Analysis
-
max time kernel
150s -
max time network
145s -
platform
windows10_x64 -
resource
win10v20201028 -
submitted
17-11-2020 12:32
Static task
static1
Behavioral task
behavioral1
Sample
615c8b816f4ecf1acfd5418a44b19e3f.exe
Resource
win7v20201028
windows7_x64
0 signatures
0 seconds
Behavioral task
behavioral2
Sample
615c8b816f4ecf1acfd5418a44b19e3f.exe
Resource
win10v20201028
windows10_x64
0 signatures
0 seconds
General
-
Target
615c8b816f4ecf1acfd5418a44b19e3f.exe
-
Size
92KB
-
MD5
76187f5f99dffd2633a9877ed93dfbe6
-
SHA1
8643ef0fd80a232d5b7c91fece9437a8c09af48e
-
SHA256
1cb62ba1c9e13ce33e23dc9a015e37b50ac97359ffe85b500d03d47b417156cc
-
SHA512
a3ae4aad347667aae86780af6ae2fec4c1b9782287da622845857945a8a3552b059c575bf050611ea53890b5fc2b27e8db06f77db93942a2bc2f484d473f411c
Score
10/10
Malware Config
Signatures
-
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
winver.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run winver.exe Set value (str) \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\14D3FEA3 = "C:\\Users\\Admin\\AppData\\Roaming\\14D3FEA3\\bin.exe" winver.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
winver.exepid process 3288 winver.exe 3288 winver.exe 3288 winver.exe 3288 winver.exe 3288 winver.exe 3288 winver.exe 3288 winver.exe 3288 winver.exe 3288 winver.exe 3288 winver.exe 3288 winver.exe 3288 winver.exe 3288 winver.exe 3288 winver.exe 3288 winver.exe 3288 winver.exe 3288 winver.exe 3288 winver.exe 3288 winver.exe 3288 winver.exe 3288 winver.exe 3288 winver.exe 3288 winver.exe 3288 winver.exe 3288 winver.exe 3288 winver.exe 3288 winver.exe 3288 winver.exe 3288 winver.exe 3288 winver.exe 3288 winver.exe 3288 winver.exe 3288 winver.exe 3288 winver.exe 3288 winver.exe 3288 winver.exe 3288 winver.exe 3288 winver.exe 3288 winver.exe 3288 winver.exe 3288 winver.exe 3288 winver.exe 3288 winver.exe 3288 winver.exe 3288 winver.exe 3288 winver.exe 3288 winver.exe 3288 winver.exe 3288 winver.exe 3288 winver.exe 3288 winver.exe 3288 winver.exe 3288 winver.exe 3288 winver.exe 3288 winver.exe 3288 winver.exe 3288 winver.exe 3288 winver.exe 3288 winver.exe 3288 winver.exe 3288 winver.exe 3288 winver.exe 3288 winver.exe 3288 winver.exe -
Suspicious use of WriteProcessMemory 13 IoCs
Processes:
615c8b816f4ecf1acfd5418a44b19e3f.exewinver.exedescription pid process target process PID 980 wrote to memory of 3288 980 615c8b816f4ecf1acfd5418a44b19e3f.exe winver.exe PID 980 wrote to memory of 3288 980 615c8b816f4ecf1acfd5418a44b19e3f.exe winver.exe PID 980 wrote to memory of 3288 980 615c8b816f4ecf1acfd5418a44b19e3f.exe winver.exe PID 980 wrote to memory of 3288 980 615c8b816f4ecf1acfd5418a44b19e3f.exe winver.exe PID 3288 wrote to memory of 2952 3288 winver.exe sihost.exe PID 3288 wrote to memory of 2976 3288 winver.exe svchost.exe PID 3288 wrote to memory of 3060 3288 winver.exe taskhostw.exe PID 3288 wrote to memory of 3128 3288 winver.exe Explorer.EXE PID 3288 wrote to memory of 3376 3288 winver.exe ShellExperienceHost.exe PID 3288 wrote to memory of 3400 3288 winver.exe SearchUI.exe PID 3288 wrote to memory of 3624 3288 winver.exe RuntimeBroker.exe PID 3288 wrote to memory of 3892 3288 winver.exe DllHost.exe PID 3288 wrote to memory of 2496 3288 winver.exe DllHost.exe
Processes
-
c:\windows\system32\sihost.exesihost.exe1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k unistacksvcgroup -s CDPUserSvc1⤵
-
c:\windows\system32\taskhostw.exetaskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Users\Admin\AppData\Local\Temp\615c8b816f4ecf1acfd5418a44b19e3f.exe"C:\Users\Admin\AppData\Local\Temp\615c8b816f4ecf1acfd5418a44b19e3f.exe"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\winver.exewinver3⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe"C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe" -ServerName:App.AppXtk181tbxbce2qsex02s8tw7hfxa9xb3t.mca1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe"C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe" -ServerName:CortanaUI.AppXa50dqqa5gqv4a428c9y1jjw7m3btvepj.mca1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}1⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/2496-9-0x0000000000230000-0x0000000000236000-memory.dmpFilesize
24KB
-
memory/2952-1-0x0000000000D30000-0x0000000000D36000-memory.dmpFilesize
24KB
-
memory/2976-2-0x0000000000D30000-0x0000000000D36000-memory.dmpFilesize
24KB
-
memory/3060-3-0x0000000000FF0000-0x0000000000FF6000-memory.dmpFilesize
24KB
-
memory/3128-4-0x00000000011D0000-0x00000000011D6000-memory.dmpFilesize
24KB
-
memory/3288-0-0x0000000000000000-mapping.dmp
-
memory/3376-5-0x0000000000C00000-0x0000000000C06000-memory.dmpFilesize
24KB
-
memory/3400-6-0x0000000000270000-0x0000000000276000-memory.dmpFilesize
24KB
-
memory/3624-7-0x0000000000300000-0x0000000000306000-memory.dmpFilesize
24KB
-
memory/3892-8-0x00000000005B0000-0x00000000005B6000-memory.dmpFilesize
24KB