Analysis

max time kernel: 148s
max time network: 153s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 28/02/2024, 17:30

Static task: static1
Behavioral task: behavioral1
Sample: ac73a098fc0087786195da49233085df.exe
Resource: win7-20240220-en
General

Target: ac73a098fc0087786195da49233085df.exe
Size: 107KB
MD5: ac73a098fc0087786195da49233085df
SHA1: d3e97fa079bdee8db1b62dd9985328c77de8658f
SHA256: 26a3e1ab7bb8e247aa5c111171cd2ef7bc5cef6eac57b8cd1892bb46e3ede61b
SHA512: 8aad6af134c72f6166bf983b07994831e9b522d98cc3eff0d70c98ce476cb21d2c6e1d3320251bfcf399eb704eaf603c1342135eb1d01a089674f68b696b2218
SSDEEP: 3072:BOlMfxs5l0ecVmSK8IT5wKFxmwRDOU+SrO1azi:BUEsswStowQmwAUFrEazi
Malware Config

Extracted
Family: sality
URLs:
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures

Executes dropped EXE (1 IoC)
pid   Process
1284  sss2.exe

YARA rule match
resource: behavioral2/memory/1556-1-0x00000000022E0000-0x0000000003313000-memory.dmp
yara_rule: upx

Drops file in System32 directory (3 IoCs)
description                    ioc                            Process
File created                   C:\Windows\SysWOW64\sss2.exe   ac73a098fc0087786195da49233085df.exe
File opened for modification   C:\Windows\SysWOW64\sss2.exe   ac73a098fc0087786195da49233085df.exe
File created                   C:\Windows\SysWOW64\sss2.exe   sss2.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
description                          pid   Process
Token: SeIncBasePriorityPrivilege    1556  ac73a098fc0087786195da49233085df.exe
Token: SeIncBasePriorityPrivilege    1284  sss2.exe

Suspicious use of WriteProcessMemory (9 IoCs)
description                          pid   Process                                procid_target
PID 1556 wrote to memory of 1284     1556  ac73a098fc0087786195da49233085df.exe   86
PID 1556 wrote to memory of 1284     1556  ac73a098fc0087786195da49233085df.exe   86
PID 1556 wrote to memory of 1284     1556  ac73a098fc0087786195da49233085df.exe   86
PID 1556 wrote to memory of 2284     1556  ac73a098fc0087786195da49233085df.exe   87
PID 1556 wrote to memory of 2284     1556  ac73a098fc0087786195da49233085df.exe   87
PID 1556 wrote to memory of 2284     1556  ac73a098fc0087786195da49233085df.exe   87
PID 1284 wrote to memory of 1776     1284  sss2.exe                               88
PID 1284 wrote to memory of 1776     1284  sss2.exe                               88
PID 1284 wrote to memory of 1776     1284  sss2.exe                               88
Processes

C:\Users\Admin\AppData\Local\Temp\ac73a098fc0087786195da49233085df.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\ac73a098fc0087786195da49233085df.exe"
  PID: 1556
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\sss2.exe
    Command line: "C:\Windows\system32\sss2.exe"
    PID: 1284
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /C del C:\Windows\SysWOW64\sss2.exe > nul
      PID: 1776

  C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /C del C:\Users\Admin\AppData\Local\Temp\AC73A0~1.EXE > nul
    PID: 2284
Network
MITRE ATT&CK Matrix
Downloads

Filesize: 107KB
MD5: ac73a098fc0087786195da49233085df
SHA1: d3e97fa079bdee8db1b62dd9985328c77de8658f
SHA256: 26a3e1ab7bb8e247aa5c111171cd2ef7bc5cef6eac57b8cd1892bb46e3ede61b
SHA512: 8aad6af134c72f6166bf983b07994831e9b522d98cc3eff0d70c98ce476cb21d2c6e1d3320251bfcf399eb704eaf603c1342135eb1d01a089674f68b696b2218