 2180)
  command line: "C:\Users\Admin\AppData\Local\Temp\a2a9aa7d747dc872400ced400f162bfa.exe"
  - Modifies WinLogon for persistence
  - Checks BIOS information in registry
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\notepad.exe (PID 2392, child of 2180)
    command line: notepad
    - Adds Run key to start application
  - C:\Windows\SysWOW64\explorer.exe (PID 2572, child of 2180)
    command line: "C:\Windows\SysWOW64\explorer.exe"
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\WerFault.exe (PID 2616, child of 2572)
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2572 -s 92
      - Program crash
- C:\Windows\SysWOW64\DllHost.exe (PID 2900)
  command line: C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
  - Suspicious use of FindShellTrayWindow
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 26KB
  MD5: b8a5444c4c6265114d28c257acf8fedc
  SHA1: c0c62d4b07a9e6123438a1f3b8f71dfb698fae0c
  SHA256: 2c0d316e5a9cf5ed7b80750330e4086a89c0156871cfdf6b6c672387434ae826
  SHA512: 8b90c41655ce2015c830f4c2ede060d7e8100bec9d88320c726663989f2df3d43ce22dc2958674c530f65c57505992b1be7e356937a17c6f2f32859b12358cde