Analysis
max time kernel: 121s
max time network: 122s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 14-11-2024 08:59
Static task: static1
Behavioral task: behavioral1
Sample: b2f9c3002820fa654f514db1779c55a606ec8c164b744aacb9e886a7e1e7c4d9.exe
Resource: win7-20240903-en
Behavioral task: behavioral2
Sample: b2f9c3002820fa654f514db1779c55a606ec8c164b744aacb9e886a7e1e7c4d9.exe
Resource: win10v2004-20241007-en
General
Target: b2f9c3002820fa654f514db1779c55a606ec8c164b744aacb9e886a7e1e7c4d9.exe
Size: 273KB
MD5: 5523f28f2224dde8d74286b09146bb47
SHA1: 6bb034d638fcb055bf59afa3e93ac8dce25a3cf5
SHA256: b2f9c3002820fa654f514db1779c55a606ec8c164b744aacb9e886a7e1e7c4d9
SHA512: 1d5b06d513befaae50e34493b0daa197fb9e4adb876db99aa1766026dad8e6004b24659de71763be47a31b1049c394b0876a7d3846d7827d2c0584deffdab1d0
SSDEEP: 6144:+nNuJp9FtYk5k3uZElT63edWRK9Izm/sHgo2TW:+nMp9AYqtoKapHgo2a
Malware Config
Signatures

Drops file in Drivers directory (1 IoC)
Process: svchost.exe
  File opened for modification: C:\Windows\system32\drivers\etc\hosts (svchost.exe)

Drops startup file (1 IoC)
Process: b2f9c3002820fa654f514db1779c55a606ec8c164b744aacb9e886a7e1e7c4d9.exe
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Chrome.lnk (b2f9c3002820fa654f514db1779c55a606ec8c164b744aacb9e886a7e1e7c4d9.exe)

Loads dropped DLL (1 IoC)
Process: b2f9c3002820fa654f514db1779c55a606ec8c164b744aacb9e886a7e1e7c4d9.exe (PID 2096)

Adds Run key to start application (2 TTPs, 1 IoC)
Process: b2f9c3002820fa654f514db1779c55a606ec8c164b744aacb9e886a7e1e7c4d9.exe
  Set value (str): \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Users\\Admin\\AppData\\Roaming\\FAF27FEB3947465854224\\FAF27FEB3947465854224.exe" (b2f9c3002820fa654f514db1779c55a606ec8c164b744aacb9e886a7e1e7c4d9.exe)

Suspicious use of SetThreadContext (1 IoC)
Process: b2f9c3002820fa654f514db1779c55a606ec8c164b744aacb9e886a7e1e7c4d9.exe
  PID 2096 set thread context of 2452 (pid 2096, b2f9c3002820fa654f514db1779c55a606ec8c164b744aacb9e886a7e1e7c4d9.exe, procid_target 30)

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: EnumeratesProcesses (11 IoCs)
Process: svchost.exe (PID 2452), 11 occurrences

Suspicious use of AdjustPrivilegeToken (20 IoCs)
Process: b2f9c3002820fa654f514db1779c55a606ec8c164b744aacb9e886a7e1e7c4d9.exe (PID 2096) adjusted the following token privileges:
  SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35

Suspicious use of WriteProcessMemory (7 IoCs)
Processes: b2f9c3002820fa654f514db1779c55a606ec8c164b744aacb9e886a7e1e7c4d9.exe, svchost.exe
  PID 2096 wrote to memory of 2452 (b2f9c3002820fa654f514db1779c55a606ec8c164b744aacb9e886a7e1e7c4d9.exe, procid_target 30), 4 occurrences
  PID 2452 wrote to memory of 2980 (svchost.exe, procid_target 31), 3 occurrences
Processes

C:\Users\Admin\AppData\Local\Temp\b2f9c3002820fa654f514db1779c55a606ec8c164b744aacb9e886a7e1e7c4d9.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\b2f9c3002820fa654f514db1779c55a606ec8c164b744aacb9e886a7e1e7c4d9.exe"
  PID: 2096
  - Drops startup file
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  Child: C:\Windows\system32\svchost.exe
    Command line: C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
    PID: 2452
    - Drops file in Drivers directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory

    Child: C:\Windows\system32\WerFault.exe
      Command line: C:\Windows\system32\WerFault.exe -u -p 2452 -s 224
      PID: 2980
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 1KB
MD5: c55e7b590134bae106d2d8170affe162
SHA1: 13b61495d4b1460ecb770e42a923c880a73ad692
SHA256: 5d4c55ac6c8371c79f94a81c1e53fa50b0fa4231cda0fc9d93892739c723c7e7
SHA512: 99162c8512811021c31c98cffe306b3badd07e779ac73d6da16e16d7597c1c8112b1a78dc33a27f717b13333bedf6a804a757e5030f653aeea41a338492c9e27

Filesize: 273KB
MD5: 5523f28f2224dde8d74286b09146bb47
SHA1: 6bb034d638fcb055bf59afa3e93ac8dce25a3cf5
SHA256: b2f9c3002820fa654f514db1779c55a606ec8c164b744aacb9e886a7e1e7c4d9
SHA512: 1d5b06d513befaae50e34493b0daa197fb9e4adb876db99aa1766026dad8e6004b24659de71763be47a31b1049c394b0876a7d3846d7827d2c0584deffdab1d0