Analysis
-
max time kernel
1801s -
max time network
391s -
platform
windows10_x64 -
resource
win10v20201028 -
submitted
01-12-2020 14:18
General
-
Target
Downloads3/finfisher.1.bin.exe
-
Size
771KB
-
MD5
074919f13d07cd6ce92bb0738971afc7
-
SHA1
9f9a18e81e9b39bd2f047004b8e3b4cb0fb505c9
-
SHA256
f827c92fbe832db3f09f47fe0dcaafd89b40c7064ab90833a1f418f2d1e75e8e
-
SHA512
cdd87c636df500053ec1b410bc467e09186df953c1e1bcb1dc9a8d4bba82df486f59f0bd9942051f84301b05201952cb137b8364bf93d0c066822eb065b9b749
Malware Config
Signatures
-
Executes dropped EXE 4 IoCs
-
Deletes itself 1 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Drops file in Windows directory 18 IoCs
-
Program crash 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 6725 IoCs
-
Suspicious behavior: LoadsDriver 468814 IoCs
-
Suspicious behavior: MapViewOfSection 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
-
Suspicious use of WriteProcessMemory 18 IoCs
Processes
-
C:\Windows\system32\winlogon.exewinlogon.exe1⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 540 -s 12642⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Users\Admin\AppData\Local\Temp\Downloads3\finfisher.1.bin.exe"C:\Users\Admin\AppData\Local\Temp\Downloads3\finfisher.1.bin.exe"2⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\TMPB6D001F0\finfisher.1.bin.exe"C:\Users\Admin\AppData\Local\Temp\\TMPB6D001F0\finfisher.1.bin.exe"3⤵
- Executes dropped EXE
- Deletes itself
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\finfisher.1.bin.exe"C:\Users\Admin\AppData\Local\Temp\finfisher.1.bin.exe"4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\finfisher.1.bin.exe_C:\Users\Admin\AppData\Local\Temp\\finfisher.1.bin.exe_5⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe4⤵
-
C:\Windows\Installer\{88DC4147-C6DD-47E6-9097-E0C9BA967FA0}\svchost.exeC:\Windows\Installer\{88DC4147-C6DD-47E6-9097-E0C9BA967FA0}\svchost.exe1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\system32\sihost.exesihost.exe1⤵
-
\??\c:\windows\system32\sihost.exesihost.exe1⤵
-
\??\c:\windows\system32\sihost.exesihost.exe1⤵
-
\??\c:\windows\system32\sihost.exesihost.exe1⤵
-
\??\c:\windows\system32\sihost.exesihost.exe1⤵
-
\??\c:\windows\system32\sihost.exesihost.exe1⤵
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\TMPB6D001F0\finfisher.1.bin.exeMD5
074919f13d07cd6ce92bb0738971afc7
SHA19f9a18e81e9b39bd2f047004b8e3b4cb0fb505c9
SHA256f827c92fbe832db3f09f47fe0dcaafd89b40c7064ab90833a1f418f2d1e75e8e
SHA512cdd87c636df500053ec1b410bc467e09186df953c1e1bcb1dc9a8d4bba82df486f59f0bd9942051f84301b05201952cb137b8364bf93d0c066822eb065b9b749
-
C:\Users\Admin\AppData\Local\Temp\TMPB6D001F0\finfisher.1.bin.exeMD5
074919f13d07cd6ce92bb0738971afc7
SHA19f9a18e81e9b39bd2f047004b8e3b4cb0fb505c9
