Analysis
- max time kernel: 599s
- max time network: 601s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 21-11-2020 15:24
Static task: static1
Behavioral task: behavioral1
Sample: 73bb7e7d0743d40a1d967497a5fbb79c07132eb15a546fa25bbecaf43993a1d2.exe
Resource: win10v20201028
General
- Target: 73bb7e7d0743d40a1d967497a5fbb79c07132eb15a546fa25bbecaf43993a1d2.exe
- Size: 163KB
- MD5: b40dec21d0c3061bef422bb946366cba
- SHA1: 78f59be833fe8a504a0def218d72aef62823bdaf
- SHA256: 73bb7e7d0743d40a1d967497a5fbb79c07132eb15a546fa25bbecaf43993a1d2
- SHA512: 721395dcdd5ce25158869aabd2094b4ebd90d0b75ce92df706d8442f18e522aeef82277317c6d6a05f1b2fb233908b5e55ddcbb6d0b8f3a601d254377411a7c3
Malware Config
Signatures
-
Executes dropped EXE (1 IoC)
Processes:
  pid  | process
  1508 | SearchFilterHost.exe
-
Deletes itself (1 IoC)
Processes:
  pid  | process
  1840 | iexplore.exe
-
Adds Run key to start application (2 TTPs, 2 IoCs)
Processes:
  description     | ioc | process
  Key created     | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run | 73bb7e7d0743d40a1d967497a5fbb79c07132eb15a546fa25bbecaf43993a1d2.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SmartAudio = "C:\\ProgramData\\DRM\\Windows\\SearchFilterHost.exe" | 73bb7e7d0743d40a1d967497a5fbb79c07132eb15a546fa25bbecaf43993a1d2.exe
-
Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes:
  pid  | process
  1840 | iexplore.exe
  1840 | iexplore.exe
-
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
Processes:
  pid  | process
  1840 | iexplore.exe
-
Suspicious use of AdjustPrivilegeToken (6 IoCs)
Processes:
  description             | pid  | process
  Token: SeTcbPrivilege   | 3160 | 73bb7e7d0743d40a1d967497a5fbb79c07132eb15a546fa25bbecaf43993a1d2.exe
  Token: SeDebugPrivilege | 3160 | 73bb7e7d0743d40a1d967497a5fbb79c07132eb15a546fa25bbecaf43993a1d2.exe
  Token: SeTcbPrivilege   | 1508 | SearchFilterHost.exe
  Token: SeDebugPrivilege | 1508 | SearchFilterHost.exe
  Token: SeTcbPrivilege   | 1840 | iexplore.exe
  Token: SeDebugPrivilege | 1840 | iexplore.exe
-
Suspicious use of SetWindowsHookEx (593 IoCs)
Processes:
  pid  | process
  1840 | iexplore.exe   (this row is repeated for each IoC; every listed entry is pid 1840 iexplore.exe)
-
Suspicious use of WriteProcessMemory (10 IoCs)
Processes:
  description                      | pid  | process | target process
  PID 3160 wrote to memory of 1508 | 3160 | 73bb7e7d0743d40a1d967497a5fbb79c07132eb15a546fa25bbecaf43993a1d2.exe | SearchFilterHost.exe   (3 entries)
  PID 1508 wrote to memory of 1840 | 1508 | SearchFilterHost.exe | iexplore.exe   (7 entries)
Processes
-
1. C:\Users\Admin\AppData\Local\Temp\73bb7e7d0743d40a1d967497a5fbb79c07132eb15a546fa25bbecaf43993a1d2.exe (pid 3160)
   Command line: "C:\Users\Admin\AppData\Local\Temp\73bb7e7d0743d40a1d967497a5fbb79c07132eb15a546fa25bbecaf43993a1d2.exe"
   - Adds Run key to start application
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2. C:\ProgramData\DRM\Windows\SearchFilterHost.exe (pid 1508)
      Command line: C:\ProgramData\DRM\Windows\SearchFilterHost.exe
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      3. C:\Program Files (x86)\Internet Explorer\iexplore.exe (pid 1840)
         Command line: "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
         - Deletes itself
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious behavior: GetForegroundWindowSpam
         - Suspicious use of AdjustPrivilegeToken
         - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
-
C:\ProgramData\DRM\Windows\SearchFilterHost.exe
  MD5: b40dec21d0c3061bef422bb946366cba
  SHA1: 78f59be833fe8a504a0def218d72aef62823bdaf
  SHA256: 73bb7e7d0743d40a1d967497a5fbb79c07132eb15a546fa25bbecaf43993a1d2
  SHA512: 721395dcdd5ce25158869aabd2094b4ebd90d0b75ce92df706d8442f18e522aeef82277317c6d6a05f1b2fb233908b5e55ddcbb6d0b8f3a601d254377411a7c3
  (All four hashes match the submitted sample: the file dropped at this path is a byte-identical copy of the sample.)
-
memory/1508-0-0x0000000000000000-mapping.dmp
-
memory/1840-3-0x0000000000000000-mapping.dmp