d95a38a7c3ba130e354926102de8f64986d8248ee095e5e410d6ee410d74e0bc

General

Target

amix
Sample

190902-3ldbs4wjda
SHA256

d95a38a7c3ba130e354926102de8f64986d8248ee095e5e410d6ee410d74e0bc

Score

N/A

Malware Config

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess 9 IoCs

at	description	Process	procid_target
17719	PID 2596 created 2428	svchost.exe	43
19954	PID 2596 created 2428	svchost.exe	43
20735	PID 2596 created 2428	svchost.exe	43
21454	PID 2596 created 2428	svchost.exe	43
22313	PID 2596 created 2428	svchost.exe	43
23063	PID 2596 created 2428	svchost.exe	43
36438	PID 2596 created 2428	svchost.exe	43
37407	PID 2596 created 2428	svchost.exe	43
38438	PID 2596 created 2428	svchost.exe	43

Program crash

Suspicious use of WriteProcessMemory 11 IoCs

at	description	Process	procid_target
17813	PID 2596 wrote to memory of 3624	svchost.exe	45
19954	PID 2596 wrote to memory of 3924	svchost.exe	46
20735	PID 2596 wrote to memory of 3360	svchost.exe	47
21454	PID 2596 wrote to memory of 4092	svchost.exe	48
22313	PID 2596 wrote to memory of 4076	svchost.exe	49
23063	PID 2596 wrote to memory of 2456	svchost.exe	50
36157	PID 2428 wrote to memory of 3508	amix.exe	51
36438	PID 2596 wrote to memory of 3528	svchost.exe	52
37422	PID 2596 wrote to memory of 4040	svchost.exe	53
38235	PID 2428 wrote to memory of 3484	amix.exe	54
38438	PID 2596 wrote to memory of 2628	svchost.exe	55

Suspicious use of AdjustPrivilegeToken 9 IoCs

at	description	Process
18688	Token: SeDebugPrivilege	WerFault.exe
20047	Token: SeDebugPrivilege	WerFault.exe
20875	Token: SeDebugPrivilege	WerFault.exe
21563	Token: SeDebugPrivilege	WerFault.exe
22516	Token: SeDebugPrivilege	WerFault.exe
23157	Token: SeDebugPrivilege	WerFault.exe
36547	Token: SeDebugPrivilege	WerFault.exe
37500	Token: SeDebugPrivilege	WerFault.exe
38547	Token: SeDebugPrivilege	WerFault.exe

Suspicious behavior: EnumeratesProcesses

Checks system information in the registry (likely anti-VM) 2 TTPs 18 IoCs

Query Registry

T1012

System Information Discovery

T1082

at	description	ioc	Process
19672	Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	WerFault.exe
19672	Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	WerFault.exe
20469	Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	WerFault.exe
20469	Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	WerFault.exe
21125	Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	WerFault.exe
21125	Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	WerFault.exe
22000	Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	WerFault.exe
22000	Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	WerFault.exe
22813	Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	WerFault.exe
22813	Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	WerFault.exe
23563	Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	WerFault.exe
23563	Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	WerFault.exe
36922	Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	WerFault.exe
36922	Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	WerFault.exe
37985	Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	WerFault.exe
37985	Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	WerFault.exe
39282	Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	WerFault.exe
39282	Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	WerFault.exe

Adds Run entry to start application 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

at	description	ioc	Process
36110	Set value (str)	\REGISTRY\USER\S-1-5-21-4159699222-2363879890-816855548-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\502beaa5-5beb-4a8f-807b-63bcec92f084\\amix.exe\" --AutoStart"	amix.exe

C:\Users\Admin\AppData\Local\Temp\amix.exe
C:\Users\Admin\AppData\Local\Temp\amix.exe
1⤵
- Suspicious use of WriteProcessMemory
- Adds Run entry to start application
PID:2428

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious use of WriteProcessMemory
PID:2596

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2428 -s 844
1⤵
- Suspicious use of AdjustPrivilegeToken
- Checks system information in the registry (likely anti-VM)
PID:3624

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2428 -s 876
1⤵
- Suspicious use of AdjustPrivilegeToken
- Checks system information in the registry (likely anti-VM)
PID:3924

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2428 -s 912
1⤵
- Suspicious use of AdjustPrivilegeToken
- Checks system information in the registry (likely anti-VM)
PID:3360

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2428 -s 824
1⤵
- Suspicious use of AdjustPrivilegeToken
- Checks system information in the registry (likely anti-VM)
PID:4092

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2428 -s 1120
1⤵
- Suspicious use of AdjustPrivilegeToken
- Checks system information in the registry (likely anti-VM)
PID:4076

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2428 -s 1132
1⤵
- Suspicious use of AdjustPrivilegeToken
- Checks system information in the registry (likely anti-VM)
PID:2456

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Users\Admin\AppData\Local\502beaa5-5beb-4a8f-807b-63bcec92f084" /deny *S-1-1-0:(OI)(CI)(DE,DC)
1⤵
PID:3508

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2428 -s 1256
1⤵
- Suspicious use of AdjustPrivilegeToken
- Checks system information in the registry (likely anti-VM)
PID:3528

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2428 -s 1512
1⤵
- Suspicious use of AdjustPrivilegeToken
- Checks system information in the registry (likely anti-VM)
PID:4040

C:\Users\Admin\AppData\Local\Temp\amix.exe
"C:\Users\Admin\AppData\Local\Temp\amix.exe" --Admin IsNotAutoStart IsNotTask
1⤵
PID:3484

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2428 -s 304
1⤵
- Suspicious use of AdjustPrivilegeToken
- Checks system information in the registry (likely anti-VM)
PID:2628

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

MITRE ATT&CK Additional techniques

T1060

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

MITRE ATT&CK Additional techniques

Replay Monitor

Loading Replay Monitor...

Downloads