SHA256f827c92fbe832db3f09f47fe0dcaafd89b40c7064ab90833a1f418f2d1e75e8e
SHA512cdd87c636df500053ec1b410bc467e09186df953c1e1bcb1dc9a8d4bba82df486f59f0bd9942051f84301b05201952cb137b8364bf93d0c066822eb065b9b749
-
C:\Users\Admin\AppData\Local\Temp\finfisher.1.bin.exeMD5
837c8e15a154956194219ddf6e26cd09
SHA11f46a8f7799a48512eb1497ffcae35cbb20a67d5
SHA256f18afbad0230af8c7ec7b4c1d25544f3d3445a825861a1de18432de5b4586c7b
SHA51252ea06a084c5f0a87024a9e34cd9aac4ba42285b90e555e6c6eaea7e09cfe259165f7f2019160ee7f4a4e4d02b31acab307ab1bc34dd43b549532041b0299064
-
C:\Users\Admin\AppData\Local\Temp\finfisher.1.bin.exeMD5
837c8e15a154956194219ddf6e26cd09
SHA11f46a8f7799a48512eb1497ffcae35cbb20a67d5
SHA256f18afbad0230af8c7ec7b4c1d25544f3d3445a825861a1de18432de5b4586c7b
SHA51252ea06a084c5f0a87024a9e34cd9aac4ba42285b90e555e6c6eaea7e09cfe259165f7f2019160ee7f4a4e4d02b31acab307ab1bc34dd43b549532041b0299064
-
C:\Users\Admin\AppData\Local\Temp\finfisher.1.bin.exe_MD5
4f08b7808f785005179bd799d7f02a12
SHA1130212336fe769ef2c82f19fd17f61b69f7d6ecd
SHA256fa5ddd5f044ab5a3817a2a31f3d798d411153da73bbf0d205736283944513e56
SHA512bbf7356450780268beb3a26a4bc03ba78b71ffd00723b6b4c68240e481015e975d5371d20c32075cf0ab4b8bf5862b07edbea8eb0b88b850d8b9bdbfd1a55638
-
C:\Users\Admin\AppData\Local\Temp\finfisher.1.bin.exe_MD5
4f08b7808f785005179bd799d7f02a12
SHA1130212336fe769ef2c82f19fd17f61b69f7d6ecd
SHA256fa5ddd5f044ab5a3817a2a31f3d798d411153da73bbf0d205736283944513e56
SHA512bbf7356450780268beb3a26a4bc03ba78b71ffd00723b6b4c68240e481015e975d5371d20c32075cf0ab4b8bf5862b07edbea8eb0b88b850d8b9bdbfd1a55638
-
C:\Windows\Installer\{88DC4147-C6DD-47E6-9097-E0C9BA967FA0}\svchost.exeMD5
820b2fa51f6f50a94a295bfc8ac381ec
SHA1b23a3b57c8edb6637cc1fc68996929c0151044dd
SHA2561ef2012a955f246880d49731a831ed524d8f73f8ff05da5389ae8056f7805136
SHA5126d84bffb163fbe1470bd736390485f2e2dee44be2240ede789f5d9d54fc63ea9ed84272fab1c65397a38a9700749b74cd4c3fc9dc25517a9a9343fc6ca7c99b7
-
C:\Windows\Installer\{88DC4147-C6DD-47E6-9097-E0C9BA967FA0}\svchost.exeMD5
820b2fa51f6f50a94a295bfc8ac381ec
SHA1b23a3b57c8edb6637cc1fc68996929c0151044dd
SHA2561ef2012a955f246880d49731a831ed524d8f73f8ff05da5389ae8056f7805136
SHA5126d84bffb163fbe1470bd736390485f2e2dee44be2240ede789f5d9d54fc63ea9ed84272fab1c65397a38a9700749b74cd4c3fc9dc25517a9a9343fc6ca7c99b7
-
memory/1304-14-0x000001BFA6010000-0x000001BFA6011000-memory.dmpFilesize
4KB
-
memory/1304-17-0x000001BFA6E80000-0x000001BFA6E81000-memory.dmpFilesize
4KB
-
memory/1304-15-0x000001BFA6010000-0x000001BFA6011000-memory.dmpFilesize
4KB
-
memory/1364-5-0x0000000000000000-mapping.dmp
-
memory/2348-2-0x0000000000401E1F-mapping.dmp
-
memory/3432-8-0x0000000000000000-mapping.dmp
-
memory/3724-13-0x0000000000000000-mapping.dmp