Analysis
-
max time kernel
148s -
max time network
147s -
platform
windows10_x64 -
resource
win10v20201028 -
submitted
17-11-2020 12:10
Static task
static1
Behavioral task
behavioral1
Sample
0f3bfa748a771b5e6498d584c15e6995.exe
Resource
win7v20201028
windows7_x64
0 signatures
0 seconds
Behavioral task
behavioral2
Sample
0f3bfa748a771b5e6498d584c15e6995.exe
Resource
win10v20201028
windows10_x64
0 signatures
0 seconds
General
-
Target
0f3bfa748a771b5e6498d584c15e6995.exe
-
Size
168KB
-
MD5
9a386bbb2de614c64284f2bd63570ff0
-
SHA1
e3ed06a92cb6fb11b2351ce924350937159d0d16
-
SHA256
653c78ce95354e4c3e7a24d3d33de2eac505cc2fd943992c859418813469c4e8
-
SHA512
0668662532992a9dce3987ea18dd0745bf18bc09a8d2cdfb1a505db2c3b404f24736d5c52467e8af4c6a7725e19bdd80c934ea14a6d5b5c262cb8371e5e08c02
Score
10/10
Malware Config
Signatures
-
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
winver.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run winver.exe Set value (str) \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\9B582707 = "C:\\Users\\Admin\\AppData\\Roaming\\9B582707\\bin.exe" winver.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
winver.exepid process 3768 winver.exe 3768 winver.exe 3768 winver.exe 3768 winver.exe 3768 winver.exe 3768 winver.exe 3768 winver.exe 3768 winver.exe 3768 winver.exe 3768 winver.exe 3768 winver.exe 3768 winver.exe 3768 winver.exe 3768 winver.exe 3768 winver.exe 3768 winver.exe 3768 winver.exe 3768 winver.exe 3768 winver.exe 3768 winver.exe 3768 winver.exe 3768 winver.exe 3768 winver.exe 3768 winver.exe 3768 winver.exe 3768 winver.exe 3768 winver.exe 3768 winver.exe 3768 winver.exe 3768 winver.exe 3768 winver.exe 3768 winver.exe 3768 winver.exe 3768 winver.exe 3768 winver.exe 3768 winver.exe 3768 winver.exe 3768 winver.exe 3768 winver.exe 3768 winver.exe 3768 winver.exe 3768 winver.exe 3768 winver.exe 3768 winver.exe 3768 winver.exe 3768 winver.exe 3768 winver.exe 3768 winver.exe 3768 winver.exe 3768 winver.exe 3768 winver.exe 3768 winver.exe 3768 winver.exe 3768 winver.exe 3768 winver.exe 3768 winver.exe 3768 winver.exe 3768 winver.exe 3768 winver.exe 3768 winver.exe 3768 winver.exe 3768 winver.exe 3768 winver.exe 3768 winver.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
Processes:
winver.exepid process 3768 winver.exe -
Suspicious use of WriteProcessMemory 13 IoCs
Processes:
0f3bfa748a771b5e6498d584c15e6995.exewinver.exedescription pid process target process PID 1144 wrote to memory of 3768 1144 0f3bfa748a771b5e6498d584c15e6995.exe winver.exe PID 1144 wrote to memory of 3768 1144 0f3bfa748a771b5e6498d584c15e6995.exe winver.exe PID 1144 wrote to memory of 3768 1144 0f3bfa748a771b5e6498d584c15e6995.exe winver.exe PID 1144 wrote to memory of 3768 1144 0f3bfa748a771b5e6498d584c15e6995.exe winver.exe PID 3768 wrote to memory of 2624 3768 winver.exe Explorer.EXE PID 3768 wrote to memory of 2836 3768 winver.exe sihost.exe PID 3768 wrote to memory of 2856 3768 winver.exe svchost.exe PID 3768 wrote to memory of 2992 3768 winver.exe taskhostw.exe PID 3768 wrote to memory of 2624 3768 winver.exe Explorer.EXE PID 3768 wrote to memory of 3292 3768 winver.exe ShellExperienceHost.exe PID 3768 wrote to memory of 3308 3768 winver.exe SearchUI.exe PID 3768 wrote to memory of 3584 3768 winver.exe RuntimeBroker.exe PID 3768 wrote to memory of 3836 3768 winver.exe DllHost.exe
Processes
-
c:\windows\system32\sihost.exesihost.exe1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k unistacksvcgroup -s CDPUserSvc1⤵
-
c:\windows\system32\taskhostw.exetaskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Users\Admin\AppData\Local\Temp\0f3bfa748a771b5e6498d584c15e6995.exe"C:\Users\Admin\AppData\Local\Temp\0f3bfa748a771b5e6498d584c15e6995.exe"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\winver.exewinver3⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe"C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe" -ServerName:App.AppXtk181tbxbce2qsex02s8tw7hfxa9xb3t.mca1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe"C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe" -ServerName:CortanaUI.AppXa50dqqa5gqv4a428c9y1jjw7m3btvepj.mca1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/2624-1-0x0000000000820000-0x0000000000826000-memory.dmpFilesize
24KB
-
memory/2624-5-0x0000000000790000-0x0000000000796000-memory.dmpFilesize
24KB
-
memory/2836-2-0x0000000000B10000-0x0000000000B16000-memory.dmpFilesize
24KB
-
memory/2856-3-0x0000000000990000-0x0000000000996000-memory.dmpFilesize
24KB
-
memory/2992-4-0x0000000000480000-0x0000000000486000-memory.dmpFilesize
24KB
-
memory/3292-6-0x0000000000E80000-0x0000000000E86000-memory.dmpFilesize
24KB
-
memory/3308-7-0x0000000000520000-0x0000000000526000-memory.dmpFilesize
24KB
-
memory/3584-8-0x0000000000CC0000-0x0000000000CC6000-memory.dmpFilesize
24KB
-
memory/3768-0-0x0000000000000000-mapping.dmp
-
memory/3836-9-0x0000000000510000-0x0000000000516000-memory.dmpFilesize
24KB