Analysis
-
max time kernel
120s -
max time network
121s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
20/09/2024, 04:01
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
f00d363d292d0e9500e055df0d1e95ecab1191070010a34b5a02eb3f5cf6f4b8N.exe
Resource
win7-20240903-en
windows7-x64
6 signatures
120 seconds
Behavioral task
behavioral2
Sample
f00d363d292d0e9500e055df0d1e95ecab1191070010a34b5a02eb3f5cf6f4b8N.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
7 signatures
120 seconds
General
-
Target
f00d363d292d0e9500e055df0d1e95ecab1191070010a34b5a02eb3f5cf6f4b8N.exe
-
Size
326KB
-
MD5
67272bdf9b8d38ee27ede57bef257400
-
SHA1
5547a87222800f91b8d1ca6d88f34abb966099d8
-
SHA256
f00d363d292d0e9500e055df0d1e95ecab1191070010a34b5a02eb3f5cf6f4b8
-
SHA512
041ecafa85349710230753ec135b4e30d3ee7feba2b2e686c4ef101846f0ecf59799b94ccd075be0a1c866404d0f527e97fa1e42da162f880cba648500efd1fa
-
SSDEEP
6144:BBPQHfeHLJDRO6t9RdRzySfBE8Vg9PxB7OniGWuO37yDe4/z:BcQD00Hya0PT7yijF7mBL
Score
10/10
Malware Config
Signatures
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\userinit = "userinit.exe,C:\\Windows\\system32\\ntos.exe," f00d363d292d0e9500e055df0d1e95ecab1191070010a34b5a02eb3f5cf6f4b8N.exe -
Modifies WinLogon 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\pathx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\f00d363d292d0e9500e055df0d1e95ecab1191070010a34b5a02eb3f5cf6f4b8N.exe" f00d363d292d0e9500e055df0d1e95ecab1191070010a34b5a02eb3f5cf6f4b8N.exe -
Drops file in System32 directory 2 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\ntos.exe f00d363d292d0e9500e055df0d1e95ecab1191070010a34b5a02eb3f5cf6f4b8N.exe File created C:\Windows\SysWOW64\ntos.exe f00d363d292d0e9500e055df0d1e95ecab1191070010a34b5a02eb3f5cf6f4b8N.exe -
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language f00d363d292d0e9500e055df0d1e95ecab1191070010a34b5a02eb3f5cf6f4b8N.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 1708 f00d363d292d0e9500e055df0d1e95ecab1191070010a34b5a02eb3f5cf6f4b8N.exe 1708 f00d363d292d0e9500e055df0d1e95ecab1191070010a34b5a02eb3f5cf6f4b8N.exe 1708 f00d363d292d0e9500e055df0d1e95ecab1191070010a34b5a02eb3f5cf6f4b8N.exe 1708 f00d363d292d0e9500e055df0d1e95ecab1191070010a34b5a02eb3f5cf6f4b8N.exe 1708 f00d363d292d0e9500e055df0d1e95ecab1191070010a34b5a02eb3f5cf6f4b8N.exe 1708 f00d363d292d0e9500e055df0d1e95ecab1191070010a34b5a02eb3f5cf6f4b8N.exe 1708 f00d363d292d0e9500e055df0d1e95ecab1191070010a34b5a02eb3f5cf6f4b8N.exe 1708 f00d363d292d0e9500e055df0d1e95ecab1191070010a34b5a02eb3f5cf6f4b8N.exe 1708 f00d363d292d0e9500e055df0d1e95ecab1191070010a34b5a02eb3f5cf6f4b8N.exe 1708 f00d363d292d0e9500e055df0d1e95ecab1191070010a34b5a02eb3f5cf6f4b8N.exe 1708 f00d363d292d0e9500e055df0d1e95ecab1191070010a34b5a02eb3f5cf6f4b8N.exe 1708 f00d363d292d0e9500e055df0d1e95ecab1191070010a34b5a02eb3f5cf6f4b8N.exe 1708 f00d363d292d0e9500e055df0d1e95ecab1191070010a34b5a02eb3f5cf6f4b8N.exe 1708 f00d363d292d0e9500e055df0d1e95ecab1191070010a34b5a02eb3f5cf6f4b8N.exe 1708 f00d363d292d0e9500e055df0d1e95ecab1191070010a34b5a02eb3f5cf6f4b8N.exe 1708 f00d363d292d0e9500e055df0d1e95ecab1191070010a34b5a02eb3f5cf6f4b8N.exe 1708 f00d363d292d0e9500e055df0d1e95ecab1191070010a34b5a02eb3f5cf6f4b8N.exe 1708 f00d363d292d0e9500e055df0d1e95ecab1191070010a34b5a02eb3f5cf6f4b8N.exe 1708 f00d363d292d0e9500e055df0d1e95ecab1191070010a34b5a02eb3f5cf6f4b8N.exe 1708 f00d363d292d0e9500e055df0d1e95ecab1191070010a34b5a02eb3f5cf6f4b8N.exe 1708 f00d363d292d0e9500e055df0d1e95ecab1191070010a34b5a02eb3f5cf6f4b8N.exe 1708 f00d363d292d0e9500e055df0d1e95ecab1191070010a34b5a02eb3f5cf6f4b8N.exe 1708 