Analysis
-
max time kernel
141s -
max time network
141s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
21-11-2024 07:40
Behavioral task
behavioral1
Sample
W4.7.exe
Resource
win7-20240729-en
Behavioral task
behavioral2
Sample
W4.7.exe
Resource
win10v2004-20241007-en
General
-
Target
W4.7.exe
-
Size
48KB
-
MD5
140fed31d72907557abf8cf78fc5ea0c
-
SHA1
2a8f6cab09d472253d857fed3b3fc0f22a0045da
-
SHA256
f1ba1c4001946a9008940deca301c236a8114457dd06e466274503ed324eb3f4
-
SHA512
f16bbf6c5b8813b0e8e605c7aa42979ca23e34bc3fcccbaabab9e2fcc210667d4f8baffada74446c6047661973a67d176820890de72a3066f1692361ecacef14
-
SSDEEP
1536:6625Dpcpnwwb6Xmg/lS/9UbzR4jDUsTl7Lfnouy8:664DCzUdMUbzR4n3Tl7Tout
Malware Config
Signatures
-
Processes:
ssrwng.exeW4.7.exedescription ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" ssrwng.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" W4.7.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" W4.7.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" ssrwng.exe -
Processes:
ssrwng.exeW4.7.exedescription ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "0" ssrwng.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "0" W4.7.exe -
Executes dropped EXE 1 IoCs
Processes:
ssrwng.exepid Process 3860 ssrwng.exe -
Processes:
ssrwng.exeW4.7.exedescription ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "0" ssrwng.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "0" W4.7.exe -
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
W4.7.exedescription ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ssrwng.exe = "C:\\Windows\\WindowsUpdata\\ssrwng.exe" W4.7.exe -
Processes:
W4.7.exessrwng.exedescription ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" W4.7.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" ssrwng.exe -
Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
-
Processes:
resource yara_rule behavioral2/memory/1052-0-0x0000000000400000-0x0000000000425000-memory.dmp upx behavioral2/files/0x0008000000023c9e-4.dat upx behavioral2/memory/3860-6-0x0000000000400000-0x0000000000425000-memory.dmp upx behavioral2/memory/1052-7-0x0000000000400000-0x0000000000425000-memory.dmp upx behavioral2/memory/3860-8-0x0000000000400000-0x0000000000425000-memory.dmp upx behavioral2/memory/1052-13-0x0000000000400000-0x0000000000425000-memory.dmp upx -
Drops file in Windows directory 4 IoCs
Processes:
W4.7.exessrwng.exedescription ioc Process File created C:\Windows\WindowsUpdata\.temp.fortest W4.7.exe File created C:\Windows\WindowsUpdata\ssrwng.exe W4.7.exe File opened for modification C:\Windows\WindowsUpdata\ssrwng.exe W4.7.exe File created C:\Windows\WindowsUpdata\.temp.fortest ssrwng.exe -
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
W4.7.exessrwng.execmd.exedescription ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language W4.7.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ssrwng.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
W4.7.exessrwng.exedescription pid Process Token: SeBackupPrivilege 1052 W4.7.exe Token: SeBackupPrivilege 3860 ssrwng.exe Token: SeIncBasePriorityPrivilege 1052 W4.7.exe -
Suspicious use of WriteProcessMemory 6 IoCs
Processes:
W4.7.exedescription pid Process procid_target PID 1052 wrote to memory of 3860 1052 W4.7.exe 83 PID 1052 wrote to memory of 3860 1052 W4.7.exe 83 PID 1052 wrote to memory of 3860 1052 W4.7.exe 83 PID 1052 wrote to memory of 4264 1052 W4.7.exe 99 PID 1052 wrote to memory of 4264 1052 W4.7.exe 99 PID 1052 wrote to memory of 4264 1052 W4.7.exe 99 -
System policy modification 1 TTPs 4 IoCs
Processes:
ssrwng.exeW4.7.exedescription ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" ssrwng.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" ssrwng.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" W4.7.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" W4.7.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\W4.7.exe"C:\Users\Admin\AppData\Local\Temp\W4.7.exe"1⤵
- UAC bypass
- Windows security bypass
- Windows security modification
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1052 -
C:\Windows\WindowsUpdata\ssrwng.exeC:\Windows\WindowsUpdata\ssrwng.exe2⤵
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:3860
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\W47~1.EXE > nul2⤵
- System Location Discovery: System Language Discovery
PID:4264
-
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
3Disable or Modify Tools
3Indicator Removal
1File Deletion
1Modify Registry
5Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
47.0MB
MD5cf52d13101b4307ce01dc7eb78f002b1
SHA1e3dc4ad5b23d8ac1d2fd6b88fb6e9f43e3b366b6
SHA2567ea9d785c7c79485ffcf4adcd3059eb9133e0e791d45513505eff7d7dec71810
SHA51224b5b4409cd7739f68a906db0bd71186297c685210c41cbe3bc6f4a8ec87f302e6a3be9f0cb1216c15f149221a7ecaddb3acc443a83af109d811de9c8f9c1186