Task
task1
Resource
win7
0 signatures
Task
task2
Resource
win10
0 signatures
General
-
Target
amix
-
Sample
190902-44h44rg53x
-
SHA256
d95a38a7c3ba130e354926102de8f64986d8248ee095e5e410d6ee410d74e0bc
Score
N/A
Malware Config
Signatures
-
Suspicious use of NtCreateUserProcessOtherParentProcess 10 IoCs
Processes: svchost.exe
at     description            process      target process
19438  PID 1940 created 944   svchost.exe  amix.exe
21813  PID 1940 created 944   svchost.exe  amix.exe
22422  PID 1940 created 944   svchost.exe  amix.exe
23016  PID 1940 created 944   svchost.exe  amix.exe
23750  PID 1940 created 944   svchost.exe  amix.exe
24391  PID 1940 created 944   svchost.exe  amix.exe
25078  PID 1940 created 944   svchost.exe  amix.exe
38235  PID 1940 created 944   svchost.exe  amix.exe
39453  PID 1940 created 944   svchost.exe  amix.exe
40516  PID 1940 created 944   svchost.exe  amix.exe
-
Program crash
-
Suspicious use of WriteProcessMemory 12 IoCs
Processes: svchost.exe, amix.exe
at     description                         process      target process
19657  PID 1940 wrote to memory of 3320    svchost.exe  WerFault.exe
21813  PID 1940 wrote to memory of 3188    svchost.exe  WerFault.exe
22422  PID 1940 wrote to memory of 2888    svchost.exe  WerFault.exe
23016  PID 1940 wrote to memory of 3820    svchost.exe  WerFault.exe
23750  PID 1940 wrote to memory of 3844    svchost.exe  WerFault.exe
24391  PID 1940 wrote to memory of 3396    svchost.exe  WerFault.exe
25078  PID 1940 wrote to memory of 3892    svchost.exe  WerFault.exe
37844  PID 944 wrote to memory of 3840     amix.exe     icacls.exe
38235  PID 1940 wrote to memory of 3900    svchost.exe  WerFault.exe
39453  PID 1940 wrote to memory of 3752    svchost.exe  WerFault.exe
40344  PID 944 wrote to memory of 2876     amix.exe     amix.exe
40516  PID 1940 wrote to memory of 2704    svchost.exe  WerFault.exe
-
Suspicious use of AdjustPrivilegeToken 10 IoCs
Processes: WerFault.exe
at     description              process
20625  Token: SeDebugPrivilege  WerFault.exe
21875  Token: SeDebugPrivilege  WerFault.exe
22500  Token: SeDebugPrivilege  WerFault.exe
23188  Token: SeDebugPrivilege  WerFault.exe
23860  Token: SeDebugPrivilege  WerFault.exe
24485  Token: SeDebugPrivilege  WerFault.exe
25172  Token: SeDebugPrivilege  WerFault.exe
38328  Token: SeDebugPrivilege  WerFault.exe
39641  Token: SeDebugPrivilege  WerFault.exe
40610  Token: SeDebugPrivilege  WerFault.exe
-
Suspicious behavior: EnumeratesProcesses
-
Checks system information in the registry (likely anti-VM) 2 TTPs 20 IoCs
Processes: WerFault.exe
at     description        ioc                                                                                  process
21500  Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer  WerFault.exe
21500  Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName   WerFault.exe
22141  Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer  WerFault.exe
22141  Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName   WerFault.exe
22797  Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer  WerFault.exe
22797  Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName   WerFault.exe
23547  Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer  WerFault.exe
23547  Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName   WerFault.exe
24110  Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer  WerFault.exe
24110  Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName   WerFault.exe
24844  Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer  WerFault.exe
24844  Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName   WerFault.exe
25500  Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer  WerFault.exe
25500  Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName   WerFault.exe
38750  Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer  WerFault.exe
38750  Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName   WerFault.exe
39938  Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer  WerFault.exe
39938  Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName   WerFault.exe
41813  Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer  WerFault.exe
41813  Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName   WerFault.exe
-
Adds Run entry to start application 2 TTPs 1 IoCs
Processes: amix.exe
at     description      ioc                                                                                                                        process
37828  Set value (str)  \REGISTRY\USER\S-1-5-21-3036946624-713005404-4182576195-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\deb19f43-f5b1-4b9f-a049-ccf279a93163\\amix.exe\" --AutoStart"  amix.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\amix.exe
Command line: C:\Users\Admin\AppData\Local\Temp\amix.exe
- Suspicious use of WriteProcessMemory
- Adds Run entry to start application
PID:944
-
C:\Windows\System32\svchost.exe
Command line: C:\Windows\System32\svchost.exe -k WerSvcGroup
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious use of WriteProcessMemory
PID:1940
-
C:\Windows\SysWOW64\WerFault.exe
Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 944 -s 804
- Suspicious use of AdjustPrivilegeToken
- Checks system information in the registry (likely anti-VM)
PID:3320
-
C:\Windows\SysWOW64\WerFault.exe
Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 944 -s 876
- Suspicious use of AdjustPrivilegeToken
- Checks system information in the registry (likely anti-VM)
PID:3188
-
C:\Windows\SysWOW64\WerFault.exe
Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 944 -s 936
- Suspicious use of AdjustPrivilegeToken
- Checks system information in the registry (likely anti-VM)
PID:2888
-
C:\Windows\SysWOW64\WerFault.exe
Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 944 -s 880
- Suspicious use of AdjustPrivilegeToken
- Checks system information in the registry (likely anti-VM)
PID:3820
-
C:\Windows\SysWOW64\WerFault.exe
Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 944 -s 1016
- Suspicious use of AdjustPrivilegeToken
- Checks system information in the registry (likely anti-VM)
PID:3844
-
C:\Windows\SysWOW64\WerFault.exe
Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 944 -s 1124
- Suspicious use of AdjustPrivilegeToken
- Checks system information in the registry (likely anti-VM)
PID:3396
-
C:\Windows\SysWOW64\WerFault.exe
Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 944 -s 880
- Suspicious use of AdjustPrivilegeToken
- Checks system information in the registry (likely anti-VM)
PID:3892
-
C:\Windows\SysWOW64\icacls.exe
Command line: icacls "C:\Users\Admin\AppData\Local\deb19f43-f5b1-4b9f-a049-ccf279a93163" /deny *S-1-1-0:(OI)(CI)(DE,DC)
PID:3840
-
C:\Windows\SysWOW64\WerFault.exe
Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 944 -s 1276
- Suspicious use of AdjustPrivilegeToken
- Checks system information in the registry (likely anti-VM)
PID:3900
-
C:\Windows\SysWOW64\WerFault.exe
Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 944 -s 1528
- Suspicious use of AdjustPrivilegeToken
- Checks system information in the registry (likely anti-VM)
PID:3752
-
C:\Users\Admin\AppData\Local\Temp\amix.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\amix.exe" --Admin IsNotAutoStart IsNotTask
PID:2876
-
C:\Windows\SysWOW64\WerFault.exe
Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 944 -s 240
- Suspicious use of AdjustPrivilegeToken
- Checks system information in the registry (likely anti-VM)
PID:2704
Network
MITRE ATT&CK Enterprise v15
MITRE ATT&CK Additional techniques
- T1060