f00d363d292d0e9500e055df0d1e95ecab1191070010a34b5a02eb3f5cf6f4b8N.exe 1708 f00d363d292d0e9500e055df0d1e95ecab1191070010a34b5a02eb3f5cf6f4b8N.exe 1708 f00d363d292d0e9500e055df0d1e95ecab1191070010a34b5a02eb3f5cf6f4b8N.exe 1708 f00d363d292d0e9500e055df0d1e95ecab1191070010a34b5a02eb3f5cf6f4b8N.exe 1708 f00d363d292d0e9500e055df0d1e95ecab1191070010a34b5a02eb3f5cf6f4b8N.exe 1708 f00d363d292d0e9500e055df0d1e95ecab1191070010a34b5a02eb3f5cf6f4b8N.exe 1708 f00d363d292d0e9500e055df0d1e95ecab1191070010a34b5a02eb3f5cf6f4b8N.exe 1708 f00d363d292d0e9500e055df0d1e95ecab1191070010a34b5a02eb3f5cf6f4b8N.exe 1708 f00d363d292d0e9500e055df0d1e95ecab1191070010a34b5a02eb3f5cf6f4b8N.exe 1708 f00d363d292d0e9500e055df0d1e95ecab1191070010a34b5a02eb3f5cf6f4b8N.exe 1708 f00d363d292d0e9500e055df0d1e95ecab1191070010a34b5a02eb3f5cf6f4b8N.exe 1708 f00d363d292d0e9500e055df0d1e95ecab1191070010a34b5a02eb3f5cf6f4b8N.exe 1708 f00d363d292d0e9500e055df0d1e95ecab1191070010a34b5a02eb3f5cf6f4b8N.exe 1708 f00d363d292d0e9500e055df0d1e95ecab1191070010a34b5a02eb3f5cf6f4b8N.exe 1708 f00d363d292d0e9500e055df0d1e95ecab1191070010a34b5a02eb3f5cf6f4b8N.exe 1708 f00d363d292d0e9500e055df0d1e95ecab1191070010a34b5a02eb3f5cf6f4b8N.exe 1708 f00d363d292d0e9500e055df0d1e95ecab1191070010a34b5a02eb3f5cf6f4b8N.exe 1708 f00d363d292d0e9500e055df0d1e95ecab1191070010a34b5a02eb3f5cf6f4b8N.exe 1708 f00d363d292d0e9500e055df0d1e95ecab1191070010a34b5a02eb3f5cf6f4b8N.exe 1708 f00d363d292d0e9500e055df0d1e95ecab1191070010a34b5a02eb3f5cf6f4b8N.exe 1708 f00d363d292d0e9500e055df0d1e95ecab1191070010a34b5a02eb3f5cf6f4b8N.exe 1708 f00d363d292d0e9500e055df0d1e95ecab1191070010a34b5a02eb3f5cf6f4b8N.exe 1708 f00d363d292d0e9500e055df0d1e95ecab1191070010a34b5a02eb3f5cf6f4b8N.exe 1708 f00d363d292d0e9500e055df0d1e95ecab1191070010a34b5a02eb3f5cf6f4b8N.exe 1708 f00d363d292d0e9500e055df0d1e95ecab1191070010a34b5a02eb3f5cf6f4b8N.exe 1708 f00d363d292d0e9500e055df0d1e95ecab1191070010a34b5a02eb3f5cf6f4b8N.exe 1708 f00d363d292d0e9500e055df0d1e95ecab1191070010a34b5a02eb3f5cf6f4b8N.exe 1708 f00d363d292d0e9500e055df0d1e95ecab1191070010a34b5a02eb3f5cf6f4b8N.exe 1708 f00d363d292d0e9500e055df0d1e95ecab1191070010a34b5a02eb3f5cf6f4b8N.exe 1708 f00d363d292d0e9500e055df0d1e95ecab1191070010a34b5a02eb3f5cf6f4b8N.exe 1708 f00d363d292d0e9500e055df0d1e95ecab1191070010a34b5a02eb3f5cf6f4b8N.exe 1708 f00d363d292d0e9500e055df0d1e95ecab1191070010a34b5a02eb3f5cf6f4b8N.exe 1708 f00d363d292d0e9500e055df0d1e95ecab1191070010a34b5a02eb3f5cf6f4b8N.exe 1708 f00d363d292d0e9500e055df0d1e95ecab1191070010a34b5a02eb3f5cf6f4b8N.exe 1708 f00d363d292d0e9500e055df0d1e95ecab1191070010a34b5a02eb3f5cf6f4b8N.exe 1708 f00d363d292d0e9500e055df0d1e95ecab1191070010a34b5a02eb3f5cf6f4b8N.exe 1708 f00d363d292d0e9500e055df0d1e95ecab1191070010a34b5a02eb3f5cf6f4b8N.exe 1708 f00d363d292d0e9500e055df0d1e95ecab1191070010a34b5a02eb3f5cf6f4b8N.exe 1708 f00d363d292d0e9500e055df0d1e95ecab1191070010a34b5a02eb3f5cf6f4b8N.exe 1708 f00d363d292d0e9500e055df0d1e95ecab1191070010a34b5a02eb3f5cf6f4b8N.exe 1708 f00d363d292d0e9500e055df0d1e95ecab1191070010a34b5a02eb3f5cf6f4b8N.exe 1708 f00d363d292d0e9500e055df0d1e95ecab1191070010a34b5a02eb3f5cf6f4b8N.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 1708 f00d363d292d0e9500e055df0d1e95ecab1191070010a34b5a02eb3f5cf6f4b8N.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\f00d363d292d0e9500e055df0d1e95ecab1191070010a34b5a02eb3f5cf6f4b8N.exe"C:\Users\Admin\AppData\Local\Temp\f00d363d292d0e9500e055df0d1e95ecab1191070010a34b5a02eb3f5cf6f4b8N.exe"1⤵
- Modifies WinLogon for persistence
- Modifies WinLogon
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1708