Analysis

max time kernel: 149s
max time network: 144s
platform: windows7_x64
resource: win7-20231129-en
resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
submitted: 14/03/2024, 14:08
Static task: static1

Behavioral task: behavioral1
  Sample: c8ce4c8f369ecd6d09a8a6b6a6ab4036.exe
  Resource: win7-20231129-en

Behavioral task: behavioral2
  Sample: c8ce4c8f369ecd6d09a8a6b6a6ab4036.exe
  Resource: win10v2004-20240226-en
General

Target: c8ce4c8f369ecd6d09a8a6b6a6ab4036.exe
Size: 328KB
MD5: c8ce4c8f369ecd6d09a8a6b6a6ab4036
SHA1: d57d709bfac190fe1d9f534276807f9a7fb7e80d
SHA256: 26d02628a31361a685324ba26749014c99f2895e65bc78b49358482a5fffb4b2
SHA512: 40c121b4545dfe70461783780934e6e084ced34164db0544db4595a7fa3c16b944c94b0323e787934e85894783698dbf0816e404effb5bdb9e4b108054b1e209
SSDEEP: 6144:BEc828Ea8XDd6GaYDkakxmZQmCkAyYZ9T:BEc8ARz8YDGxm6D5hD
Malware Config
Signatures

Modifies WinLogon for persistence (2 TTPs, 1 IoC)
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,C:\\Users\\Admin\\AppData\\Local\\kdkmfiid\\sjcyploq.exe" | svchost.exe

UAC bypass (1 IoC)
  description | ioc | Process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | svchost.exe

Checks BIOS information in registry (2 TTPs, 1 IoC)
BIOS information is often read in order to detect sandboxing environments.
  description | ioc | Process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | svchost.exe

Drops startup file (2 IoCs)
  description | ioc | Process
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sjcyploq.exe | svchost.exe
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sjcyploq.exe | svchost.exe

Executes dropped EXE (2 IoCs)
  pid | Process
  2192 | c8ce4c8f369ecd6d09a8a6b6a6ab4036mgr.exe
  2696 | kowtrkqakarvnhae.exe

Loads dropped DLL (7 IoCs)
  pid | Process
  2352 | c8ce4c8f369ecd6d09a8a6b6a6ab4036.exe (x2)
  2192 | c8ce4c8f369ecd6d09a8a6b6a6ab4036mgr.exe (x5)

YARA matches (rule: upx)
  resource | yara_rule
  behavioral1/files/0x000900000001447e-1.dat | upx
  behavioral1/memory/2192-12-0x0000000000400000-0x000000000043E000-memory.dmp | upx
  behavioral1/memory/2192-19-0x0000000000400000-0x000000000043E000-memory.dmp | upx
  behavioral1/memory/2192-78-0x0000000000400000-0x000000000043E000-memory.dmp | upx
  behavioral1/memory/2192-98-0x0000000000400000-0x000000000043E000-memory.dmp | upx
  behavioral1/memory/2696-104-0x0000000000400000-0x000000000043E000-memory.dmp | upx

Adds Run key to start application (2 TTPs, 1 IoC)
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\SjcYploq = "C:\\Users\\Admin\\AppData\\Local\\kdkmfiid\\sjcyploq.exe" | svchost.exe

Drops file in System32 directory (1 IoC)
  description | ioc | Process
  File opened for modification | C:\Windows\system32\spool\PRTPROCS\x64\259898.tmp | c8ce4c8f369ecd6d09a8a6b6a6ab4036.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Program crash (1 IoC)
  pid | pid_target | Process | procid_target
  2548 | 2352 | WerFault.exe | 27

Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid | Process
  2124 | svchost.exe (x64)

Suspicious behavior: LoadsDriver (1 IoC)
  pid | Process
  480 | Process not Found

Suspicious use of AdjustPrivilegeToken (64 IoCs)
  description | pid | Process
  Token: SeSecurityPrivilege | 2192 | c8ce4c8f369ecd6d09a8a6b6a6ab4036mgr.exe
  Token: SeDebugPrivilege | 2192 | c8ce4c8f369ecd6d09a8a6b6a6ab4036mgr.exe
  Token: SeSecurityPrivilege | 1704 | svchost.exe
  Token: SeSecurityPrivilege | 2124 | svchost.exe
  Token: SeDebugPrivilege | 2124 | svchost.exe
  Token: SeRestorePrivilege / SeBackupPrivilege (alternating, repeated) | 2124 | svchost.exe
  Token: SeSecurityPrivilege | 2696 | kowtrkqakarvnhae.exe
  Token: SeLoadDriverPrivilege | 2696 | kowtrkqakarvnhae.exe
  Token: SeRestorePrivilege / SeBackupPrivilege (alternating, repeated; 64 entries in total) | 2124 | svchost.exe

Suspicious use of WriteProcessMemory (32 IoCs)
  description | pid | Process | procid_target
  PID 2352 wrote to memory of 2192 (x4) | 2352 | c8ce4c8f369ecd6d09a8a6b6a6ab4036.exe | 28
  PID 2192 wrote to memory of 1704 (x10) | 2192 | c8ce4c8f369ecd6d09a8a6b6a6ab4036mgr.exe | 29
  PID 2352 wrote to memory of 2548 (x4) | 2352 | c8ce4c8f369ecd6d09a8a6b6a6ab4036.exe | 30
  PID 2192 wrote to memory of 2124 (x10) | 2192 | c8ce4c8f369ecd6d09a8a6b6a6ab4036mgr.exe | 31
  PID 2192 wrote to memory of 2696 (x4) | 2192 | c8ce4c8f369ecd6d09a8a6b6a6ab4036mgr.exe | 32
Processes

1. C:\Users\Admin\AppData\Local\Temp\c8ce4c8f369ecd6d09a8a6b6a6ab4036.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\c8ce4c8f369ecd6d09a8a6b6a6ab4036.exe"
   PID: 2352
   - Loads dropped DLL
   - Drops file in System32 directory
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\c8ce4c8f369ecd6d09a8a6b6a6ab4036mgr.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\c8ce4c8f369ecd6d09a8a6b6a6ab4036mgr.exe
      PID: 2192
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\svchost.exe
         Command line: C:\Windows\system32\svchost.exe
         PID: 1704
         - Suspicious use of AdjustPrivilegeToken

      3. C:\Windows\SysWOW64\svchost.exe
         Command line: C:\Windows\system32\svchost.exe
         PID: 2124
         - Modifies WinLogon for persistence
         - UAC bypass
         - Checks BIOS information in registry
         - Drops startup file
         - Adds Run key to start application
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of AdjustPrivilegeToken

      3. C:\Users\Admin\AppData\Local\Temp\kowtrkqakarvnhae.exe
         Command line: "C:\Users\Admin\AppData\Local\Temp\kowtrkqakarvnhae.exe"
         PID: 2696
         - Executes dropped EXE
         - Suspicious use of AdjustPrivilegeToken

   2. C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2352 -s 268
      PID: 2548
      - Program crash
Network
MITRE ATT&CK Enterprise v15

Persistence
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)

Privilege Escalation
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
Downloads

Filesize: 107KB
MD5: 81fb76285084bad225824705f6865a94
SHA1: cb36881ed931102f3f86ebf309069f608f17dc7e
SHA256: 5f1c8013050932e6b70197fbc2216884639ad52d5a9d56a04fffc2408cf43b8b
SHA512: acc66f0dad718609d305f83b6e4ef374a4c3409ae0bb81bc4adea129c19b9259c2dc47796853ad906c96aba33de9fa9fa00a8628f2aca0d3e28cec5d767ced64