d95a38a7c3ba130e354926102de8f64986d8248ee095e5e410d6ee410d74e0bc

General

Target

amix
Sample

190902-nwtlcy8qcx
SHA256

d95a38a7c3ba130e354926102de8f64986d8248ee095e5e410d6ee410d74e0bc

Score

N/A

Malware Config

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess 10 IoCs

at	description	Process	procid_target
17484	PID 4020 created 3968	svchost.exe	42
19859	PID 4020 created 3968	svchost.exe	42
20781	PID 4020 created 3968	svchost.exe	42
21859	PID 4020 created 3968	svchost.exe	42
22656	PID 4020 created 3968	svchost.exe	42
23234	PID 4020 created 3968	svchost.exe	42
36843	PID 4020 created 3968	svchost.exe	42
38843	PID 4020 created 3968	svchost.exe	42
40343	PID 4020 created 3968	svchost.exe	42
60125	PID 4020 created 3688	svchost.exe	53

Program crash

Suspicious use of WriteProcessMemory 12 IoCs

at	description	Process	procid_target
17609	PID 4020 wrote to memory of 4052	svchost.exe	44
19859	PID 4020 wrote to memory of 2216	svchost.exe	45
20781	PID 4020 wrote to memory of 2132	svchost.exe	46
21859	PID 4020 wrote to memory of 2232	svchost.exe	47
22656	PID 4020 wrote to memory of 3276	svchost.exe	48
23234	PID 4020 wrote to memory of 2992	svchost.exe	49
36359	PID 3968 wrote to memory of 2988	amix.exe	50
36843	PID 4020 wrote to memory of 2372	svchost.exe	51
38843	PID 4020 wrote to memory of 2252	svchost.exe	52
39843	PID 3968 wrote to memory of 3688	amix.exe	53
40343	PID 4020 wrote to memory of 3644	svchost.exe	54
60125	PID 4020 wrote to memory of 3060	svchost.exe	56

Suspicious use of AdjustPrivilegeToken 10 IoCs

at	description	Process
18578	Token: SeDebugPrivilege	WerFault.exe
20140	Token: SeDebugPrivilege	WerFault.exe
21015	Token: SeDebugPrivilege	WerFault.exe
21984	Token: SeDebugPrivilege	WerFault.exe
22750	Token: SeDebugPrivilege	WerFault.exe
23406	Token: SeDebugPrivilege	WerFault.exe
36984	Token: SeDebugPrivilege	WerFault.exe
38968	Token: SeDebugPrivilege	WerFault.exe
40625	Token: SeDebugPrivilege	WerFault.exe
60328	Token: SeDebugPrivilege	WerFault.exe

Suspicious behavior: EnumeratesProcesses

Checks system information in the registry (likely anti-VM) 2 TTPs 18 IoCs

Query Registry

T1012

System Information Discovery

T1082

at	description	ioc	Process
19515	Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	WerFault.exe
19515	Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	WerFault.exe
20531	Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	WerFault.exe
20531	Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	WerFault.exe
21578	Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	WerFault.exe
21578	Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	WerFault.exe
22406	Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	WerFault.exe
22406	Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	WerFault.exe
23046	Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	WerFault.exe
23046	Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	WerFault.exe
23734	Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	WerFault.exe
23734	Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	WerFault.exe
37593	Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	WerFault.exe
37593	Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	WerFault.exe
39531	Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	WerFault.exe
39531	Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	WerFault.exe
42140	Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	WerFault.exe
42140	Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	WerFault.exe

Adds Run entry to start application 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

at	description	ioc	Process
36328	Set value (str)	\REGISTRY\USER\S-1-5-21-1147720014-1764331075-2940032047-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\93e992c4-caf5-4785-a3c4-1c483667064e\\amix.exe\" --AutoStart"	amix.exe

C:\Users\Admin\AppData\Local\Temp\amix.exe
C:\Users\Admin\AppData\Local\Temp\amix.exe
1⤵
- Suspicious use of WriteProcessMemory
- Adds Run entry to start application
PID:3968

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious use of WriteProcessMemory
PID:4020

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3968 -s 864
1⤵
- Suspicious use of AdjustPrivilegeToken
- Checks system information in the registry (likely anti-VM)
PID:4052

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3968 -s 876
1⤵
- Suspicious use of AdjustPrivilegeToken
- Checks system information in the registry (likely anti-VM)
PID:2216

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3968 -s 916
1⤵
- Suspicious use of AdjustPrivilegeToken
- Checks system information in the registry (likely anti-VM)
PID:2132

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3968 -s 972
1⤵
- Suspicious use of AdjustPrivilegeToken
- Checks system information in the registry (likely anti-VM)
PID:2232

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3968 -s 1120
1⤵
- Suspicious use of AdjustPrivilegeToken
- Checks system information in the registry (likely anti-VM)
PID:3276

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3968 -s 1132
1⤵
- Suspicious use of AdjustPrivilegeToken
- Checks system information in the registry (likely anti-VM)
PID:2992

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Users\Admin\AppData\Local\93e992c4-caf5-4785-a3c4-1c483667064e" /deny *S-1-1-0:(OI)(CI)(DE,DC)
1⤵
PID:2988

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3968 -s 1260
1⤵
- Suspicious use of AdjustPrivilegeToken
- Checks system information in the registry (likely anti-VM)
PID:2372

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3968 -s 1508
1⤵
- Suspicious use of AdjustPrivilegeToken
- Checks system information in the registry (likely anti-VM)
PID:2252

C:\Users\Admin\AppData\Local\Temp\amix.exe
"C:\Users\Admin\AppData\Local\Temp\amix.exe" --Admin IsNotAutoStart IsNotTask
1⤵
PID:3688

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3968 -s 300
1⤵
- Suspicious use of AdjustPrivilegeToken
- Checks system information in the registry (likely anti-VM)
PID:3644

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3688 -s 816
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3060

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

MITRE ATT&CK Additional techniques

T1060

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

MITRE ATT&CK Additional techniques

Replay Monitor

Loading Replay Monitor...

Downloads