Analysis
max time kernel: 299s
max time network: 301s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 13/03/2024, 23:02
Behavioral task: behavioral1
Sample: B9HxGSsgMc8Ju.exe
Resource: win7-20240221-en
6 signatures, 300 seconds

Behavioral task: behavioral2
Sample: B9HxGSsgMc8Ju.exe
Resource: win10v2004-20240226-en
7 signatures, 300 seconds
General
Target: B9HxGSsgMc8Ju.exe
Size: 3.4MB
MD5: a198d2e7ddac7c3d381da9b2e5446142
SHA1: 61aff012de5ac9eb5247f182320b1df434a22c93
SHA256: f432910b309b296e4cf2e662092657060f0e24222ccf1239a67c69b9db8daf68
SHA512: 6e661c2c46ea0f57dc0dafe0e01bc32258d740d9938bec27b7558ae020ff51cdfd41351df52b06da86f25dc59c318fa37660b7da51ad34dd69b0f8bcbcb6b44a
SSDEEP: 98304:ZBvIB2CVEqzsJGwUv6Fvx6KW2wBBJIdnjjgI8D:ZekJGwUi1WMjjW
Score: 8/10
Malware Config
Signatures

Sets service image path in registry (2 TTPs, 1 IoC)
description: Set value (str)
ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wfRKvEqgUPjEiRRelCaDA\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\GiOiYOwMfsRnCucoBqyqoOIieqBbqb"
process: B9HxGSsgMc8Ju.exe

Loads dropped DLL (1 IoC)
pid 3400, process B9HxGSsgMc8Ju.exe

YARA rule matches (signature name lost in extraction; 2 IoCs)
resource: behavioral2/memory/3400-2-0x0000000000400000-0x0000000000B45000-memory.dmp, yara_rule: vmprotect
resource: behavioral2/memory/3400-11-0x0000000000400000-0x0000000000B45000-memory.dmp, yara_rule: vmprotect

Suspicious use of NtSetInformationThreadHideFromDebugger (2 IoCs)
pid 3400, process B9HxGSsgMc8Ju.exe (2 identical entries)

Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid 3400, process B9HxGSsgMc8Ju.exe (64 identical entries)

Suspicious behavior: LoadsDriver (1 IoC)
pid 3400, process B9HxGSsgMc8Ju.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
Token: SeDebugPrivilege, pid 3400, process B9HxGSsgMc8Ju.exe
Token: SeLoadDriverPrivilege, pid 3400, process B9HxGSsgMc8Ju.exe
Processes

C:\Users\Admin\AppData\Local\Temp\B9HxGSsgMc8Ju.exe
command line: "C:\Users\Admin\AppData\Local\Temp\B9HxGSsgMc8Ju.exe"
PID: 3400
- Sets service image path in registry
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: LoadsDriver
- Suspicious use of AdjustPrivilegeToken