Analysis
-
max time kernel
121s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system -
submitted
01-10-2024 01:46
Behavioral task
behavioral1
Sample
MIS.exe
Resource
win7-20240708-en
General
-
Target
MIS.exe
-
Size
202KB
-
MD5
77a6bdfb5bbcb7946fe9b601afcc39e7
-
SHA1
f1d08b43eb1936922f4999b789f37b7124ec630c
-
SHA256
64ce422b18dfaf9ca531f509ed4d05a47433e9ff468de8cfda06fb3bc85f80a4
-
SHA512
ac02ce92fb3c820b6b1e58be26762a6ba976a6a69523898df942a794cb4abb1dbc667454bc0aea7e9c597ee1ce05e4e6fb6bdb9a6b226a512c0d92f0fa59b9ba
-
SSDEEP
3072:QzEqV6B1jHa6dtJ10jgvzcgi+oG/j9iaMP2s/HIrccsD6RA5E3bKKiCf3e0kYrOd:QLV6Bta6dtJmakIM5Bcs8A5ELiUfoB
Malware Config
Signatures
-
Deletes itself 1 IoCs
Processes:
cmd.exepid Process 2756 cmd.exe -
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
MIS.exedescription ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\UDP Service = "C:\\Program Files (x86)\\UDP Service\\udpsv.exe" MIS.exe -
Processes:
MIS.exedescription ioc Process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA MIS.exe -
Drops file in Program Files directory 2 IoCs
Processes:
MIS.exedescription ioc Process File opened for modification C:\Program Files (x86)\UDP Service\udpsv.exe MIS.exe File created C:\Program Files (x86)\UDP Service\udpsv.exe MIS.exe -
System Location Discovery: System Language Discovery 1 TTPs 6 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
MIS.exeschtasks.exeschtasks.execmd.exetaskkill.exePING.EXEdescription ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language MIS.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language schtasks.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language schtasks.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language PING.EXE -
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs
Adversaries may check for Internet connectivity on compromised systems.
Processes:
PING.EXEcmd.exepid Process 1636 PING.EXE 2756 cmd.exe -
Kills process with taskkill 1 IoCs
Processes:
taskkill.exepid Process 2600 taskkill.exe -
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 6 IoCs
Processes:
MIS.exepid Process 2524 MIS.exe 2524 MIS.exe 2524 MIS.exe 2524 MIS.exe 2524 MIS.exe 2524 MIS.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
MIS.exepid Process 2524 MIS.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
MIS.exetaskkill.exedescription pid Process Token: SeDebugPrivilege 2524 MIS.exe Token: SeDebugPrivilege 2524 MIS.exe Token: SeDebugPrivilege 2600 taskkill.exe -
Suspicious use of WriteProcessMemory 20 IoCs
Processes:
MIS.execmd.exedescription pid Process procid_target PID 2524 wrote to memory of 2828 2524 MIS.exe 31 PID 2524 wrote to memory of 2828 2524 MIS.exe 31 PID 2524 wrote to memory of 2828 2524 MIS.exe 31 PID 2524 wrote to memory of 2828 2524 MIS.exe 31 PID 2524 wrote to memory of 2844 2524 MIS.exe 33 PID 2524 wrote to memory of 2844 2524 MIS.exe 33 PID 2524 wrote to memory of 2844 2524 MIS.exe 33 PID 2524 wrote to memory of 2844 2524 MIS.exe 33 PID 2524 wrote to memory of 2756 2524 MIS.exe 35 PID 2524 wrote to memory of 2756 2524 MIS.exe 35 PID 2524 wrote to memory of 2756 2524 MIS.exe 35 PID 2524 wrote to memory of 2756 2524 MIS.exe 35 PID 2756 wrote to memory of 2600 2756 cmd.exe 37 PID 2756 wrote to memory of 2600 2756 cmd.exe 37 PID 2756 wrote to memory of 2600 2756 cmd.exe 37 PID 2756 wrote to memory of 2600 2756 cmd.exe 37 PID 2756 wrote to memory of 1636 2756 cmd.exe 39 PID 2756 wrote to memory of 1636 2756 cmd.exe 39 PID 2756 wrote to memory of 1636 2756 cmd.exe 39 PID 2756 wrote to memory of 1636 2756 cmd.exe 39
Processes
-
C:\Users\Admin\AppData\Local\Temp\MIS.exe"C:\Users\Admin\AppData\Local\Temp\MIS.exe"1⤵
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2524 -
C:\Windows\SysWOW64\schtasks.exe"schtasks.exe" /delete /f /tn "UDP Service"2⤵
- System Location Discovery: System Language Discovery
PID:2828
-
-
C:\Windows\SysWOW64\schtasks.exe"schtasks.exe" /delete /f /tn "UDP Service Task"2⤵
- System Location Discovery: System Language Discovery
PID:2844
-
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /C taskkill /f /im "MIS.exe" & ping -n 1 -w 3000 1.1.1.1 & type nul > "C:\Users\Admin\AppData\Local\Temp\MIS.exe" & del /f /q "C:\Users\Admin\AppData\Local\Temp\MIS.exe"2⤵
- Deletes itself
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Suspicious use of WriteProcessMemory
PID:2756 -
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im "MIS.exe"3⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2600
-
-
C:\Windows\SysWOW64\PING.EXEping -n 1 -w 3000 1.1.1.13⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:1636
-
-
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1