Analysis
- max time kernel: 150s
- max time network: 147s
- platform: windows7_x64
- resource: win7v20201028
- submitted: 21-11-2020 16:34
Static task: static1
Behavioral task: behavioral1
- Sample: 73bb7e7d0743d40a1d967497a5fbb79c07132eb15a546fa25bbecaf43993a1d2.exe
- Resource: win7v20201028
Behavioral task: behavioral2
- Sample: 73bb7e7d0743d40a1d967497a5fbb79c07132eb15a546fa25bbecaf43993a1d2.exe
- Resource: win10v20201028
General
- Target: 73bb7e7d0743d40a1d967497a5fbb79c07132eb15a546fa25bbecaf43993a1d2.exe
- Size: 163KB
- MD5: b40dec21d0c3061bef422bb946366cba
- SHA1: 78f59be833fe8a504a0def218d72aef62823bdaf
- SHA256: 73bb7e7d0743d40a1d967497a5fbb79c07132eb15a546fa25bbecaf43993a1d2
- SHA512: 721395dcdd5ce25158869aabd2094b4ebd90d0b75ce92df706d8442f18e522aeef82277317c6d6a05f1b2fb233908b5e55ddcbb6d0b8f3a601d254377411a7c3
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Processes (pid, process):
    1988  SearchFilterHost.exe
- Deletes itself (1 IoC)
  Processes (pid, process):
    2004  iexplore.exe
- Suspicious behavior: EnumeratesProcesses (448 IoCs)
  Processes (pid, process; the report repeats these entries many times, only the distinct entries are listed here):
    2004  iexplore.exe
    1928  dllhost.exe
    2012  dllhost.exe
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  Processes (pid, process):
    2012  dllhost.exe
- Suspicious use of AdjustPrivilegeToken (10 IoCs)
  Processes (description, pid, process):
    Token: SeTcbPrivilege    1424  73bb7e7d0743d40a1d967497a5fbb79c07132eb15a546fa25bbecaf43993a1d2.exe
    Token: SeDebugPrivilege  1424  73bb7e7d0743d40a1d967497a5fbb79c07132eb15a546fa25bbecaf43993a1d2.exe
    Token: SeTcbPrivilege    1988  SearchFilterHost.exe
    Token: SeDebugPrivilege  1988  SearchFilterHost.exe
    Token: SeTcbPrivilege    2004  iexplore.exe
    Token: SeDebugPrivilege  2004  iexplore.exe
    Token: SeTcbPrivilege    1928  dllhost.exe
    Token: SeDebugPrivilege  1928  dllhost.exe
    Token: SeTcbPrivilege    2012  dllhost.exe
    Token: SeDebugPrivilege  2012  dllhost.exe
- Suspicious use of SetWindowsHookEx (136 IoCs)
  Processes (pid, process; the report repeats the dllhost.exe entry many times, only the distinct entries are listed here):
    1424  73bb7e7d0743d40a1d967497a5fbb79c07132eb15a546fa25bbecaf43993a1d2.exe
    2012  dllhost.exe
- Suspicious use of WriteProcessMemory (24 IoCs)
  Processes (description, source pid, source process, target process):
    PID 1988 wrote to memory of 2004  SearchFilterHost.exe -> iexplore.exe  (8 entries)
    PID 2004 wrote to memory of 1928  iexplore.exe -> dllhost.exe          (8 entries)
    PID 2004 wrote to memory of 2012  iexplore.exe -> dllhost.exe          (8 entries)
Processes (process tree; nesting shows parent/child relationship)
- C:\Users\Admin\AppData\Local\Temp\73bb7e7d0743d40a1d967497a5fbb79c07132eb15a546fa25bbecaf43993a1d2.exe (level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\73bb7e7d0743d40a1d967497a5fbb79c07132eb15a546fa25bbecaf43993a1d2.exe"
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
- C:\ProgramData\DRM\Windows\SearchFilterHost.exe (level 1)
  Command line: C:\ProgramData\DRM\Windows\SearchFilterHost.exe
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Program Files (x86)\Internet Explorer\iexplore.exe (level 2)
    Command line: "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
    - Deletes itself
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\dllhost.exe (level 3)
      Command line: dllhost.exe
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\dllhost.exe (level 3)
      Command line: dllhost.exe
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix
Downloads
- C:\ProgramData\DRM\Windows\SearchFilterHost.exe (same hashes as the submitted sample)
  MD5: b40dec21d0c3061bef422bb946366cba
  SHA1: 78f59be833fe8a504a0def218d72aef62823bdaf
  SHA256: 73bb7e7d0743d40a1d967497a5fbb79c07132eb15a546fa25bbecaf43993a1d2
  SHA512: 721395dcdd5ce25158869aabd2094b4ebd90d0b75ce92df706d8442f18e522aeef82277317c6d6a05f1b2fb233908b5e55ddcbb6d0b8f3a601d254377411a7c3
- memory/1928-2-0x0000000000000000-mapping.dmp
- memory/2004-1-0x0000000000000000-mapping.dmp
- memory/2012-3-0x0000000000000000-mapping.dmp