Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows10_x64 -
resource
win10v20201028 -
submitted
15-11-2020 23:07
General
-
Target
9ff2f5482a3aed8291c0808256511cdb788bffcd9300000d3d0240e01918ba27.exe
-
Size
235KB
-
MD5
d7d5c04bd235005cf3431729f0f52416
-
SHA1
08a83329a9d6c8b4fb59e364679e189e3840277a
-
SHA256
9ff2f5482a3aed8291c0808256511cdb788bffcd9300000d3d0240e01918ba27
-
SHA512
354d0255a29fb724fc909cdba32918b3bc27abadf19be26f5e6adeb4b57e04c6058e96287412312ee5e4449d0fdbd45ffb0f1a76179ac14e84e76bd052aa5d66
Score
9/10
Malware Config
Signatures
-
ServiceHost packer 9 IoCs
Detects ServiceHost packer used for .NET malware
-
Executes dropped EXE 1 IoCs
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Program crash 29 IoCs
-
Modifies Internet Explorer settings 1 TTPs 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 104 IoCs
-
Suspicious use of AdjustPrivilegeToken 10 IoCs
-
Suspicious use of WriteProcessMemory 74 IoCs
Processes
-
c:\windows\system32\sihost.exesihost.exe1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k unistacksvcgroup -s CDPUserSvc1⤵
-
c:\windows\system32\taskhostw.exetaskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Users\Admin\AppData\Local\Temp\9ff2f5482a3aed8291c0808256511cdb788bffcd9300000d3d0240e01918ba27.exe"C:\Users\Admin\AppData\Local\Temp\9ff2f5482a3aed8291c0808256511cdb788bffcd9300000d3d0240e01918ba27.exe"2⤵
- Suspicious use of SetThreadContext
- Modifies Internet Explorer settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1056 -s 6723⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1056 -s 7083⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Roaming\Ywud\zyusc.exe"C:\Users\Admin\AppData\Roaming\Ywud\zyusc.exe"3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3588 -s 6644⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3588 -s 6364⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3588 -s 8044⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3588 -s 8764⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3588 -s 7604⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3588 -s 8804⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3588 -s 8364⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3588 -s 9484⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3588 -s 7724⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3588 -s 7684⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3588 -s 10084⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3588 -s 10404⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3588 -s 11404⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3588 -s 12124⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3588 -s 7844⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3588 -s 11324⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3588 -s 13124⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3588 -s 14804⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3588 -s 14884⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1056 -s 3723⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1056 -s 8323⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1056 -s 8443⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1056 -s 8483⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1056 -s 9243⤵
- Program crash
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmpe7033ab8.bat"3⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1056 -s 9363⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1056 -s 8243⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1056 -s 2643⤵
- Program crash
-
C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe"C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe" -ServerName:App.AppXtk181tbxbce2qsex02s8tw7hfxa9xb3t.mca1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe"C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe" -ServerName:CortanaUI.AppXa50dqqa5gqv4a428c9y1jjw7m3btvepj.mca1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
-
C:\Windows\system32\backgroundTaskHost.exe"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppXy7vb4pc2dr3kc93kfc509b1d0arkfb2x.mca1⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Roaming\Puriv\orna.henMD5
308e41a8b4ef824e3b9d3279b8bbdaee
SHA143f19c1b88b59aede0c949842ea42eac685320dc
SHA2566e533992484702164e377c32b3a32fe908d8871829b3d2821fbdddc8ad8f4b45
SHA5127ee1c4dbc26cd0540d7342133db7460f482168417ef537f27aaa8d3bb59ed9efc0fc3cd1fc32bd31625ded71882d9054d5c0936683fa4d554b2a62435ec342dc
-
C:\Users\Admin\AppData\Roaming\Ywud\zyusc.exeMD5
9e75d65568a5cf4f22bb0fb0a9bf9332
SHA11388e6792f112e1ab184c69ba3c64e4275621567
SHA25612f51b2cd8a168941a281972cfbab95f8cf0a8d9428b6bea7e8b50cb32197c46
SHA51270e276304c8f70c2f7b39760b94f9392a2a691ad4dad129155617ff02aa93d0e6d1ea94053bd10a881777d81b8bf4dc0192e704729d78ab2412b75fd5492590c
-
C:\Users\Admin\AppData\Roaming\Ywud\zyusc.exeMD5
9e75d65568a5cf4f22bb0fb0a9bf9332
SHA11388e6792f112e1ab184c69ba3c64e4275621567
SHA25612f51b2cd8a168941a281972cfbab95f8cf0a8d9428b6bea7e8b50cb32197c46
SHA51270e276304c8f70c2f7b39760b94f9392a2a691ad4dad129155617ff02aa93d0e6d1ea94053bd10a881777d81b8bf4dc0192e704729d78ab2412b75fd5492590c
-
memory/584-1-0x0000000004E40000-0x0000000004E41000-memory.dmpFilesize
4KB
-
memory/584-0-0x0000000004690000-0x0000000004691000-memory.dmpFilesize
4KB
-
memory/1056-28-0x0000000000080000-0x00000000000BB000-memory.dmpFilesize
236KB
-
memory/3012-13-0x0000000004820000-0x0000000004821000-memory.dmpFilesize
4KB
-
memory/3012-7-0x00000000043E0000-0x00000000043E1000-memory.dmpFilesize
4KB
-
memory/3292-2-0x00000000048C0000-0x00000000048C1000-memory.dmpFilesize
4KB
-
memory/3292-3-0x0000000004EF0000-0x0000000004EF1000-memory.dmpFilesize
4KB
-
memory/3556-30-0x000000000012EA5B-mapping.dmp
-
memory/3556-29-0x0000000000120000-0x000000000015B000-memory.dmpFilesize
236KB
-
memory/3588-16-0x0000000000000000-mapping.dmp
-
memory/3588-21-0x0000000000000000-mapping.dmp
-
memory/3588-14-0x0000000000000000-mapping.dmp
-
memory/3588-15-0x0000000000000000-mapping.dmp
-
memory/3588-11-0x0000000000000000-mapping.dmp
-
memory/3588-17-0x0000000000000000-mapping.dmp
-
memory/3588-4-0x0000000000000000-mapping.dmp
-
memory/3588-19-0x0000000000000000-mapping.dmp
-
memory/3588-20-0x0000000000000000-mapping.dmp
-
memory/3588-12-0x0000000000000000-mapping.dmp
-
memory/3588-22-0x0000000000000000-mapping.dmp
-
memory/3588-8-0x0000000000000000-mapping.dmp
-
memory/3588-24-0x0000000000000000-mapping.dmp
-
memory/3588-25-0x0000000000000000-mapping.dmp
-
memory/3588-26-0x0000000000000000-mapping.dmp
-
memory/3588-27-0x0000000000000000-mapping.dmp
-
memory/3588-10-0x0000000000000000-mapping.dmp
-
memory/3588-9-0x0000000000000000-mapping.dmp
-
memory/3656-23-0x0000000004E90000-0x0000000004E91000-memory.dmpFilesize
4KB
-
memory/3656-18-0x0000000004760000-0x0000000004761000-memory.dmpFilesize
4KB