Analysis
-
max time kernel
147s -
max time network
116s -
platform
windows10_x64 -
resource
win10v20201028 -
submitted
09-11-2020 21:35
General
-
Target
acfe5824e57eb300d1328c68e7ba188dba19666ec1e6bfa77fff6ce2420ce99a.exe
-
Size
284KB
-
MD5
40c157e8302e1cf6af387b5f88a89ea3
-
SHA1
22bf5f8acc26244c374835b8bb53d9de4becebbd
-
SHA256
acfe5824e57eb300d1328c68e7ba188dba19666ec1e6bfa77fff6ce2420ce99a
-
SHA512
490e3449868c2db741360b036b0ee8621668c5fae75b972ae411713ec612fc1ceaf83a8526924ab5715a525e9d5ff5a180e290ceb383eadf7466441a2bc97abf
Malware Config
Signatures
-
ServiceHost packer 1 IoCs
Detects ServiceHost packer used for .NET malware
-
Executes dropped EXE 1 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Checks SCSI registry key(s) 3 TTPs 8 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 38 IoCs
-
Suspicious behavior: MapViewOfSection 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 801 IoCs
-
Suspicious use of WriteProcessMemory 418 IoCs
Processes
-
c:\windows\system32\sihost.exesihost.exe1⤵
-
c:\windows\system32\taskhostw.exetaskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Users\Admin\AppData\Local\Temp\acfe5824e57eb300d1328c68e7ba188dba19666ec1e6bfa77fff6ce2420ce99a.exe"C:\Users\Admin\AppData\Local\Temp\acfe5824e57eb300d1328c68e7ba188dba19666ec1e6bfa77fff6ce2420ce99a.exe"2⤵
- Checks SCSI registry key(s)
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\Microsoft\Syimey\syime.exeC:\Users\Admin\AppData\Roaming\Microsoft\Syimey\syime.exe3⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe4⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c ping.exe -n 6 127.0.0.1 & type "C:\Windows\\System32\\autoconv.exe" > "C:\Users\Admin\AppData\Local\Temp\acfe5824e57eb300d1328c68e7ba188dba19666ec1e6bfa77fff6ce2420ce99a.exe" & del /F /Q "C:\Users\Admin\AppData\Local\Temp\acfe5824e57eb300d1328c68e7ba3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵
-
C:\Windows\SysWOW64\PING.EXEping.exe -n 6 127.0.0.14⤵
- Runs ping.exe
-
C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe"C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe" -ServerName:App.AppXtk181tbxbce2qsex02s8tw7hfxa9xb3t.mca1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe"C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe" -ServerName:CortanaUI.AppXa50dqqa5gqv4a428c9y1jjw7m3btvepj.mca1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Roaming\Microsoft\Syimey\syim.dllMD5
7ceb99928d56047ae689f13e68ef56e7
SHA13063b51dc1b09ffa870afaa32943ae7b290d6df8
SHA2567e7c0c1aeb7ca21dc57e92a4bd495a2934befe354ec4ac89ece5429160cd70b0
SHA5122ff135d26aa31d94fd209f1f9030030e74f66762820ad5db58f41fe691975bfc049901abd7c68540f1e37e8597cf1642e675e65dd511b29878527aa5baa9b689
-
C:\Users\Admin\AppData\Roaming\Microsoft\Syimey\syime.exeMD5
40c157e8302e1cf6af387b5f88a89ea3
SHA122bf5f8acc26244c374835b8bb53d9de4becebbd
SHA256acfe5824e57eb300d1328c68e7ba188dba19666ec1e6bfa77fff6ce2420ce99a
SHA512490e3449868c2db741360b036b0ee8621668c5fae75b972ae411713ec612fc1ceaf83a8526924ab5715a525e9d5ff5a180e290ceb383eadf7466441a2bc97abf
-
C:\Users\Admin\AppData\Roaming\Microsoft\Syimey\syime.exeMD5
40c157e8302e1cf6af387b5f88a89ea3
