d95a38a7c3ba130e354926102de8f64986d8248ee095e5e410d6ee410d74e0bc

General

Target

amix
Sample

190902-3ldbs4wjda
SHA256

d95a38a7c3ba130e354926102de8f64986d8248ee095e5e410d6ee410d74e0bc

Score

N/A

Malware Config

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess 9 IoCs

Processes:

svchost.exe

at	description	process	target process
17719	PID 2596 created 2428	svchost.exe	amix.exe
19954	PID 2596 created 2428	svchost.exe	amix.exe
20735	PID 2596 created 2428	svchost.exe	amix.exe
21454	PID 2596 created 2428	svchost.exe	amix.exe
22313	PID 2596 created 2428	svchost.exe	amix.exe
23063	PID 2596 created 2428	svchost.exe	amix.exe
36438	PID 2596 created 2428	svchost.exe	amix.exe
37407	PID 2596 created 2428	svchost.exe	amix.exe
38438	PID 2596 created 2428	svchost.exe	amix.exe

Program crash

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

svchost.exeamix.exe

at	description	process	target process
17813	PID 2596 wrote to memory of 3624	svchost.exe	WerFault.exe
19954	PID 2596 wrote to memory of 3924	svchost.exe	WerFault.exe
20735	PID 2596 wrote to memory of 3360	svchost.exe	WerFault.exe
21454	PID 2596 wrote to memory of 4092	svchost.exe	WerFault.exe
22313	PID 2596 wrote to memory of 4076	svchost.exe	WerFault.exe
23063	PID 2596 wrote to memory of 2456	svchost.exe	WerFault.exe
36157	PID 2428 wrote to memory of 3508	amix.exe	icacls.exe
36438	PID 2596 wrote to memory of 3528	svchost.exe	WerFault.exe
37422	PID 2596 wrote to memory of 4040	svchost.exe	WerFault.exe
38235	PID 2428 wrote to memory of 3484	amix.exe	amix.exe
38438	PID 2596 wrote to memory of 2628	svchost.exe	WerFault.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

at	description	process
18688	Token: SeDebugPrivilege	WerFault.exe
20047	Token: SeDebugPrivilege	WerFault.exe
20875	Token: SeDebugPrivilege	WerFault.exe
21563	Token: SeDebugPrivilege	WerFault.exe
22516	Token: SeDebugPrivilege	WerFault.exe
23157	Token: SeDebugPrivilege	WerFault.exe
36547	Token: SeDebugPrivilege	WerFault.exe
37500	Token: SeDebugPrivilege	WerFault.exe
38547	Token: SeDebugPrivilege	WerFault.exe

Suspicious behavior: EnumeratesProcesses

Checks system information in the registry (likely anti-VM) 2 TTPs 18 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

at	description	ioc	process
19672	Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	WerFault.exe
19672	Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	WerFault.exe
20469	Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	WerFault.exe
20469	Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	WerFault.exe
21125	Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	WerFault.exe
21125	Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	WerFault.exe
22000	Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	WerFault.exe
22000	Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	WerFault.exe
22813	Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	WerFault.exe
22813	Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	WerFault.exe
23563	Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	WerFault.exe
23563	Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	WerFault.exe
36922	Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	WerFault.exe
36922	Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	WerFault.exe
37985	Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	WerFault.exe
37985	Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	WerFault.exe
39282	Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	WerFault.exe
39282	Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	WerFault.exe

Adds Run entry to start application 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

Processes:

amix.exe

at	description	ioc	process
36110	Set value (str)	\REGISTRY\USER\S-1-5-21-4159699222-2363879890-816855548-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\502beaa5-5beb-4a8f-807b-63bcec92f084\\amix.exe\" --AutoStart"	amix.exe

C:\Users\Admin\AppData\Local\Temp\amix.exe
C:\Users\Admin\AppData\Local\Temp\amix.exe
1⤵
- Suspicious use of WriteProcessMemory
- Adds Run entry to start application
PID:2428

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious use of WriteProcessMemory
PID:2596

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2428 -s 844
1⤵
- Suspicious use of AdjustPrivilegeToken
- Checks system information in the registry (likely anti-VM)
PID:3624

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2428 -s 876
1⤵
- Suspicious use of AdjustPrivilegeToken
- Checks system information in the registry (likely anti-VM)
PID:3924

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2428 -s 912
1⤵
- Suspicious use of AdjustPrivilegeToken
- Checks system information in the registry (likely anti-VM)
PID:3360

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2428 -s 824
1⤵
- Suspicious use of AdjustPrivilegeToken
- Checks system information in the registry (likely anti-VM)
PID:4092

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2428 -s 1120
1⤵
- Suspicious use of AdjustPrivilegeToken
- Checks system information in the registry (likely anti-VM)
PID:4076

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2428 -s 1132
1⤵
- Suspicious use of AdjustPrivilegeToken
- Checks system information in the registry (likely anti-VM)
PID:2456

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Users\Admin\AppData\Local\502beaa5-5beb-4a8f-807b-63bcec92f084" /deny *S-1-1-0:(OI)(CI)(DE,DC)
1⤵
PID:3508

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2428 -s 1256
1⤵
- Suspicious use of AdjustPrivilegeToken
- Checks system information in the registry (likely anti-VM)
PID:3528

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2428 -s 1512
1⤵
- Suspicious use of AdjustPrivilegeToken
- Checks system information in the registry (likely anti-VM)
PID:4040

C:\Users\Admin\AppData\Local\Temp\amix.exe
"C:\Users\Admin\AppData\Local\Temp\amix.exe" --Admin IsNotAutoStart IsNotTask
1⤵
PID:3484

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2428 -s 304
1⤵
- Suspicious use of AdjustPrivilegeToken
- Checks system information in the registry (likely anti-VM)
PID:2628

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

MITRE ATT&CK Additional techniques

T1060

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

MITRE ATT&CK Additional techniques

Replay Monitor

Loading Replay Monitor...

Downloads