Analysis
- max time kernel: 301s
- max time network: 102s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 01-12-2020 14:18
Static task: static1

Behavioral tasks (all run on resource win10v20201028):
- behavioral1: Downloads3/139.bin.exe
- behavioral2: Downloads3/425895848735145103942784.doc
- behavioral3: Downloads3/IgqbCYuTw.bin.exe
- behavioral4: Downloads3/SetupFille-v48.09.45.bin.exe
- behavioral5: Downloads3/finfisher.1.bin.exe
- behavioral6: Downloads3/speakoniasetup-1.0.bin.exe
- behavioral7: Downloads3/139.bin.exe
- behavioral8: Downloads3/425895848735145103942784.doc
- behavioral9: Downloads3/IgqbCYuTw.bin.exe
- behavioral10: Downloads3/SetupFille-v48.09.45.bin.exe
- behavioral11: Downloads3/finfisher.1.bin.exe
- behavioral12: Downloads3/speakoniasetup-1.0.bin.exe
- behavioral13: Downloads3/139.bin.exe
- behavioral14: Downloads3/425895848735145103942784.doc
- behavioral15: Downloads3/IgqbCYuTw.bin.exe
- behavioral16: Downloads3/SetupFille-v48.09.45.bin.exe
- behavioral17: Downloads3/finfisher.1.bin.exe
- behavioral18: Downloads3/speakoniasetup-1.0.bin.exe
General
- Target: Downloads3/finfisher.1.bin.exe
- Size: 771KB
- MD5: 074919f13d07cd6ce92bb0738971afc7
- SHA1: 9f9a18e81e9b39bd2f047004b8e3b4cb0fb505c9
- SHA256: f827c92fbe832db3f09f47fe0dcaafd89b40c7064ab90833a1f418f2d1e75e8e
- SHA512: cdd87c636df500053ec1b410bc467e09186df953c1e1bcb1dc9a8d4bba82df486f59f0bd9942051f84301b05201952cb137b8364bf93d0c066822eb065b9b749
Malware Config
Signatures
- Executes dropped EXE (4 IoCs)
  Processes: pid 5048 finfisher.1.bin.exe; pid 3660 finfisher.1.bin.exe; pid 4312 finfisher.1.bin.exe_; pid 4412 svchost.exe
- Deletes itself (1 IoC)
  Processes: pid 5048 finfisher.1.bin.exe
- Suspicious use of SetThreadContext (1 IoC)
  Processes: PID 4808 (finfisher.1.bin.exe) set thread context of PID 5048 (finfisher.1.bin.exe)
- Drops file in Windows directory (18 IoCs)
  Processes: finfisher.1.bin.exe_ created and opened for modification the following files under C:\Windows\Installer\{C901E87C-3A7C-4CE1-ACB6-2E40D3DD8CAE}\: 02.dat, 02C.dat, 11.dat, 11C.dat, 12.dat, 12C.dat, 7F.dat, 7FC.dat, 80C.dat
- Program crash (1 IoC)
  Processes: pid 1728 WerFault.exe, target pid 572 winlogon.exe
- Suspicious behavior: EnumeratesProcesses (1000 IoCs)
  Processes (repeated entries collapsed): pid 4312 finfisher.1.bin.exe_; pid 4412 svchost.exe; pid 1728 WerFault.exe
- Suspicious behavior: LoadsDriver (63766 IoCs)
  Processes (pids): 3168 3304 3764 3972 3988 4068 3588 2252 1996 2212 2072 4488 4500 3952 4424 60 2200 2228 2124 4532 4576 4544 4564 4540 4552 4528 4524 4600 1624 4636 4668 4676 4608 4616 4596 4592 4588 4672 4100 4708 2888 4772 4780 4764 2632 2628 4752 4748 4376 2456 244 232 224 216 208 200 192 3160 4432 688 4648 2880 2684 2220
- Suspicious behavior: MapViewOfSection (1 IoC)
  Processes: pid 5048 finfisher.1.bin.exe
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes: Token SeBackupPrivilege, pid 4312 finfisher.1.bin.exe_; Token SeSecurityPrivilege, pid 4312 finfisher.1.bin.exe_; Token SeDebugPrivilege, pid 1728 WerFault.exe
- Suspicious use of WriteProcessMemory (18 IoCs)
  Processes: PID 4808 finfisher.1.bin.exe wrote to memory of PID 5048 finfisher.1.bin.exe (5 entries); PID 5048 finfisher.1.bin.exe wrote to memory of PID 3660 finfisher.1.bin.exe (3 entries); PID 3660 finfisher.1.bin.exe wrote to memory of PID 4312 finfisher.1.bin.exe_ (2 entries); PID 5048 finfisher.1.bin.exe wrote to memory of PID 2152 explorer.exe (3 entries); PID 4412 svchost.exe wrote to memory of PID 572 winlogon.exe (3 entries); PID 4412 svchost.exe wrote to memory of PID 3152 Explorer.EXE (2 entries)
