Static task
static1
Behavioral task
behavioral1
Sample
54b45f35926b12f7853e4854ae1d0a233ba1817451450d9b9fdf4e9b1412024f.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
54b45f35926b12f7853e4854ae1d0a233ba1817451450d9b9fdf4e9b1412024f.exe
Resource
win10v2004-20240226-en
General
-
Target
54b45f35926b12f7853e4854ae1d0a233ba1817451450d9b9fdf4e9b1412024f
-
Size
959KB
-
MD5
0ee7386109b1f3596ae62735cf53f6b3
-
SHA1
0a67f0154a003fd06597a28dd2fd3e2f63b333b7
-
SHA256
54b45f35926b12f7853e4854ae1d0a233ba1817451450d9b9fdf4e9b1412024f
-
SHA512
dbc5f19de20129121c3c8ba6d3230198272a150023a7ec896bec14c2d33c6ed49cb6fc5dbb19250674e763a9e3f2f9dad4badffd9fe712a97b1c36c0d1291a73
-
SSDEEP
24576:uLjr3s2nScu1i1tz3f++5kRzFxk7rMxNeR1R9qpdtF:Ujrc2So1Ff+B3k796L
Malware Config
Signatures
-
Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) 1 IoCs
Processes:
resource yara_rule sample INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM -
Detects executables containing anti-forensic artifacts of deleting USN change journal. Observed in ransomware 1 IoCs
Processes:
resource yara_rule sample INDICATOR_SUSPICIOUS_USNDeleteJournal -
Detects executables embedding registry key / value combination indicative of disabling Windows Defender features 1 IoCs
Processes:
resource yara_rule sample INDICATOR_SUSPICIOUS_EXE_RegKeyComb_DisableWinDefender -
Unsigned PE 1 IoCs
Checks for missing Authenticode signature.
Processes:
resource 54b45f35926b12f7853e4854ae1d0a233ba1817451450d9b9fdf4e9b1412024f
Files
-
54b45f35926b12f7853e4854ae1d0a233ba1817451450d9b9fdf4e9b1412024f.exe windows:5 windows x86 arch:x86
216df81b1ef7bc2aa8ec52bbeef137c9
Headers
DLL Characteristics
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE
File Characteristics
IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
Imports
shlwapi
PathAppendW
activeds
ord9
ord15
kernel32
CreateProcessW
GetSystemTime
lstrlenW
LocalFree
advapi32
CheckTokenMembership
CreateWellKnownSid
ole32
CoCreateInstance
CoSetProxyBlanket
Sections
.text Size: 896KB - Virtual size: 895KB
IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
.data Size: 62KB - Virtual size: 96KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
.idata Size: 512B - Virtual size: 470B
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