Analysis
- max time kernel: 148s
- max time network: 153s
- platform: windows10-2004_x64
- resource: win10v2004-20240221-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240221-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 24/02/2024, 20:19
Static task: static1
Behavioral task: behavioral1
- Sample: a2a9aa7d747dc872400ced400f162bfa.exe
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: a2a9aa7d747dc872400ced400f162bfa.exe
- Resource: win10v2004-20240221-en
The platform and resource fields above (windows10-2004_x64, win10v2004-20240221-en) identify this page as the behavioral2 run; the Windows 7 run is a separate report.
General
- Target: a2a9aa7d747dc872400ced400f162bfa.exe
- Size: 1.1MB
- MD5: a2a9aa7d747dc872400ced400f162bfa
- SHA1: c7c900a9b5341975beef45d15acaf24d93e0e42d
- SHA256: f5f0bd9714c7b145305035b817957668e9ac5f1aac855ae82a638011e6860488
- SHA512: 8ee2ed9b131091fb6ab2103117fbc69f7337dd2d1bf7db2c0dd30d12ac637a4302b1c86350232259a9a81fd3601f222b75731759a69528e0cf3d60383678c053
- SSDEEP: 24576:fi/ilk3kas5dc3N9rN6s0lcdEE+6hkknUnk3nnUm:6ek3kas5CNhN6RlcdELQ
Malware Config
Signatures
Modifies WinLogon for persistence (2 TTPs, 1 IoC)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windupdt\\winupdate.exe" (process: a2a9aa7d747dc872400ced400f162bfa.exe)
Winlogon launches every comma-separated program listed in UserInit at each interactive logon. The default value is "C:\Windows\system32\userinit.exe," (with a trailing comma), so appending C:\Windupdt\winupdate.exe makes that file run as the logging-on user at every logon while userinit.exe still starts normally. When checking a host, compare the whole value against the default rather than only confirming that userinit.exe is still listed.
Checks BIOS information in registry (2 TTPs, 1 IoC)
BIOS information is often read in order to detect sandboxing environments.
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate (process: a2a9aa7d747dc872400ced400f162bfa.exe)
Adds Run key to start application (2 TTPs, 2 IoCs)
- Set value (str): \REGISTRY\USER\S-1-5-21-1414748551-1520717498-2956787782-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windupdt\\winupdate.exe" (process: a2a9aa7d747dc872400ced400f162bfa.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-1414748551-1520717498-2956787782-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windupdt\\winupdate.exe" (process: notepad.exe)
The same value is written twice: once by the sample and once by notepad.exe (PID 2244), the process the sample wrote into 23 times (see "Suspicious use of WriteProcessMemory" below). A stock notepad.exe does not write Run keys, so the second write is code executing inside notepad.exe. Together with the UserInit change this gives two separate logon-time launches of C:\Windupdt\winupdate.exe: one per-user (HKCU Run) and one machine-wide (Winlogon).
Suspicious use of SetThreadContext (1 IoC)
- PID 1660 (a2a9aa7d747dc872400ced400f162bfa.exe) set thread context of PID 4528 (explorer.exe, procid_target 91)
Changing another process's thread context after writing into its memory (the five WriteProcessMemory entries for PID 4528 below) is the sequence used to redirect a newly created process into attacker-supplied code. PID 4528 is also the process WerFault later reports as crashed, so the redirected explorer.exe did not keep running in this environment.
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Program crash (1 IoC)
- WerFault.exe (PID 1980) reported a crash of PID 4528 (explorer.exe, procid_target 91)
Checks processor information in registry (2 TTPs, 4 IoCs)
Processor information is often read in order to detect sandboxing environments.
- Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (process: a2a9aa7d747dc872400ced400f162bfa.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (process: a2a9aa7d747dc872400ced400f162bfa.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier (process: a2a9aa7d747dc872400ced400f162bfa.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier (process: a2a9aa7d747dc872400ced400f162bfa.exe)
Enumerates system info in registry (2 TTPs, 1 IoC)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier (process: a2a9aa7d747dc872400ced400f162bfa.exe)
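The persistence entries above (the Winlogon UserInit value and the HKCU Run value) and the HARDWARE\DESCRIPTION reads (SystemBiosDate, Identifier, the CentralProcessor\0 values) are all plain registry lookups, so one host-side triage script covers both groups of signatures. The script below is an added example written for this report; it is not sandbox output and not code from the sample. It checks a Windows host for the same two persistence entries and the file they point to, then prints the values the sample read for sandbox detection and flags any that contain a hypervisor name. Assumptions: it runs in an elevated PowerShell 5.1 or later session; the default UserInit value and the hypervisor marker list are the author's (the markers are a common set, not an exhaustive one); and the WOW6432Node Winlogon path is checked only in case a 32-bit writer was redirected there.

```powershell
# Added triage script for the IoCs in this report (not sandbox or sample code).
# Read-only; run elevated so HKLM and every loaded user hive are visible.

$findings = [System.Collections.Generic.List[string]]::new()

# --- 1. Winlogon\UserInit ----------------------------------------------------
# Default is "C:\Windows\system32\userinit.exe," (trailing comma). Winlogon runs
# every comma-separated entry, so anything besides userinit.exe is persistence.
$winlogonKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon'  # assumption: 32-bit writer may land here
)
foreach ($k in $winlogonKeys) {
    $userInit = (Get-ItemProperty -Path $k -Name UserInit -ErrorAction SilentlyContinue).UserInit
    if (-not $userInit) { continue }
    $entries = $userInit -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ }
    foreach ($e in $entries) {
        if ($e -notlike '*\system32\userinit.exe') {
            $findings.Add("UserInit extra entry in ${k}: $e")
        }
    }
}

# --- 2. Run keys -------------------------------------------------------------
# The report shows HKCU\...\Run\winupdater = C:\Windupdt\winupdate.exe. Check
# HKLM (both registry views) and every loaded user hive under HKEY_USERS.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
)
$userRunKeys = @(Get-ChildItem -Path 'Registry::HKEY_USERS' -ErrorAction SilentlyContinue |
    ForEach-Object { "Registry::$($_.Name)\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" })
$runKeys += $userRunKeys
foreach ($k in $runKeys) {
    $props = Get-ItemProperty -Path $k -ErrorAction SilentlyContinue
    if (-not $props) { continue }
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }          # provider metadata (PSPath, PSDrive, ...)
        $v = [string]$p.Value
        if ($p.Name -eq 'winupdater' -or $v -like '*\Windupdt\*') {
            $findings.Add("Run key IoC match: ${k}\$($p.Name) = $v")
        } elseif ($v -notmatch '^"?[A-Za-z]:\\(Program Files( \(x86\))?|Windows)\\') {
            $findings.Add("Run entry outside Program Files/Windows (review): ${k}\$($p.Name) = $v")
        }
    }
}

# --- 3. The file both persistence entries point to ---------------------------
$target = 'C:\Windupdt\winupdate.exe'
if (Test-Path -LiteralPath $target) {
    $sha = (Get-FileHash -LiteralPath $target -Algorithm SHA256).Hash
    $findings.Add("Persistence target present: $target SHA256=$sha")
}

# --- 4. Registry values the sample read for sandbox detection ----------------
# Malware compares these with hypervisor strings; print what this host exposes.
$hw   = 'HKLM:\HARDWARE\DESCRIPTION\System'
$sys  = Get-ItemProperty -Path $hw -ErrorAction SilentlyContinue
$cpu0 = Get-ItemProperty -Path "$hw\CentralProcessor\0" -ErrorAction SilentlyContinue
$probe = [ordered]@{
    'System\SystemBiosDate'                  = $sys.SystemBiosDate
    'System\Identifier'                      = $sys.Identifier
    'CentralProcessor\0\ProcessorNameString' = $cpu0.ProcessorNameString
    'CentralProcessor\0\Identifier'          = $cpu0.Identifier
    'CentralProcessor\0\VendorIdentifier'    = $cpu0.VendorIdentifier
}
$vmMarkers = 'VMware', 'VirtualBox', 'VBOX', 'QEMU', 'Xen', 'Hyper-V', 'KVM', 'Virtual'  # assumption: common, not exhaustive
foreach ($kv in $probe.GetEnumerator()) {
    $value = "$($kv.Value)"
    $hits  = @($vmMarkers | Where-Object { $value -match [regex]::Escape($_) })
    $flag  = if ($hits.Count) { " <- hypervisor marker: $($hits -join ', ')" } else { '' }
    '{0,-42} {1}{2}' -f $kv.Key, $value, $flag
}

if ($findings.Count -gt 0) { $findings | ForEach-Object { Write-Warning $_ } }
else { 'No persistence IoCs from this report found.' }
```

Section 4 is also useful when tuning a sandbox: if the printed values carry a hypervisor marker, a sample that performs these reads can branch away from its real behaviour, which is one reason a report like this one can end with a crash instead of a payload.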
Suspicious use of AdjustPrivilegeToken (24 IoCs)
PID 1660 (a2a9aa7d747dc872400ced400f162bfa.exe) adjusted the following privileges in its own token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, and the privileges with LUIDs 33, 34, 35 and 36 (left unnamed by the report; in winnt.h these are SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege, SeCreateSymbolicLinkPrivilege and SeDelegateSessionUserImpersonatePrivilege).
This is the complete privilege set of an unfiltered administrator token, enabled in one pass, which is the signature of a generic "enable every privilege" routine rather than a request for any single right. It also shows the sample ran elevated in the sandbox (the sample path is under C:\Users\Admin); a filtered or standard-user token would not hold SeDebugPrivilege or SeLoadDriverPrivilege to enable.
Suspicious use of WriteProcessMemory (28 IoCs)
- PID 1660 (a2a9aa7d747dc872400ced400f162bfa.exe) wrote to memory of PID 2244 (notepad.exe, procid_target 87): 23 writes
- PID 1660 (a2a9aa7d747dc872400ced400f162bfa.exe) wrote to memory of PID 4528 (explorer.exe, procid_target 91): 5 writes
Both targets are children the sample started itself (see the process tree), so the handle it writes through comes from CreateProcess; no OpenProcess on a foreign process and no debug privilege is involved, and a hunt that keys only on SeDebugPrivilege or on cross-session handle opens will miss this. Of the two branches, the notepad.exe one ran (it set the Run key above) while the explorer.exe one crashed.
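The SetThreadContext entry and the WriteProcessMemory writes into PIDs 2244 and 4528 describe one sequence: an executable in the user's Temp directory starts a Windows binary from SysWOW64, writes into it, and (for explorer.exe) redirects its thread, after which that child crashes and WerFault is started for its PID. The script below is an added example written for this report, not sandbox output and not code from the sample, that hunts for the same sequence on a host running Sysmon. It assumes Sysmon logs ProcessCreate (event 1) and ProcessAccess (event 10) for the processes involved (the default Sysmon configuration logs event 10 only for a few targets, so the write-access column may stay false even when the spawn and crash match); the look-back window, the parent path patterns and the child binary names are assumptions taken from this process tree.

```powershell
# Added hunt for the spawn -> write -> crash sequence in this report (not sandbox or sample code).
# Requires Sysmon with event IDs 1 and 10 enabled; run elevated.

$Hours = 24   # assumption: look-back window

function Get-SysmonData {
    # Flatten a Sysmon event's <EventData> into a hashtable keyed by field name.
    param($Event)
    $fields = @{}
    foreach ($d in ([xml]$Event.ToXml()).Event.EventData.Data) { $fields[$d.Name] = $d.'#text' }
    $fields
}

function Get-SysmonEvents {
    param([int]$Id)
    $filter = @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = $Id; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object { Get-SysmonData $_ }
}

$creates = @(Get-SysmonEvents -Id 1)
$access  = @(Get-SysmonEvents -Id 10)

# Step 1: an executable in a user-writable directory starts a Windows binary
# (this report: %TEMP%\<sample>.exe -> SysWOW64\notepad.exe and SysWOW64\explorer.exe).
$spawns = $creates | Where-Object {
    $_.ParentImage -match '(?i)\\(AppData\\Local\\Temp|Downloads|Users\\Public)\\' -and
    $_.Image       -match '(?i)\\(SysWOW64|System32)\\(notepad|explorer)\.exe$'
}

# Step 2: the parent holds the child with write access. 0x20 = PROCESS_VM_WRITE,
# 0x08 = PROCESS_VM_OPERATION. SetThreadContext itself is not a Sysmon event.
$writers = $access | Where-Object {
    $_.GrantedAccess -and (([Convert]::ToInt64($_.GrantedAccess, 16) -band 0x28) -ne 0)
}

# Step 3: WerFault started for the child PID (this report: "WerFault.exe -u -p 4528 -s 252").
$crashes = $creates | Where-Object { $_.Image -match '(?i)\\WerFault\.exe$' }

foreach ($s in $spawns) {
    $wrote   = @($writers | Where-Object { $_.SourceProcessId -eq $s.ParentProcessId -and $_.TargetProcessId -eq $s.ProcessId })
    $crashed = @($crashes | Where-Object { $_.CommandLine -match "\s-p\s+$($s.ProcessId)\b" })
    [pscustomobject]@{
        Parent           = $s.ParentImage
        Child            = $s.Image
        ChildPid         = $s.ProcessId
        ParentWroteChild = $wrote.Count -gt 0
        ChildCrashed     = $crashed.Count -gt 0
    }
}
```

A row with ParentWroteChild and ChildCrashed both true reproduces exactly what this report shows for explorer.exe; a row with only ParentWroteChild true matches the notepad.exe branch, where the injected code ran without crashing. Sysmon process IDs are reused over time, so on a busy host narrow $Hours before trusting a PID join.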
Processes
- C:\Users\Admin\AppData\Local\Temp\a2a9aa7d747dc872400ced400f162bfa.exe (PID 1660)
  Command line: "C:\Users\Admin\AppData\Local\Temp\a2a9aa7d747dc872400ced400f162bfa.exe"
  Signatures: Modifies WinLogon for persistence; Checks BIOS information in registry; Adds Run key to start application; Suspicious use of SetThreadContext; Checks processor information in registry; Enumerates system info in registry; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\notepad.exe (PID 2244)
    Command line: notepad
    Signatures: Adds Run key to start application
  - C:\Windows\SysWOW64\explorer.exe (PID 4528)
    Command line: "C:\Windows\SysWOW64\explorer.exe"
    - C:\Windows\SysWOW64\WerFault.exe (PID 1980)
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4528 -s 252
      Signatures: Program crash
- C:\Windows\SysWOW64\WerFault.exe (PID 1768)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 4528 -ip 4528
Every child image lives under C:\Windows\SysWOW64, so the sample is a 32-bit executable running under WOW64 on the x64 guest; the bare "notepad" command line resolved to the 32-bit notepad.exe through file-system redirection. Both WerFault instances reference PID 4528, the explorer.exe child that received the memory writes and the SetThreadContext call.
Network
MITRE ATT&CK Enterprise v15
Downloads
- Sample download (hashes match the submitted file above)
  - Filesize: 1.1MB
  - MD5: a2a9aa7d747dc872400ced400f162bfa
  - SHA1: c7c900a9b5341975beef45d15acaf24d93e0e42d
  - SHA256: f5f0bd9714c7b145305035b817957668e9ac5f1aac855ae82a638011e6860488
  - SHA512: 8ee2ed9b131091fb6ab2103117fbc69f7337dd2d1bf7db2c0dd30d12ac637a4302b1c86350232259a9a81fd3601f222b75731759a69528e0cf3d60383678c053