Analysis
max time kernel: 62s
max time network: 31s
platform: windows10_x64
resource: win10v20201028
submitted: 01-12-2020 14:18
Static task
static1
Behavioral tasks (resource win10v20201028 for every task)
behavioral1: Downloads3/139.bin.exe
behavioral2: Downloads3/425895848735145103942784.doc
behavioral3: Downloads3/IgqbCYuTw.bin.exe
behavioral4: Downloads3/SetupFille-v48.09.45.bin.exe
behavioral5: Downloads3/finfisher.1.bin.exe
behavioral6: Downloads3/speakoniasetup-1.0.bin.exe
behavioral7: Downloads3/139.bin.exe
behavioral8: Downloads3/425895848735145103942784.doc
behavioral9: Downloads3/IgqbCYuTw.bin.exe
behavioral10: Downloads3/SetupFille-v48.09.45.bin.exe
behavioral11: Downloads3/finfisher.1.bin.exe
behavioral12: Downloads3/speakoniasetup-1.0.bin.exe
behavioral13: Downloads3/139.bin.exe
behavioral14: Downloads3/425895848735145103942784.doc
behavioral15: Downloads3/IgqbCYuTw.bin.exe
behavioral16: Downloads3/SetupFille-v48.09.45.bin.exe
behavioral17: Downloads3/finfisher.1.bin.exe
behavioral18: Downloads3/speakoniasetup-1.0.bin.exe
General
Target: Downloads3/finfisher.1.bin.exe
Size: 771KB
MD5: 074919f13d07cd6ce92bb0738971afc7
SHA1: 9f9a18e81e9b39bd2f047004b8e3b4cb0fb505c9
SHA256: f827c92fbe832db3f09f47fe0dcaafd89b40c7064ab90833a1f418f2d1e75e8e
SHA512: cdd87c636df500053ec1b410bc467e09186df953c1e1bcb1dc9a8d4bba82df486f59f0bd9942051f84301b05201952cb137b8364bf93d0c066822eb065b9b749
Malware Config
Signatures
Executes dropped EXE (4 IoCs)
Processes:
  pid 1796  finfisher.1.bin.exe
  pid 2532  finfisher.1.bin.exe
  pid 992   finfisher.1.bin.exe_
  pid 1792  svchost.exe

Deletes itself (1 IoC)
Processes:
  pid 1796  finfisher.1.bin.exe

Suspicious use of SetThreadContext (1 IoC)
Processes:
  PID 740 (finfisher.1.bin.exe) set thread context of PID 1796 (finfisher.1.bin.exe)

Drops file in Windows directory (18 IoCs)
Process finfisher.1.bin.exe_, all paths under C:\Windows\Installer\{AAF744F8-4D58-4A0F-818A-09C31641F054}\:
  File created: 11.dat
  File opened for modification: 11.dat
  File created: 02C.dat
  File opened for modification: 7F.dat
  File opened for modification: 7FC.dat
  File opened for modification: 12.dat
  File created: 12C.dat
  File created: 02.dat
  File opened for modification: 02C.dat
  File opened for modification: 11C.dat
  File created: 7F.dat
  File created: 80C.dat
  File opened for modification: 80C.dat
  File created: 12.dat
  File created: 11C.dat
  File opened for modification: 12C.dat
  File opened for modification: 02.dat
  File created: 7FC.dat

Program crash (1 IoC)
Processes:
  pid 3940 WerFault.exe, target pid 540 winlogon.exe

Suspicious behavior: EnumeratesProcesses (161 IoCs)
Processes (repeated rows collapsed; the report shows only part of the 161 entries):
  pid 992   finfisher.1.bin.exe_
  pid 1792  svchost.exe
  pid 3940  WerFault.exe

Suspicious behavior: LoadsDriver (6890 IoCs)
Processes (pids as listed):
  1952 960 2624 1500 572 3252 1648 2588 728 3912 3908 3416 3748 4048 1540 1760 1076 1280 1264 892 884 796 1080 3924 64 1732 3848 2268 3656 1672 2108 988 3684 4020 4088 3940 592 2008 2276 948 2252 4044 2880 2228 3728 604 1124 1128 1204 1316 1180 720 776 784 2472 2376 2380 3224 3216 2420 768 3140 1896 3872

Suspicious behavior: MapViewOfSection (1 IoC)
Processes:
  pid 1796  finfisher.1.bin.exe

Suspicious use of AdjustPrivilegeToken (3 IoCs)
Processes:
  Token: SeBackupPrivilege    pid 992   finfisher.1.bin.exe_
  Token: SeSecurityPrivilege  pid 992   finfisher.1.bin.exe_
  Token: SeDebugPrivilege     pid 3940  WerFault.exe

Suspicious use of WriteProcessMemory (18 IoCs)
Processes (identical rows collapsed, count in brackets):
  PID 740  (finfisher.1.bin.exe) wrote to memory of PID 1796 (finfisher.1.bin.exe)   [5]
  PID 1796 (finfisher.1.bin.exe) wrote to memory of PID 2532 (finfisher.1.bin.exe)   [3]
  PID 2532 (finfisher.1.bin.exe) wrote to memory of PID 992  (finfisher.1.bin.exe_)  [2]
  PID 1796 (finfisher.1.bin.exe) wrote to memory of PID 1344 (explorer.exe)          [3]
  PID 1792 (svchost.exe)         wrote to memory of PID 540  (winlogon.exe)          [3]
  PID 1792 (svchost.exe)         wrote to memory of PID 3016 (Explorer.EXE)          [2]
Processes (indentation shows parent/child)
C:\Windows\system32\winlogon.exe  [winlogon.exe]  PID:540
  C:\Windows\system32\WerFault.exe  [C:\Windows\system32\WerFault.exe -u -p 540 -s 1264]  PID:3940
    - Program crash
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
C:\Windows\Explorer.EXE  [C:\Windows\Explorer.EXE]  PID:3016
  C:\Users\Admin\AppData\Local\Temp\Downloads3\finfisher.1.bin.exe  ["C:\Users\Admin\AppData\Local\Temp\Downloads3\finfisher.1.bin.exe"]  PID:740
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\TMPD35571CE\finfisher.1.bin.exe  ["C:\Users\Admin\AppData\Local\Temp\\TMPD35571CE\finfisher.1.bin.exe"]  PID:1796
      - Executes dropped EXE
      - Deletes itself
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of WriteProcessMemory
      C:\Users\Admin\AppData\Local\Temp\finfisher.1.bin.exe  ["C:\Users\Admin\AppData\Local\Temp\finfisher.1.bin.exe"]  PID:2532
        - Executes dropped EXE
        - Suspicious use of WriteProcessMemory
        C:\Users\Admin\AppData\Local\Temp\finfisher.1.bin.exe_  [C:\Users\Admin\AppData\Local\Temp\\finfisher.1.bin.exe_]  PID:992
          - Executes dropped EXE
          - Drops file in Windows directory
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
      C:\Windows\SysWOW64\explorer.exe  [explorer.exe]  PID:1344
C:\Windows\Installer\{AAF744F8-4D58-4A0F-818A-09C31641F054}\svchost.exe  [C:\Windows\Installer\{AAF744F8-4D58-4A0F-818A-09C31641F054}\svchost.exe]  PID:1792
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
\??\c:\windows\system32\sihost.exe  [sihost.exe]  PID:3012
\??\c:\windows\system32\sihost.exe  [sihost.exe]  PID:496
\??\c:\windows\system32\sihost.exe  [sihost.exe]  PID:2892
\??\c:\windows\system32\sihost.exe  [sihost.exe]  PID:3780
\??\c:\windows\system32\sihost.exe  [sihost.exe]  PID:2996
\??\c:\windows\system32\sihost.exe  [sihost.exe]  PID:2384
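The signature tables and the process tree above describe two things a responder wants to pull out quickly: a hollowing-style chain (PID 740 writes into PID 1796 and changes its thread context, and 1796 later maps a section) that ends with writes from a dropped svchost.exe into winlogon.exe and Explorer.EXE, and an image-name masquerade (svchost.exe running from C:\Windows\Installer\{GUID}\ rather than System32). The script below is an added example, not part of this sandbox report or its tooling: it reconstructs both findings from the report's own pid/image table and event rows. The one-line event format "PID <src> wrote to memory of <dst>" is an assumption chosen for the example (it mirrors the report's wording, not a real export format), and the expected-directory table is the example's own.

```python
"""Reconstruct the injection chain and the svchost.exe masquerade from the
report's Signatures and Processes sections.

Added example; it is not part of the sandbox's own tooling.  The pid->image
table and the event rows are transcribed from this report.  The one-line
event format "PID <src> wrote to memory of <dst>" is an assumption made for
the example (it mirrors the report's wording, not a real export format)."""

import re
from collections import Counter

# pid -> image path, taken from the report's process tree.
PROCESSES = {
    540:  r"C:\Windows\system32\winlogon.exe",
    3940: r"C:\Windows\system32\WerFault.exe",
    3016: r"C:\Windows\Explorer.EXE",
    740:  r"C:\Users\Admin\AppData\Local\Temp\Downloads3\finfisher.1.bin.exe",
    1796: r"C:\Users\Admin\AppData\Local\Temp\TMPD35571CE\finfisher.1.bin.exe",
    2532: r"C:\Users\Admin\AppData\Local\Temp\finfisher.1.bin.exe",
    992:  r"C:\Users\Admin\AppData\Local\Temp\finfisher.1.bin.exe_",
    1344: r"C:\Windows\SysWOW64\explorer.exe",
    1792: r"C:\Windows\Installer\{AAF744F8-4D58-4A0F-818A-09C31641F054}\svchost.exe",
}

# Event rows transcribed from the SetThreadContext and WriteProcessMemory
# signature tables (18 writes + 1 thread-context change, as in the report).
EVENTS = (
    ["PID 740 set thread context of 1796"]
    + ["PID 740 wrote to memory of 1796"] * 5
    + ["PID 1796 wrote to memory of 2532"] * 3
    + ["PID 2532 wrote to memory of 992"] * 2
    + ["PID 1796 wrote to memory of 1344"] * 3
    + ["PID 1792 wrote to memory of 540"] * 3
    + ["PID 1792 wrote to memory of 3016"] * 2
)

EVENT_RE = re.compile(r"^PID (\d+) (set thread context of|wrote to memory of) (\d+)$")

# Directories where OS binaries legitimately live (lower-case, trailing backslash).
OS_DIRS = {"c:\\windows\\", "c:\\windows\\system32\\", "c:\\windows\\syswow64\\"}
# Where each well-known image name is expected to run from (example's own table).
EXPECTED_DIR = {
    "svchost.exe":  {"c:\\windows\\system32\\", "c:\\windows\\syswow64\\"},
    "winlogon.exe": {"c:\\windows\\system32\\"},
    "explorer.exe": {"c:\\windows\\", "c:\\windows\\syswow64\\"},
}


def parent_dir(path):
    """Lower-cased directory part of a Windows path, with trailing backslash."""
    return path.lower().rsplit("\\", 1)[0] + "\\"


def image_name(path):
    """Lower-cased file name part of a Windows path."""
    return path.lower().rsplit("\\", 1)[-1]


def parse_events(lines):
    """Turn report rows into (api, src_pid, dst_pid) tuples; rows that do not match are skipped."""
    out = []
    for line in lines:
        m = EVENT_RE.match(line.strip())
        if not m:
            continue
        api = "SetThreadContext" if m.group(2).startswith("set") else "WriteProcessMemory"
        out.append((api, int(m.group(1)), int(m.group(3))))
    return out


def masquerading(processes):
    """pid -> path for well-known OS image names running from an unexpected directory."""
    return {
        pid: path
        for pid, path in processes.items()
        if image_name(path) in EXPECTED_DIR
        and parent_dir(path) not in EXPECTED_DIR[image_name(path)]
    }


def injection_chains(events, processes):
    """Collapse cross-process writes per (src, dst) and tag the suspicious patterns."""
    writes = Counter((s, d) for api, s, d in events if api == "WriteProcessMemory")
    ctx = {(s, d) for api, s, d in events if api == "SetThreadContext"}
    findings = []
    for (s, d), n in sorted(writes.items()):
        tags = []
        if (s, d) in ctx:
            tags.append("hollowing")        # write + SetThreadContext on the same target
        if parent_dir(processes[s]) not in OS_DIRS and parent_dir(processes[d]) in OS_DIRS:
            tags.append("into-os-process")  # non-OS image writing into an OS process
        findings.append({"src": s, "dst": d, "writes": n, "tags": tags})
    return findings


if __name__ == "__main__":
    for pid, path in masquerading(PROCESSES).items():
        print(f"masquerade: pid {pid} {path}")
    for f in injection_chains(parse_events(EVENTS), PROCESSES):
        print(f"{f['src']:>5} -> {f['dst']:>5}  writes={f['writes']}  "
              f"{image_name(PROCESSES[f['src']])} -> {image_name(PROCESSES[f['dst']])}  {f['tags']}")
```

Run as-is it flags PID 1792 as a masquerade and tags the 740 -> 1796 pair as hollowing and the 1796 -> 1344, 1792 -> 540 and 1792 -> 3016 pairs as writes into OS processes from non-OS images; the Temp-to-Temp writes (1796 -> 2532, 2532 -> 992) are kept in the output as plain staging steps with no tag. Swapping PROCESSES and EVENTS for rows from a real EDR export is the only change needed to reuse the checks.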
Network
MITRE ATT&CK Matrix
Downloads
C:\Users\Admin\AppData\Local\Temp\TMPD35571CE\finfisher.1.bin.exe
  MD5: 074919f13d07cd6ce92bb0738971afc7
  SHA1: 9f9a18e81e9b39bd2f047004b8e3b4cb0fb505c9
  SHA256: f827c92fbe832db3f09f47fe0dcaafd89b40c7064ab90833a1f418f2d1e75e8e
  SHA512: cdd87c636df500053ec1b410bc467e09186df953c1e1bcb1dc9a8d4bba82df486f59f0bd9942051f84301b05201952cb137b8364bf93d0c066822eb065b9b749
C:\Users\Admin\AppData\Local\Temp\finfisher.1.bin.exe
  MD5: 837c8e15a154956194219ddf6e26cd09
  SHA1: 1f46a8f7799a48512eb1497ffcae35cbb20a67d5
  SHA256: f18afbad0230af8c7ec7b4c1d25544f3d3445a825861a1de18432de5b4586c7b
  SHA512: 52ea06a084c5f0a87024a9e34cd9aac4ba42285b90e555e6c6eaea7e09cfe259165f7f2019160ee7f4a4e4d02b31acab307ab1bc34dd43b549532041b0299064
C:\Users\Admin\AppData\Local\Temp\finfisher.1.bin.exe_
  MD5: 4f08b7808f785005179bd799d7f02a12
  SHA1: 130212336fe769ef2c82f19fd17f61b69f7d6ecd
  SHA256: fa5ddd5f044ab5a3817a2a31f3d798d411153da73bbf0d205736283944513e56
  SHA512: bbf7356450780268beb3a26a4bc03ba78b71ffd00723b6b4c68240e481015e975d5371d20c32075cf0ab4b8bf5862b07edbea8eb0b88b850d8b9bdbfd1a55638
C:\Windows\Installer\{AAF744F8-4D58-4A0F-818A-09C31641F054}\svchost.exe
  MD5: 820b2fa51f6f50a94a295bfc8ac381ec
  SHA1: b23a3b57c8edb6637cc1fc68996929c0151044dd
  SHA256: 1ef2012a955f246880d49731a831ed524d8f73f8ff05da5389ae8056f7805136
  SHA512: 6d84bffb163fbe1470bd736390485f2e2dee44be2240ede789f5d9d54fc63ea9ed84272fab1c65397a38a9700749b74cd4c3fc9dc25517a9a9343fc6ca7c99b7
memory/992-8-0x0000000000000000-mapping.dmp
memory/1344-13-0x0000000000000000-mapping.dmp
memory/1796-2-0x0000000000401E1F-mapping.dmp
memory/2532-5-0x0000000000000000-mapping.dmp
memory/3940-14-0x000002E0E3370000-0x000002E0E3371000-memory.dmp
  Filesize: 4KB
memory/3940-15-0x000002E0E41E0000-0x000002E0E41E1000-memory.dmp
  Filesize: 4KB