SHA122bf5f8acc26244c374835b8bb53d9de4becebbd
SHA256acfe5824e57eb300d1328c68e7ba188dba19666ec1e6bfa77fff6ce2420ce99a
SHA512490e3449868c2db741360b036b0ee8621668c5fae75b972ae411713ec612fc1ceaf83a8526924ab5715a525e9d5ff5a180e290ceb383eadf7466441a2bc97abf
-
memory/184-3-0x0000000000000000-mapping.dmp
-
memory/184-52-0x0000000000000000-mapping.dmp
-
memory/184-51-0x0000000002F70000-0x0000000002F71000-memory.dmpFilesize
4KB
-
memory/1568-181-0x0000000005E00000-0x0000000005E01000-memory.dmpFilesize
4KB
-
memory/1568-485-0x0000000005E00000-0x0000000005E01000-memory.dmpFilesize
4KB
-
memory/1568-8-0x0000000005390000-0x0000000005391000-memory.dmpFilesize
4KB
-
memory/1568-14-0x0000000005390000-0x0000000005391000-memory.dmpFilesize
4KB
-
memory/1568-21-0x0000000005390000-0x0000000005391000-memory.dmpFilesize
4KB
-
memory/1568-6-0x0000000000000000-mapping.dmp
-
memory/1568-48-0x0000000005E00000-0x0000000005E01000-memory.dmpFilesize
4KB
-
memory/1568-47-0x0000000005E00000-0x0000000005E01000-memory.dmpFilesize
4KB
-
memory/1568-807-0x0000000005E00000-0x0000000005E01000-memory.dmpFilesize
4KB
-
memory/1568-765-0x0000000005E00000-0x0000000005E01000-memory.dmpFilesize
4KB
-
memory/1568-53-0x0000000005E00000-0x0000000005E01000-memory.dmpFilesize
4KB
-
memory/1568-92-0x0000000005E00000-0x0000000005E01000-memory.dmpFilesize
4KB
-
memory/1568-120-0x0000000005E00000-0x0000000005E01000-memory.dmpFilesize
4KB
-
memory/1568-177-0x0000000005E00000-0x0000000005E01000-memory.dmpFilesize
4KB
-
memory/1568-727-0x0000000005E00000-0x0000000005E01000-memory.dmpFilesize
4KB
-
memory/1568-219-0x0000000005E00000-0x0000000005E01000-memory.dmpFilesize
4KB
-
memory/1568-265-0x0000000005E00000-0x0000000005E01000-memory.dmpFilesize
4KB
-
memory/1568-303-0x0000000005E00000-0x0000000005E01000-memory.dmpFilesize
4KB
-
memory/1568-345-0x0000000005E00000-0x0000000005E01000-memory.dmpFilesize
4KB
-
memory/1568-349-0x0000000005E00000-0x0000000005E01000-memory.dmpFilesize
4KB
-
memory/1568-350-0x0000000005E00000-0x0000000005E01000-memory.dmpFilesize
4KB
-
memory/1568-387-0x0000000005E00000-0x0000000005E01000-memory.dmpFilesize
4KB
-
memory/1568-429-0x0000000005E00000-0x0000000005E01000-memory.dmpFilesize
4KB
-
memory/1568-471-0x0000000005E00000-0x0000000005E01000-memory.dmpFilesize
4KB
-
memory/1568-475-0x0000000005E00000-0x0000000005E01000-memory.dmpFilesize
4KB
-
memory/1568-7-0x0000000005390000-0x0000000005391000-memory.dmpFilesize
4KB
-
memory/1568-555-0x0000000005E00000-0x0000000005E01000-memory.dmpFilesize
4KB
-
memory/1568-597-0x0000000005E00000-0x0000000005E01000-memory.dmpFilesize
4KB
-
memory/1568-639-0x0000000005E00000-0x0000000005E01000-memory.dmpFilesize
4KB
-
memory/1568-681-0x0000000005E00000-0x0000000005E01000-memory.dmpFilesize
4KB
-
memory/1568-685-0x0000000005E00000-0x0000000005E01000-memory.dmpFilesize
4KB
-
memory/1568-723-0x0000000005E00000-0x0000000005E01000-memory.dmpFilesize
4KB
-
memory/1568-724-0x0000000005E00000-0x0000000005E01000-memory.dmpFilesize
4KB
-
memory/3724-4-0x0000000000000000-mapping.dmp
-
memory/3988-0-0x0000000000000000-mapping.dmp
-
memory/3988-5-0x00000000020B0000-0x00000000020E5000-memory.dmpFilesize
212KB