Static task
static1
Behavioral task
behavioral1
Sample
b9d3d54532bcc21e9b05754ae0a2f81df5434e4dfd1fcbc840e5466ca38d3060.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
b9d3d54532bcc21e9b05754ae0a2f81df5434e4dfd1fcbc840e5466ca38d3060.exe
Resource
win10v2004-20240226-en
General
-
Target
b9d3d54532bcc21e9b05754ae0a2f81df5434e4dfd1fcbc840e5466ca38d3060
-
Size
959KB
-
MD5
1e9e399b7a31cc85062cb039bae72a44
-
SHA1
3702b81069cbb9251be59f85d25c54b55443ae72
-
SHA256
b9d3d54532bcc21e9b05754ae0a2f81df5434e4dfd1fcbc840e5466ca38d3060
-
SHA512
edf2c5cc11d564b40850e1741eec8477d90e55304d1bc08646c826f100877ae71057e8fbd4b1df164d67e891c826f30be1127d7d9a8dced09dafad7693031a9a
-
SSDEEP
24576:uLjr3s2nScu1i1tz3f++5kRzFxk7rMxNeR1R9qpdxF:Ujrc2So1Ff+B3k796n
Malware Config
Signatures
-
Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) 1 IoCs
Processes:
resource yara_rule sample INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM -
Detects executables containing anti-forensic artifacts of deleting USN change journal. Observed in ransomware 1 IoCs
Processes:
resource yara_rule sample INDICATOR_SUSPICIOUS_USNDeleteJournal -
Detects executables embedding registry key / value combination indicative of disabling Windows Defender features 1 IoCs
Processes:
resource yara_rule sample INDICATOR_SUSPICIOUS_EXE_RegKeyComb_DisableWinDefender -
Unsigned PE 1 IoCs
Checks for missing Authenticode signature.
Processes:
resource b9d3d54532bcc21e9b05754ae0a2f81df5434e4dfd1fcbc840e5466ca38d3060
Files
-
b9d3d54532bcc21e9b05754ae0a2f81df5434e4dfd1fcbc840e5466ca38d3060.exe windows:5 windows x86 arch:x86
216df81b1ef7bc2aa8ec52bbeef137c9
Headers
DLL Characteristics
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE
File Characteristics
IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
Imports
shlwapi
PathAppendW
activeds
ord9
ord15
kernel32
CreateProcessW
GetSystemTime
lstrlenW
LocalFree
advapi32
CheckTokenMembership
CreateWellKnownSid
ole32
CoCreateInstance
CoSetProxyBlanket
Sections
.text Size: 896KB - Virtual size: 895KB
IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
.data Size: 62KB - Virtual size: 96KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
.idata Size: 512B - Virtual size: 470B
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