Analysis
-
max time kernel
146s -
max time network
147s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system -
submitted
01-10-2024 07:03
Behavioral task
behavioral1
Sample
MIS.exe
Resource
win7-20240708-en
windows7-x64
8 signatures
150 seconds
General
-
Target
MIS.exe
-
Size
202KB
-
MD5
77a6bdfb5bbcb7946fe9b601afcc39e7
-
SHA1
f1d08b43eb1936922f4999b789f37b7124ec630c
-
SHA256
64ce422b18dfaf9ca531f509ed4d05a47433e9ff468de8cfda06fb3bc85f80a4
-
SHA512
ac02ce92fb3c820b6b1e58be26762a6ba976a6a69523898df942a794cb4abb1dbc667454bc0aea7e9c597ee1ce05e4e6fb6bdb9a6b226a512c0d92f0fa59b9ba
-
SSDEEP
3072:QzEqV6B1jHa6dtJ10jgvzcgi+oG/j9iaMP2s/HIrccsD6RA5E3bKKiCf3e0kYrOd:QLV6Bta6dtJmakIM5Bcs8A5ELiUfoB
Malware Config
Signatures
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
MIS.exedescription ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\PCI Manager = "C:\\Program Files (x86)\\PCI Manager\\pcimgr.exe" MIS.exe -
Processes:
MIS.exedescription ioc Process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA MIS.exe -
Drops file in Program Files directory 2 IoCs
Processes:
MIS.exedescription ioc Process File created C:\Program Files (x86)\PCI Manager\pcimgr.exe MIS.exe File opened for modification C:\Program Files (x86)\PCI Manager\pcimgr.exe MIS.exe -
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
MIS.exedescription ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language MIS.exe -
Suspicious behavior: EnumeratesProcesses 3 IoCs
Processes:
MIS.exepid Process 1380 MIS.exe 1380 MIS.exe 1380 MIS.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
MIS.exepid Process 1380 MIS.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
MIS.exedescription pid Process Token: SeDebugPrivilege 1380 MIS.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\MIS.exe"C:\Users\Admin\AppData\Local\Temp\MIS.exe"1⤵
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:1380