Analysis

  • max time kernel
    60s
  • max time network
    94s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    10/03/2024, 07:50

Errors

Reason
Machine shutdown (the analysis VM shut down during the run, so any behaviour after that point was not captured)

General

  • Target

    sidchg64-3.0j.exe

  • Size

    1.6MB

  • MD5

    0985a28d3bd60aac4320e4bb8418623b

  • SHA1

    ccf81ecdce7939fd4cc9d7b40877ced3987b95c0

  • SHA256

    d2c3d560a6ad7e714992483ce7044999ed7e56990076a019e530eaa399f5c6cf

  • SHA512

    7d251b6c9353b4b68b08a29d3301fb330127371a633b43e2c345b70f6440fdaa7b7666889f80efca05a8376616b0a7afdac7e4b24bbf582b35b555b0015e05f1

  • SSDEEP

    24576:PiOv0tuHBEwdjEaZJVamphU9hDe/1Cdc0LQgTjCQyQwodrtDTHf66bmIHYV6O:Pi8VxdjEabpGD8bE5yQwodrtDT/lK6O

Score
10/10

Malware Config

Signatures

  • Modifies firewall policy service (2 TTPs, 64 IoCs)
  • Modifies security service (2 TTPs, 39 IoCs)
  • Modifies RDP port number used by Windows (1 TTP)
  • Executes dropped EXE (1 IoC)
  • Maps connected drives based on registry (3 TTPs, 7 IoCs)

    Disk information is often read in order to detect sandboxing environments.

  • Modifies WinLogon (2 TTPs, 3 IoCs)
  • Checks system information in the registry (2 TTPs, 2 IoCs)

    System information is often read in order to detect sandboxing environments.

  • Checks SCSI registry key(s) (3 TTPs, 64 IoCs)

    SCSI information is often read in order to detect sandboxing environments.

  • Modifies data under HKEY_USERS (37 IoCs)
  • Modifies registry class (9 IoCs)
  • Suspicious behavior: EnumeratesProcesses (13 IoCs)
  • Suspicious behavior: LoadsDriver (64 IoCs)
  • Suspicious use of AdjustPrivilegeToken (6 IoCs)
  • Suspicious use of SetWindowsHookEx (1 IoC)
  • System policy modification (1 TTP, 5 IoCs)
  • Uses Task Scheduler COM API (1 TTP)

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
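As an added host-triage example (not part of the sandbox report and not code from the analysed binary), the PowerShell script below reads the registry locations behind the signatures listed above and looks for the artefacts named in the process list (the dropped copy in C:\Windows\Temp and a service matching the /SIDCHGSERVICE name). The registry paths are the standard Windows locations; the expected defaults are for a stock Windows 10 install, and the set of services checked under "Modifies security service" (wscsvc, WinDefend, MpsSvc, SecurityHealthService) is an assumption about what that signature covers. Run it from an elevated prompt on the host you are triaging.

```powershell
# Added example (not from the report): host-side check for the registry locations
# behind the signatures above plus the artefacts named in the process list.
# Assumptions: stock Windows 10 defaults; the service list under "security
# service" is a guess at what that signature covers.
$ErrorActionPreference = 'SilentlyContinue'

function Invoke-SignatureTriage {
    $findings = New-Object System.Collections.Generic.List[object]
    function Add-Finding([string]$Check, [string]$Detail, [bool]$Hit) {
        $findings.Add([pscustomobject]@{ Check = $Check; Hit = $Hit; Detail = $Detail })
    }

    # 1. Registry values with a known default: RDP port, Winlogon, firewall policy, system policy
    $fwPolicy = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy'
    $valueChecks = @(
        @{ Check = 'RDP port number';   Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'; Name = 'PortNumber'; Expected = 3389 }
        @{ Check = 'Winlogon Shell';    Path = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'; Name = 'Shell';    Expected = 'explorer.exe' }
        @{ Check = 'Winlogon Userinit'; Path = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'; Name = 'Userinit'; Expected = 'C:\Windows\system32\userinit.exe,' }
        @{ Check = 'Firewall (Standard profile)'; Path = "$fwPolicy\StandardProfile"; Name = 'EnableFirewall'; Expected = 1 }
        @{ Check = 'Firewall (Public profile)';   Path = "$fwPolicy\PublicProfile";   Name = 'EnableFirewall'; Expected = 1 }
        @{ Check = 'System policy (UAC)'; Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'; Name = 'EnableLUA'; Expected = 1 }
    )
    foreach ($c in $valueChecks) {
        $actual = (Get-ItemProperty -Path $c.Path -Name $c.Name).($c.Name)
        # Hit only when the value exists and differs from the stock default
        Add-Finding $c.Check "$($c.Name) = '$actual' (default '$($c.Expected)')" ($null -ne $actual -and $actual -ne $c.Expected)
    }

    # 2. Start type of security-related services (assumed coverage of the signature); 4 = disabled
    foreach ($svc in 'wscsvc', 'WinDefend', 'MpsSvc', 'SecurityHealthService') {
        $start = (Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\$svc" -Name Start).Start
        Add-Finding "Service $svc" "Start = $start" ($start -eq 4)
    }

    # 3. Artefacts from the process list: the dropped copy and a service named like the /SIDCHGSERVICE argument
    $dropped = 'C:\Windows\Temp\sidchg64_.exe'
    $sampleSha256 = 'd2c3d560a6ad7e714992483ce7044999ed7e56990076a019e530eaa399f5c6cf'
    if (Test-Path -Path $dropped) {
        $hash = (Get-FileHash -Path $dropped -Algorithm SHA256).Hash
        Add-Finding 'Dropped EXE' "$dropped SHA256 $hash" ($hash -eq $sampleSha256)
    } else {
        Add-Finding 'Dropped EXE' "$dropped not present" $false
    }
    foreach ($svc in (Get-Service -Name 'SIDCHG*')) {
        Add-Finding 'SIDCHG service' "$($svc.Name) is $($svc.Status)" $true
    }

    # 4. Scheduled tasks outside the Microsoft tree (what Task Scheduler COM API persistence would leave behind)
    Get-ScheduledTask | Where-Object { $_.TaskPath -notlike '\Microsoft\*' } | ForEach-Object {
        Add-Finding 'Scheduled task' "$($_.TaskPath)$($_.TaskName) -> $($_.Actions.Execute -join ' ')" $true
    }

    # 5. SCSI identifiers: the vendor strings a sandbox/VM check reads from HKLM\HARDWARE\DEVICEMAP\Scsi
    Get-ChildItem -Path 'HKLM:\HARDWARE\DEVICEMAP\Scsi' -Recurse | ForEach-Object {
        $id = (Get-ItemProperty -Path $_.PSPath -Name Identifier).Identifier
        if ($id) { Add-Finding 'SCSI identifier' $id $false }
    }

    return $findings
}

Invoke-SignatureTriage | Format-Table -Property Check, Hit, Detail -AutoSize
```

Rows with Hit set to True are the ones worth a second look: a value that departs from the stock default, a disabled security service, a dropped file whose SHA256 matches the sample, a SIDCHG* service, or any non-Microsoft scheduled task. The SCSI rows are informational only; they show what a registry-based VM check on that host would see.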

Processes

  • C:\Users\Admin\AppData\Local\Temp\sidchg64-3.0j.exe
    "C:\Users\Admin\AppData\Local\Temp\sidchg64-3.0j.exe"
    1⤵
    • Modifies WinLogon
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • System policy modification
    PID:376
  • C:\Windows\Temp\sidchg64_.exe
    "C:\Windows\Temp\sidchg64_.exe" /SIDCHGSERVICE=SIDCHG1710057108 /RDA=1cb35193b4a733e61493c25f "/D=" "/COMPNAME=" /DBG:0
    1⤵
    • Modifies firewall policy service
    • Modifies security service
    • Executes dropped EXE
    • Maps connected drives based on registry
    • Checks system information in the registry
    • Checks SCSI registry key(s)
    • Modifies data under HKEY_USERS
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • System policy modification
    PID:1592
  • C:\Windows\system32\LogonUI.exe
    "LogonUI.exe" /flags:0x4 /state0:0xa3976055 /state1:0x41c64e6d
    1⤵
    • Modifies data under HKEY_USERS
    • Suspicious use of SetWindowsHookEx
    PID:1524

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\Temp\sidchg64_.exe

    Filesize
    1.6MB

    MD5
    0985a28d3bd60aac4320e4bb8418623b

    SHA1
    ccf81ecdce7939fd4cc9d7b40877ced3987b95c0

    SHA256
    d2c3d560a6ad7e714992483ce7044999ed7e56990076a019e530eaa399f5c6cf

    SHA512
    7d251b6c9353b4b68b08a29d3301fb330127371a633b43e2c345b70f6440fdaa7b7666889f80efca05a8376616b0a7afdac7e4b24bbf582b35b555b0015e05f1

    Every hash matches the submitted sample: sidchg64_.exe is a byte-identical copy of sidchg64-3.0j.exe written to C:\Windows\Temp and relaunched from there with the /SIDCHGSERVICE and /RDA parameters shown in the process list.