Analysis
-
max time kernel
118s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system -
submitted
02/03/2024, 16:36
Static task
static1
Behavioral task
behavioral1
Sample
injector.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
injector.exe
Resource
win10v2004-20240226-en
General
-
Target
injector.exe
-
Size
507KB
-
MD5
d2ce96fcc35f20e4707697b98912d1a3
-
SHA1
b8f4d065d36a6c3f96d2f75f673944874f8302b7
-
SHA256
c4ff79e810552e4191894285875fe01c9c7b957c7d76228cdbeeb1b2132338ba
-
SHA512
4cda92e11838c1f6bacf2e0597c321678e00a7171761c2a9f5e25edfc66a7e458533e0ba646715e99962440dd9551f0d4897e1bac0860b09147565b00f036e45
-
SSDEEP
6144:oG0Sx4x1VJswRYC8baxFIl+DJQATVbohlDOJh67V4CWWlI+8NyxNX2NnRI/d:Wi44wRrEl+DJLdo6az1mNRi
Malware Config
Signatures
-
Sets service image path in registry 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\QiyqtujcgQRYZbrVbscVOxO\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\QiyqtujcgQRYZbrVbscVOxO" xcW8Z.exe -
Executes dropped EXE 1 IoCs
pid Process 2572 xcW8Z.exe -
Loads dropped DLL 1 IoCs
pid Process 2380 injector.exe -
Drops file in Windows directory 1 IoCs
description ioc Process File created C:\Windows\SoftwareDistribution\Download\xcW8Z.exe injector.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: LoadsDriver 1 IoCs
pid Process 2572 xcW8Z.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeLoadDriverPrivilege 2572 xcW8Z.exe -
Suspicious use of WriteProcessMemory 9 IoCs
description | pid | Process | procid_target
PID 2380 wrote to memory of 2168 | 2380 | injector.exe | 29
PID 2380 wrote to memory of 2168 | 2380 | injector.exe | 29
PID 2380 wrote to memory of 2168 | 2380 | injector.exe | 29
PID 2380 wrote to memory of 2100 | 2380 | injector.exe | 30
PID 2380 wrote to memory of 2100 | 2380 | injector.exe | 30
PID 2380 wrote to memory of 2100 | 2380 | injector.exe | 30
PID 2380 wrote to memory of 2572 | 2380 | injector.exe | 31
PID 2380 wrote to memory of 2572 | 2380 | injector.exe | 31
PID 2380 wrote to memory of 2572 | 2380 | injector.exe | 31
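The registry IoC above is the part of this report worth turning into a hunt: xcW8Z.exe enables SeLoadDriverPrivilege, writes an ImagePath under services\QiyqtujcgQRYZbrVbscVOxO that points to an extension-less file in the user's AppData\Local\Temp via the NT device prefix \??\, and the LoadsDriver signature fires. A service or driver image under a user profile is rare in legitimate software, so the following check flags ImagePath writes with that shape. This is an added example written for this page, not code from the sandbox vendor; the event records are constructed in a Sysmon Event ID 13 (registry value set) style, the first mirroring the report's IoC and the rest serving as benign controls, and the function names `strip_device_prefix`, `assess_image_path` and `hunt` are this example's own.

```python
"""Flag service ImagePath registry writes whose target is staged outside the
normal system locations (user profile, Temp, ProgramData, no .sys/.exe
extension, NT device prefix on a non-drivers path). Added example for this
report page; not sandbox vendor code."""
import os
from dataclasses import dataclass, field

# Directories under which a service binary or kernel driver should not live.
SUSPICIOUS_DIRS = ("\\users\\", "\\temp\\", "\\programdata\\")
NORMAL_DRIVER_DIR = "\\system32\\drivers\\"
ALLOWED_EXT = (".sys", ".exe")

# CONSTRUCTED Sysmon-EID-13-style records. The first mirrors the report's IoC
# (ControlSet001 is how the sandbox renders CurrentControlSet); the others are
# benign controls.
SAMPLE_EVENTS = [
    {"process": "xcW8Z.exe", "pid": 2572,
     "key": r"HKLM\SYSTEM\ControlSet001\services\QiyqtujcgQRYZbrVbscVOxO\ImagePath",
     "value": r"\??\C:\Users\Admin\AppData\Local\Temp\QiyqtujcgQRYZbrVbscVOxO"},
    {"process": "services.exe", "pid": 512,
     "key": r"HKLM\SYSTEM\CurrentControlSet\Services\Spooler\ImagePath",
     "value": r"%SystemRoot%\System32\spoolsv.exe"},
    {"process": "services.exe", "pid": 512,
     "key": r"HKLM\SYSTEM\CurrentControlSet\Services\tcpip\ImagePath",
     "value": r"system32\drivers\tcpip.sys"},
    {"process": "msiexec.exe", "pid": 3000,
     "key": r"HKLM\SYSTEM\CurrentControlSet\Services\ExampleSvc\Start",
     "value": "2"},
]


@dataclass
class Finding:
    service: str
    process: str
    pid: int
    image_path: str
    reasons: list = field(default_factory=list)


def strip_device_prefix(value):
    """Return (path, had_prefix). Undoes the doubled backslashes the sandbox
    prints, drops surrounding quotes and a leading NT prefix (\\??\\ or \\\\?\\).
    Caveat: the collapse also turns a UNC \\\\server\\share into \\server\\share."""
    v = value.strip().strip('"').replace("\\\\", "\\")
    for prefix in ("\\??\\", "\\?\\"):
        if v.startswith(prefix):
            return v[len(prefix):], True
    return v, False


def assess_image_path(event):
    """Return a Finding when an ImagePath write looks like a staged service or
    driver image, else None. Writes to other values are ignored."""
    parts = event["key"].split("\\")
    if len(parts) < 2 or parts[-1].lower() != "imagepath":
        return None
    service = parts[-2]
    path, device_prefixed = strip_device_prefix(event["value"])
    low = path.lower()
    reasons = []
    if any(d in low for d in SUSPICIOUS_DIRS):
        reasons.append("image under a user profile, Temp or ProgramData directory")
    ext = os.path.splitext(low.rsplit("\\", 1)[-1])[1]
    if ext not in ALLOWED_EXT:
        reasons.append("image has no .sys/.exe extension")
    if device_prefixed and NORMAL_DRIVER_DIR not in low:
        reasons.append("NT device prefix on a path outside System32\\drivers")
    if not reasons:
        return None
    return Finding(service, event["process"], event["pid"], path, reasons)


def hunt(events):
    """Run assess_image_path over a list of records and keep the hits."""
    return [f for f in (assess_image_path(e) for e in events) if f is not None]


if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"{f.process} (pid {f.pid}) set {f.service} -> {f.image_path}")
        for r in f.reasons:
            print("   ", r)
```

On a live host the same three tests can be applied to `Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\*' -Name ImagePath` output; the sandbox's ControlSet001 and a real CurrentControlSet key are handled identically because only the last two path components are used.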
Processes
-
C:\Users\Admin\AppData\Local\Temp\injector.exe  "C:\Users\Admin\AppData\Local\Temp\injector.exe"
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2380 -
    C:\Windows\system32\cmd.exe  C:\Windows\system32\cmd.exe /c cls
    PID:2168
    C:\Windows\system32\cmd.exe  C:\Windows\system32\cmd.exe /c color 9
    PID:2100
    C:\Windows\SoftwareDistribution\Download\xcW8Z.exe  "C:\Windows\SoftwareDistribution\Download\xcW8Z.exe"
    - Sets service image path in registry
    - Executes dropped EXE
    - Suspicious behavior: LoadsDriver
    - Suspicious use of AdjustPrivilegeToken
    PID:2572
-
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
100KB
MD5
9886a738e05f8a8fe04e9d0c81cc0909
-
SHA1
f659c6a123eb11f6f34f618265dbd54a9aa7f5e3
-
SHA256
abf99bd1d851c4c7015b999e81fb080e7e1147973e6a3a77c8ba7895cc8abbb6
-
SHA512
0d3b9e9a1a38efe1e963b929a33a8a13d4636d8056ab04fce958333db983b9fb401946c9b6990d18e9c2e2d4c2dbd2fb6aae5385e4234a5d86ef8adb98d56a21