Analysis
-
max time kernel
140s -
max time network
124s -
platform
windows7_x64 -
resource
win7-20240220-en -
resource tags
arch:x64 arch:x86 image:win7-20240220-en locale:en-us os:windows7-x64 system -
submitted
11/06/2024, 01:21
Behavioral task
behavioral1
Sample
a2c2f1af77167fa63571f489ed6e1f0ad7b75cd80674f9f878e5d2aaf5ca8a08.exe
Resource
win7-20240220-en
Behavioral task
behavioral2
Sample
a2c2f1af77167fa63571f489ed6e1f0ad7b75cd80674f9f878e5d2aaf5ca8a08.exe
Resource
win10v2004-20240426-en
General
-
Target
a2c2f1af77167fa63571f489ed6e1f0ad7b75cd80674f9f878e5d2aaf5ca8a08.exe
-
Size
2.8MB
-
MD5
973e36dd6378df46463c4e34fe906c43
-
SHA1
9ae615e31756781a00a01c05f7d3f07d9450bb6f
-
SHA256
a2c2f1af77167fa63571f489ed6e1f0ad7b75cd80674f9f878e5d2aaf5ca8a08
-
SHA512
f3fa89b7e81acd3cf5ad20cbcc502f371c0f012aeb224d8a44c48f06d32bb94c5abb374c7325f725a40c77f6b35418896317903d31a235491a12b6a0bdbd069c
-
SSDEEP
49152:pMbF/erpC5YF2AFldkUxathDtiAIJG9cEVJRzmygWdQ+sqaxX+PK1atmcURRzikg:iBcVXkjgAImVrzTgpqQ+PhDUyYdRUeU
Malware Config
Signatures
-
UPX dump on OEP (original entry point) 3 IoCs
resource yara_rule
behavioral1/memory/2368-0-0x0000000000400000-0x0000000000854000-memory.dmp UPX
behavioral1/memory/2368-32-0x0000000000400000-0x0000000000854000-memory.dmp UPX
behavioral1/memory/2368-35-0x0000000000400000-0x0000000000854000-memory.dmp UPX
-
Loads dropped DLL 1 IoCs
pid Process
2368 a2c2f1af77167fa63571f489ed6e1f0ad7b75cd80674f9f878e5d2aaf5ca8a08.exe
-
resource yara_rule
behavioral1/memory/2368-0-0x0000000000400000-0x0000000000854000-memory.dmp upx
behavioral1/memory/2368-32-0x0000000000400000-0x0000000000854000-memory.dmp upx
behavioral1/memory/2368-35-0x0000000000400000-0x0000000000854000-memory.dmp upx
-
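All six UPX YARA hits above cover the same region, 0x400000-0x854000, i.e. 0x454000 bytes, which is larger than the 2.8MB file on disk, as expected once a packed image has been expanded in memory. The Python below is an added example and is not part of this report or of the sandbox's tooling: it reads a PE section table with the standard library only, flags the structural UPX layout (default UPX section names, a first section that is empty on disk but large in memory, and an entry point that sits in a later section so the stub can jump back to the OEP in the first one), and checks whether a sandbox dump range is exactly ImageBase through ImageBase + SizeOfImage. The PE it parses is constructed by build_fake_pe() to mimic that layout; its section sizes, RVAs and entry point are assumptions for the example, not values taken from the sample's headers.

```python
"""Added example: minimal PE section-table reader for spotting the UPX packing
layout and sanity-checking a sandbox memory-dump range against the PE headers.
The PE produced by build_fake_pe() is constructed for this example only."""
import struct

# Section names UPX writes unless the packer is told to rename them.
UPX_SECTION_NAMES = {b"UPX0", b"UPX1", b"UPX2"}


def parse_pe(data: bytes) -> dict:
    """Read ImageBase, SizeOfImage, entry point and the section table of a PE32/PE32+ file."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    _, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    opt = e_lfanew + 24
    magic = struct.unpack_from("<H", data, opt)[0]
    entry = struct.unpack_from("<I", data, opt + 16)[0]
    if magic == 0x10B:                                   # PE32
        image_base = struct.unpack_from("<I", data, opt + 28)[0]
    elif magic == 0x20B:                                 # PE32+
        image_base = struct.unpack_from("<Q", data, opt + 24)[0]
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    size_of_image = struct.unpack_from("<I", data, opt + 56)[0]  # same offset in both formats
    sections = []
    for i in range(nsections):
        name, vsize, rva, raw_size, raw_ptr, _, _, _, _, chars = struct.unpack_from(
            "<8sIIIIIIHHI", data, opt + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0"), "virtual_size": vsize, "rva": rva,
                         "raw_size": raw_size, "raw_ptr": raw_ptr, "characteristics": chars})
    return {"image_base": image_base, "size_of_image": size_of_image,
            "entry_point": entry, "sections": sections}


def section_for_rva(sections, rva):
    """Name of the section whose virtual range contains rva, or None."""
    for s in sections:
        if s["rva"] <= rva < s["rva"] + s["virtual_size"]:
            return s["name"]
    return None


def upx_indicators(pe: dict) -> dict:
    """Structural signs of UPX packing; the last two do not depend on section names."""
    secs = pe["sections"]
    first = secs[0] if secs else None
    entry_section = section_for_rva(secs, pe["entry_point"])
    return {
        "upx_section_names": any(s["name"] in UPX_SECTION_NAMES for s in secs),
        # UPX0 is the unpack destination: large virtual size, zero bytes on disk
        "first_section_empty_on_disk": first is not None
        and first["raw_size"] == 0 and first["virtual_size"] > 0,
        # the packed entry point (decompression stub) lives in a later section and
        # jumps back into the first section at the OEP once unpacking is done
        "entry_outside_first_section": first is not None
        and entry_section not in (None, first["name"]),
    }


def dump_range_matches_image(pe: dict, start: int, end: int) -> bool:
    """True when a sandbox memory-dump range is exactly the mapped image."""
    return start == pe["image_base"] and end == pe["image_base"] + pe["size_of_image"]


def build_fake_pe(image_base, size_of_image, entry_point, sections):
    """Construct a header-only PE32 for testing; sections = (name, vsize, rva, raw_size, raw_ptr)."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)       # e_lfanew: PE header right after the DOS header
    opt_size = 0xE0                                # PE32 optional header size
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)
    struct.pack_into("<I", opt, 16, entry_point)
    struct.pack_into("<I", opt, 28, image_base)
    struct.pack_into("<I", opt, 56, size_of_image)
    table = b"".join(
        struct.pack("<8sIIIIIIHHI", n.ljust(8, b"\0"), vs, rva, rs, rp, 0, 0, 0, 0, 0xE0000060)
        for n, vs, rva, rs, rp in sections)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table


# Constructed sample in the classic UPX layout (assumed numbers); the dump range is the page's.
SAMPLE_PE = build_fake_pe(
    image_base=0x400000, size_of_image=0x454000, entry_point=0x44F000,
    sections=[(b"UPX0", 0x300000, 0x1000, 0, 0),
              (b"UPX1", 0x150000, 0x301000, 0x14E000, 0x400),
              (b".rsrc", 0x3000, 0x451000, 0x3000, 0x14E400)])
DUMP_RANGE = (0x400000, 0x854000)

if __name__ == "__main__":
    pe = parse_pe(SAMPLE_PE)
    print(upx_indicators(pe))
    print("dump range covers the whole image:", dump_range_matches_image(pe, *DUMP_RANGE))
```

Run against a real dropped or dumped PE, the same checks tell you whether a "dump on OEP" region is the full image (compare the sandbox's start and end addresses with ImageBase and SizeOfImage) and whether the on-disk file still has the packed layout; renamed sections defeat only the name check, not the two structural ones.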
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 a2c2f1af77167fa63571f489ed6e1f0ad7b75cd80674f9f878e5d2aaf5ca8a08.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz a2c2f1af77167fa63571f489ed6e1f0ad7b75cd80674f9f878e5d2aaf5ca8a08.exe
-
Suspicious use of AdjustPrivilegeToken 28 IoCs
description pid Process
Token: 33 2368 a2c2f1af77167fa63571f489ed6e1f0ad7b75cd80674f9f878e5d2aaf5ca8a08.exe
Token: SeIncBasePriorityPrivilege 2368 a2c2f1af77167fa63571f489ed6e1f0ad7b75cd80674f9f878e5d2aaf5ca8a08.exe
(this pair of entries is repeated 14 times in the report, 28 IoCs in total, all for pid 2368)
-
Suspicious use of FindShellTrayWindow 1 IoCs
pid Process
2368 a2c2f1af77167fa63571f489ed6e1f0ad7b75cd80674f9f878e5d2aaf5ca8a08.exe
-
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process
2368 a2c2f1af77167fa63571f489ed6e1f0ad7b75cd80674f9f878e5d2aaf5ca8a08.exe
Processes
-
1. C:\Users\Admin\AppData\Local\Temp\a2c2f1af77167fa63571f489ed6e1f0ad7b75cd80674f9f878e5d2aaf5ca8a08.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\a2c2f1af77167fa63571f489ed6e1f0ad7b75cd80674f9f878e5d2aaf5ca8a08.exe"
- Loads dropped DLL
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:2368
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
112KB
MD5 e9ac480b94efda969c718471736b2709
SHA1 2ef07c2d084cc5ce3c9cd786e3edd1edfbbba6a7
SHA256 faf91da49435b41dba357e90f991543d6845ad56afa150a233386ac08c07b37a
SHA512 9c3c3e04604e7cb0220cbff931876e8321cc397009f6d7d3a89376ac9af4914a5bd7c92738eb7a26feca2c6a25eb2c60b62c503146ce5aadab0f4158e3ae32be