Static task
static1
Behavioral task
behavioral1
Sample
5181d2e71e8e73a82712a483a80aaea94e1efa785f2b8b8ee9641544c0b652f0.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
5181d2e71e8e73a82712a483a80aaea94e1efa785f2b8b8ee9641544c0b652f0.exe
Resource
win10v2004-20240226-en
General
-
Target
5181d2e71e8e73a82712a483a80aaea94e1efa785f2b8b8ee9641544c0b652f0
-
Size
959KB
-
MD5
01c9561a15dc451562ba536d8239fa41
-
SHA1
9566de40d3435be6fac364e11d50d67d8a3c8dc4
-
SHA256
5181d2e71e8e73a82712a483a80aaea94e1efa785f2b8b8ee9641544c0b652f0
-
SHA512
42c59fc3052ebcef309bfa2b9824841097cf6e115207da5bd26ccdd273f6382790c83bcd7f666aab045c66fb499d78b377cf4a369b306f1b67e635195f5c4a5b
-
SSDEEP
24576:uLjr3s2nScu1i1tz3f++5kRzFxk7rMxNeR1R9qpdxF:Ujrc2So1Ff+B3k796f
Malware Config
Signatures
-
Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) 1 IoCs
Processes:
resource yara_rule sample INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM -
Detects executables containing anti-forensic artifacts of deleting USN change journal. Observed in ransomware 1 IoCs
Processes:
resource yara_rule sample INDICATOR_SUSPICIOUS_USNDeleteJournal -
Detects executables embedding registry key / value combination indicative of disabling Windows Defender features 1 IoCs
Processes:
resource yara_rule sample INDICATOR_SUSPICIOUS_EXE_RegKeyComb_DisableWinDefender -
Unsigned PE 1 IoCs
Checks for missing Authenticode signature.
Processes:
resource 5181d2e71e8e73a82712a483a80aaea94e1efa785f2b8b8ee9641544c0b652f0
Files
-
5181d2e71e8e73a82712a483a80aaea94e1efa785f2b8b8ee9641544c0b652f0.exe windows:5 windows x86 arch:x86
216df81b1ef7bc2aa8ec52bbeef137c9
Headers
DLL Characteristics
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE
File Characteristics
IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
Imports
shlwapi
PathAppendW
activeds
ord9
ord15
kernel32
CreateProcessW
GetSystemTime
lstrlenW
LocalFree
advapi32
CheckTokenMembership
CreateWellKnownSid
ole32
CoCreateInstance
CoSetProxyBlanket
Sections
.text Size: 896KB - Virtual size: 895KB
IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
.data Size: 62KB - Virtual size: 96KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
.idata Size: 512B - Virtual size: 470B
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