Analysis
- max time kernel: 130s
- max time network: 129s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 20-11-2020 05:00
Static task: static1
Behavioral task: behavioral1
- Sample: TaskMachineNet.exe
- Resource: win7v20201028
Behavioral task: behavioral2
- Sample: TaskMachineNet.exe
- Resource: win10v20201028
General
- Target: TaskMachineNet.exe
- Size: 4.6MB
- MD5: 0f20f935559294d2088cfab26843e408
- SHA1: 85ac819478d1965c134041dfbd4973c0c2335d09
- SHA256: 5784eef61ea7f9ef95d9559eb8b55b5edf0a362413b4fa9e391de62a9ee5c278
- SHA512: bc2a9ae95bfe7e8427dc0961a0d892de8bec64cece3470e7030c4a291d503f189d25e04dd14ca70df00c79ae7356832447c61e1e1a53f248e583b2705f0cbc0a
Malware Config
Signatures
- Executes dropped EXE (3 IoCs)
  Processes (pid, process):
    3540  TaskMachineNet.tmp
    184   winconSeMg.exe
    3272  winconSe.exe
- Resources matched by YARA rule (resource, yara_rule):
    C:\Users\Admin\AppData\Roaming\WinServiceSup\winconSe.exe  upx
    C:\Users\Admin\AppData\Roaming\WinServiceSup\winconSe.exe  upx
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes (description, ioc, process):
    Key created      \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run  winconSeMg.exe
    Set value (str)  \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run\WinServiceSup = "\"C:\\Users\\Admin\\AppData\\Roaming\\WinServiceSup\\winconSeMg.exe\" mg"  winconSeMg.exe
- Checks installed software on the system (1 TTPs)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Modifies registry class (2 IoCs)
  Processes (description, ioc, process):
    Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance  winconSe.exe
    Key created  \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance  winconSe.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes (pid, process):
    3540  TaskMachineNet.tmp
    3540  TaskMachineNet.tmp
- Suspicious use of FindShellTrayWindow (1 IoCs)
  Processes (pid, process):
    3540  TaskMachineNet.tmp
- Suspicious use of SetWindowsHookEx (2 IoCs)
  Processes (pid, process):
    184   winconSeMg.exe
    3272  winconSe.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes (description, pid, process, target process; each entry is recorded three times in the report):
    PID 2484 wrote to memory of 3540  2484  TaskMachineNet.exe  TaskMachineNet.tmp  (3 entries)
    PID 3540 wrote to memory of 184   3540  TaskMachineNet.tmp  winconSeMg.exe      (3 entries)
    PID 3540 wrote to memory of 2896  3540  TaskMachineNet.tmp  cmd.exe             (3 entries)
    PID 184 wrote to memory of 3272   184   winconSeMg.exe      winconSe.exe        (3 entries)
Processes (indented by depth in the process tree)
- C:\Users\Admin\AppData\Local\Temp\TaskMachineNet.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\TaskMachineNet.exe"
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\is-GRBBG.tmp\TaskMachineNet.tmp
    Command line: "C:\Users\Admin\AppData\Local\Temp\is-GRBBG.tmp\TaskMachineNet.tmp" /SL5="$2011C,4083020,780288,C:\Users\Admin\AppData\Local\Temp\TaskMachineNet.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Roaming\WinServiceSup\winconSeMg.exe
      Command line: "C:\Users\Admin\AppData\Roaming\WinServiceSup\winconSeMg.exe" install
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Roaming\WinServiceSup\winconSe.exe
        Command line: "C:\Users\Admin\AppData\Roaming\WinServiceSup\winconSe.exe"
        - Executes dropped EXE
        - Modifies registry class
        - Suspicious use of SetWindowsHookEx
    - C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\system32\cmd.exe" /C ""C:\Users\Admin\AppData\Local\Temp\SelfDelete.bat""
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\SelfDelete.bat
  MD5: 5c1b6223dfd392ba6ff136c291491dfb
  SHA1: 5d13bcda332b97ca28d67bddf651b606ef642eec
  SHA256: 9305e990af2b887afa220d3427929a0dce88b69c7aa265f6e6d327af2a90087a
  SHA512: d51daeb4f9b02e7b4ced08537b0c49c7e12fc616e07d394b18ab5b875528fe6050b547b0a00d5108a9ec123d070f953d1a1a0de430ba11881cfa3d646d932e7b
- C:\Users\Admin\AppData\Local\Temp\is-GRBBG.tmp\TaskMachineNet.tmp
  MD5: 650e4a62107fb4b96626daa3b7b1ff33
  SHA1: eec6d946f9c4b6d3ae2670b49d50aa209898da44
  SHA256: ab5819e9008109fca8ca5122c62f6b77c86b494903de6f768e84c0b9e3a13669
  SHA512: 49f89aa91a058d4cc3013d256387135ef26055b6163c7349d9e665cd3869fe5a8ca62720481f81db721d13ce6af1c1991df1be55531ef317d6bba8434209ff90
- C:\Users\Admin\AppData\Roaming\WinServiceSup\winconSe.exe
  MD5: 3f12ea2db4cd4f5845fd4a365e1fda55
  SHA1: cb01ca598505d465ee5f72544467fc18a08e4a50
  SHA256: 5b99fd8eb7cae1074be00f6d03620eaeeea071a6faa51bfbf76dc2e5ab7216ab
  SHA512: 03415d947ceffbedcbd7f996e32d0b03e771e36f55ff1e262b74ee8a7dd3f2e6596997892f53476b7f17fe07da967252a39563652b4cf0d94835416eca3a9588
- C:\Users\Admin\AppData\Roaming\WinServiceSup\winconSeMg.exe
  MD5: f835b41c6c9040ff04d9987c09116327
  SHA1: eafb2f7e7bd55580c561ef22ae2ed9672ed9c3a7
  SHA256: 8deb8f1bd3d1cbe822956492234313cbd7505aa4e865b3302388ecf53bfaed7e
  SHA512: f9ff76acd7293f1916074f4dd656ae7f3727799da0135d5e756c18df63cac0d4dfc5ba41906a5f8e7de688e6a657c4f321293ac883a1eed68d539b187332f547
- memory/184-3-0x0000000000000000-mapping.dmp
- memory/2896-5-0x0000000000000000-mapping.dmp
- memory/3272-8-0x0000000000000000-mapping.dmp
- memory/3540-0-0x0000000000000000-mapping.dmp