Analysis
- max time kernel: 132s
- max time network: 132s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 08-11-2020 17:47
- Static task: static1
- Behavioral task: behavioral1
  Sample: f0c37f1d0fd2327c9dc4d60732b0883f3cae4b48115939723a9f894b3e9aa0ca.exe
  Resource: win7v20201028
- Behavioral task: behavioral2
  Sample: f0c37f1d0fd2327c9dc4d60732b0883f3cae4b48115939723a9f894b3e9aa0ca.exe
  Resource: win10v20201028
General
- Target: f0c37f1d0fd2327c9dc4d60732b0883f3cae4b48115939723a9f894b3e9aa0ca.exe
- Size: 1.9MB
- MD5: 449fdd7efd9d93a0ade55e13d5bd93da
- SHA1: 1b1bc5942cdde5880e23e4b01c4f78215fda2656
- SHA256: f0c37f1d0fd2327c9dc4d60732b0883f3cae4b48115939723a9f894b3e9aa0ca
- SHA512: 7c7bcf69669cf9ac4f6228a6de1094bf988fa1ef6e7cbe32f158b6c8aae76ca294c29fabbe29b4b59c937d0d152d70fab807f4d6a77b294937a2c0c1428ce965
Malware Config
- Extracted (ftp)
  Protocol: ftp
  Host: 31.44.184.108
  Port: 21
  Username: alex
  Password: easypassword
- Extracted (metasploit)
  Payload: windows/download_exec
  URL: http://31.44.184.48:80/tv99
  Headers: User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB7.4; InfoPath.2)
Signatures
- MetaSploit
  Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
- Modifies visibility of hidden/system files in Explorer (2 TTPs)
- Blocks application from running via registry modification
  Adds application to list of disallowed applications.
- Executes dropped EXE (3 IoCs)
  Processes (pid | process):
  2840 | taskhostw.exe
  1648 | taskhosta.exe
  2260 | taskhosta.exe
- Stops running service(s) (3 TTPs)
- Adds Run key to start application (2 TTPs, 4 IoCs)
  Processes (description | ioc | process):
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Realtek HD Audio = "C:\\ProgramData\\RealtekHD\\taskhostw.exe" | taskhostw.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run | f0c37f1d0fd2327c9dc4d60732b0883f3cae4b48115939723a9f894b3e9aa0ca.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Realtek HD Audio = "C:\\ProgramData\\RealtekHD\\taskhostw.exe" | f0c37f1d0fd2327c9dc4d60732b0883f3cae4b48115939723a9f894b3e9aa0ca.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run | taskhostw.exe
- Checks whether UAC is enabled
  Processes (description | ioc | process):
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f0c37f1d0fd2327c9dc4d60732b0883f3cae4b48115939723a9f894b3e9aa0ca.exe
- Legitimate hosting services abused for malware hosting/C2 (1 TTPs)
- Modifies WinLogon (2 TTPs, 6 IoCs)
  Processes (description | ioc | process):
  Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList | f0c37f1d0fd2327c9dc4d60732b0883f3cae4b48115939723a9f894b3e9aa0ca.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts | f0c37f1d0fd2327c9dc4d60732b0883f3cae4b48115939723a9f894b3e9aa0ca.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\John = "0" | f0c37f1d0fd2327c9dc4d60732b0883f3cae4b48115939723a9f894b3e9aa0ca.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList | f0c37f1d0fd2327c9dc4d60732b0883f3cae4b48115939723a9f894b3e9aa0ca.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts | f0c37f1d0fd2327c9dc4d60732b0883f3cae4b48115939723a9f894b3e9aa0ca.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\John = "0" | f0c37f1d0fd2327c9dc4d60732b0883f3cae4b48115939723a9f894b3e9aa0ca.exe
- Suspicious use of SetThreadContext (1 IoCs)
  Processes (description | pid | process | target process):
  PID 1648 set thread context of 2260 | 1648 | taskhosta.exe | taskhosta.exe
- Launches sc.exe
  Sc.exe is a Windows utility to control services on the system.