Processes (indentation shows the process tree depth; command line in quotes where the report recorded one)
- C:\Windows\system32\winlogon.exe (winlogon.exe)
  - C:\Windows\system32\WerFault.exe (C:\Windows\system32\WerFault.exe -u -p 572 -s 1284)
    - Program crash
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
- C:\Windows\Explorer.EXE (C:\Windows\Explorer.EXE)
  - C:\Users\Admin\AppData\Local\Temp\Downloads3\finfisher.1.bin.exe ("C:\Users\Admin\AppData\Local\Temp\Downloads3\finfisher.1.bin.exe")
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\TMPEF00497E\finfisher.1.bin.exe ("C:\Users\Admin\AppData\Local\Temp\\TMPEF00497E\finfisher.1.bin.exe")
      - Executes dropped EXE
      - Deletes itself
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Local\Temp\finfisher.1.bin.exe ("C:\Users\Admin\AppData\Local\Temp\finfisher.1.bin.exe")
        - Executes dropped EXE
        - Suspicious use of WriteProcessMemory
        - C:\Users\Admin\AppData\Local\Temp\finfisher.1.bin.exe_ (C:\Users\Admin\AppData\Local\Temp\\finfisher.1.bin.exe_)
          - Executes dropped EXE
          - Drops file in Windows directory
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
      - C:\Windows\SysWOW64\explorer.exe (explorer.exe)
- C:\Windows\Installer\{C901E87C-3A7C-4CE1-ACB6-2E40D3DD8CAE}\svchost.exe (C:\Windows\Installer\{C901E87C-3A7C-4CE1-ACB6-2E40D3DD8CAE}\svchost.exe)
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
- \??\c:\windows\system32\sihost.exe (sihost.exe)
Network
MITRE ATT&CK Matrix
Downloads
- C:\Users\Admin\AppData\Local\Temp\TMPEF00497E\finfisher.1.bin.exe
  MD5: 074919f13d07cd6ce92bb0738971afc7
  SHA1: 9f9a18e81e9b39bd2f047004b8e3b4cb0fb505c9
  SHA256: f827c92fbe832db3f09f47fe0dcaafd89b40c7064ab90833a1f418f2d1e75e8e
  SHA512: cdd87c636df500053ec1b410bc467e09186df953c1e1bcb1dc9a8d4bba82df486f59f0bd9942051f84301b05201952cb137b8364bf93d0c066822eb065b9b749
- C:\Users\Admin\AppData\Local\Temp\finfisher.1.bin.exe
  MD5: 837c8e15a154956194219ddf6e26cd09
  SHA1: 1f46a8f7799a48512eb1497ffcae35cbb20a67d5
  SHA256: f18afbad0230af8c7ec7b4c1d25544f3d3445a825861a1de18432de5b4586c7b
  SHA512: 52ea06a084c5f0a87024a9e34cd9aac4ba42285b90e555e6c6eaea7e09cfe259165f7f2019160ee7f4a4e4d02b31acab307ab1bc34dd43b549532041b0299064
- C:\Users\Admin\AppData\Local\Temp\finfisher.1.bin.exe_
  MD5: 4f08b7808f785005179bd799d7f02a12
  SHA1: 130212336fe769ef2c82f19fd17f61b69f7d6ecd
  SHA256: fa5ddd5f044ab5a3817a2a31f3d798d411153da73bbf0d205736283944513e56
  SHA512: bbf7356450780268beb3a26a4bc03ba78b71ffd00723b6b4c68240e481015e975d5371d20c32075cf0ab4b8bf5862b07edbea8eb0b88b850d8b9bdbfd1a55638
- C:\Windows\Installer\{C901E87C-3A7C-4CE1-ACB6-2E40D3DD8CAE}\svchost.exe
  MD5: 820b2fa51f6f50a94a295bfc8ac381ec
  SHA1: b23a3b57c8edb6637cc1fc68996929c0151044dd
  SHA256: 1ef2012a955f246880d49731a831ed524d8f73f8ff05da5389ae8056f7805136
  SHA512: 6d84bffb163fbe1470bd736390485f2e2dee44be2240ede789f5d9d54fc63ea9ed84272fab1c65397a38a9700749b74cd4c3fc9dc25517a9a9343fc6ca7c99b7
- memory/1728-14-0x00000195AD280000-0x00000195AD281000-memory.dmp (Filesize 4KB)
- memory/1728-17-0x00000195AE0F0000-0x00000195AE0F1000-memory.dmp (Filesize 4KB)
- memory/1728-15-0x00000195AD280000-0x00000195AD281000-memory.dmp (Filesize 4KB)
- memory/2152-13-0x0000000000000000-mapping.dmp
- memory/3660-5-0x0000000000000000-mapping.dmp
- memory/4312-8-0x0000000000000000-mapping.dmp
- memory/5048-2-0x0000000000401E1F-mapping.dmp