- Suspicious behavior: EnumeratesProcesses (40 IoCs)
  Processes (pid | process):
  3336 | f0c37f1d0fd2327c9dc4d60732b0883f3cae4b48115939723a9f894b3e9aa0ca.exe (the same entry, repeated 40 times)
- Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  Processes (pid | process):
  2840 | taskhostw.exe
- Suspicious use of WriteProcessMemory (17 IoCs)
  Processes (description | pid | process | target process):
  PID 3336 wrote to memory of 740 | 3336 | f0c37f1d0fd2327c9dc4d60732b0883f3cae4b48115939723a9f894b3e9aa0ca.exe | cmd.exe (3 identical entries)
  PID 740 wrote to memory of 2748 | 740 | cmd.exe | sc.exe (3 identical entries)
  PID 3336 wrote to memory of 2840 | 3336 | f0c37f1d0fd2327c9dc4d60732b0883f3cae4b48115939723a9f894b3e9aa0ca.exe | taskhostw.exe (3 identical entries)
  PID 3336 wrote to memory of 1648 | 3336 | f0c37f1d0fd2327c9dc4d60732b0883f3cae4b48115939723a9f894b3e9aa0ca.exe | taskhosta.exe (3 identical entries)
  PID 1648 wrote to memory of 2260 | 1648 | taskhosta.exe | taskhosta.exe (5 identical entries)
- System policy modification (1 TTPs, 3 IoCs)
  Processes (description | ioc | process):
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | f0c37f1d0fd2327c9dc4d60732b0883f3cae4b48115939723a9f894b3e9aa0ca.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f0c37f1d0fd2327c9dc4d60732b0883f3cae4b48115939723a9f894b3e9aa0ca.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | f0c37f1d0fd2327c9dc4d60732b0883f3cae4b48115939723a9f894b3e9aa0ca.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\f0c37f1d0fd2327c9dc4d60732b0883f3cae4b48115939723a9f894b3e9aa0ca.exe (level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\f0c37f1d0fd2327c9dc4d60732b0883f3cae4b48115939723a9f894b3e9aa0ca.exe"
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Modifies WinLogon
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - System policy modification
  - C:\Windows\SysWOW64\cmd.exe (level 2)
    Command line: C:\Windows\system32\cmd.exe /c sc delete swprv
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\sc.exe (level 3)
      Command line: sc delete swprv
  - C:\ProgramData\RealtekHD\taskhostw.exe (level 2)
    Command line: C:\ProgramData\RealtekHD\taskhostw.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: GetForegroundWindowSpam
  - C:\ProgramData\install\taskhosta.exe (level 2)
    Command line: C:\ProgramData\install\taskhosta.exe
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    - C:\ProgramData\install\taskhosta.exe (level 3)
      Command line: C:\ProgramData\install\taskhosta.exe
      - Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\ProgramData\RealtekHD\taskhostw.exe
  MD5: 3d1bdbe506435b6bcef9ccbe7b1e326e
  SHA1: 951978f4a11a5afb826c9be3071e72d27700f597
  SHA256: a48389633a690d3de789e662a01fb617d794c5e409a893ed4a1e724db25d8ae4
  SHA512: 225dbd30cb628e3e8554689299dae5a4f4de5d86b1577f1eb77ac118a50706e36e47a8cab428e636b7ad60efadddbebe1108aa0ec1e00f5dcce78a77a5a97ce0
- C:\ProgramData\install\taskhosta.exe
  MD5: c4fdfc9a690ed2c0ef5ee37878cf20ca
  SHA1: 510b18f1b41f75fcffc415b70f2db689c43f4930
  SHA256: 45a30caa46cf531121e81ee34bd6df322ae721de8a2b47a0503419faaffcf54b
  SHA512: a09898761be27abc5f36934a342ba795cf06ef6fb1332b98a65a14fc30c03e098732ac293106e0d2d635220e78f552b5a84517955a195f5d9e63eb543360c62b
- memory/740-0-0x0000000000000000-mapping.dmp
- memory/1648-5-0x0000000000000000-mapping.dmp
- memory/2260-8-0x0000000000400000-0x0000000000409000-memory.dmp (Filesize: 36KB)
- memory/2260-9-0x00000000004014B0-mapping.dmp
- memory/2260-11-0x0000000000400000-0x0000000000409000-memory.dmp (Filesize: 36KB)
- memory/2260-12-0x0000000000020000-0x0000000000021000-memory.dmp (Filesize: 4KB)
- memory/2748-1-0x0000000000000000-mapping.dmp
- memory/2840-2-0x0000000000000000-mapping.dmp